apache / pulsar-dotpulsar

The official .NET client library for Apache Pulsar
https://pulsar.apache.org/
Apache License 2.0
234 stars, 63 forks

Add alternative to `DotNetZip` #236

Open aeons opened 6 days ago

aeons commented 6 days ago

I know that DotNetZip is not a direct dependency, but you will need to add it if you have ZLib compressed messages.

DotNetZip is currently marked as abandoned and as having a high-severity security vulnerability on NuGet.

See https://www.nuget.org/packages/dotnetzip/

I know that the specific vulnerability (directory traversal) is not applicable in this use case, but it does show up on various security scanners.

As I see it, it should not be that hard to add alternatives to DotNetZip and probe for them at runtime (like it does currently).

Could System.IO.Compression.ZlibStream or SharpZipLib be considered?

I don't mind putting up a PR if there is interest for this.
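The runtime-probing approach described in this comment, as an added example that is not DotPulsar's own code: the built-in `System.IO.Compression.ZLibStream` (available from .NET 6 onward) is used when present, and DotNetZip's `Ionic.Zlib.ZlibStream` is located reflectively only as a fallback, so the package stays optional and never has to be referenced directly. The `IZlibCodec` interface, the `ZlibCodecFactory` and the `MaxDecompressedBytes` limit are hypothetical names introduced here, not DotPulsar API. The decompressor caps its output size so a small hostile payload cannot expand without bound (a decompression bomb), which is the check a consumer of untrusted compressed messages wants regardless of which library backs it.

```csharp
using System;
using System.IO;
using System.IO.Compression;
using System.Text;

// Hypothetical abstraction for this example (not DotPulsar's interface).
public interface IZlibCodec
{
    byte[] Compress(byte[] data);
    byte[] Decompress(byte[] data);
}

// Shared helper: copy a decompression stream into memory, refusing to grow past a cap.
// Without a cap, a few hundred bytes of zlib input can expand to gigabytes.
internal static class BoundedCopy
{
    public const int MaxDecompressedBytes = 16 * 1024 * 1024; // assumed limit for this example

    public static byte[] ReadAllBounded(Stream source)
    {
        using var output = new MemoryStream();
        var buffer = new byte[81920];
        int read;
        while ((read = source.Read(buffer, 0, buffer.Length)) > 0)
        {
            if (output.Length + read > MaxDecompressedBytes)
                throw new InvalidDataException("Decompressed payload exceeds the configured limit.");
            output.Write(buffer, 0, read);
        }
        return output.ToArray();
    }
}

// Backed by System.IO.Compression.ZLibStream; no third-party package required on .NET 6+.
public sealed class BuiltInZlibCodec : IZlibCodec
{
    public byte[] Compress(byte[] data)
    {
        using var output = new MemoryStream();
        using (var zlib = new ZLibStream(output, CompressionLevel.Optimal, leaveOpen: true))
            zlib.Write(data, 0, data.Length);
        return output.ToArray();
    }

    public byte[] Decompress(byte[] data)
    {
        using var input = new MemoryStream(data);
        using var zlib = new ZLibStream(input, CompressionMode.Decompress);
        return BoundedCopy.ReadAllBounded(zlib);
    }
}

// Fallback that talks to DotNetZip's Ionic.Zlib.ZlibStream through reflection only,
// so this code compiles and runs whether or not the DotNetZip assembly is present.
public sealed class ReflectedDotNetZipCodec : IZlibCodec
{
    private readonly Type _streamType;
    private readonly Type _modeType;

    private ReflectedDotNetZipCodec(Type streamType, Type modeType)
    {
        _streamType = streamType;
        _modeType = modeType;
    }

    // Returns null when the DotNetZip assembly cannot be loaded.
    public static ReflectedDotNetZipCodec? TryCreate()
    {
        var streamType = Type.GetType("Ionic.Zlib.ZlibStream, DotNetZip", throwOnError: false);
        var modeType = Type.GetType("Ionic.Zlib.CompressionMode, DotNetZip", throwOnError: false);
        return streamType is null || modeType is null ? null : new ReflectedDotNetZipCodec(streamType, modeType);
    }

    // Ionic.Zlib.CompressionMode: Compress = 0, Decompress = 1; the constructor is (Stream, CompressionMode).
    private Stream Wrap(Stream inner, int mode) =>
        (Stream)Activator.CreateInstance(_streamType, inner, Enum.ToObject(_modeType, mode))!;

    public byte[] Compress(byte[] data)
    {
        using var output = new MemoryStream();
        using (var zlib = Wrap(output, 0))
            zlib.Write(data, 0, data.Length);
        return output.ToArray();
    }

    public byte[] Decompress(byte[] data)
    {
        using var input = new MemoryStream(data);
        using var zlib = Wrap(input, 1);
        return BoundedCopy.ReadAllBounded(zlib);
    }
}

public static class ZlibCodecFactory
{
    // Prefer the framework implementation; only fall back to DotNetZip if it happens to be loadable.
    public static IZlibCodec Create() =>
        (IZlibCodec?)ReflectedDotNetZipCodec.TryCreate() is { } dotNetZip && !IsBuiltInAvailable()
            ? dotNetZip
            : new BuiltInZlibCodec();

    private static bool IsBuiltInAvailable() =>
        Type.GetType("System.IO.Compression.ZLibStream, System.IO.Compression", throwOnError: false) is not null;

    public static void Main()
    {
        // Constructed sample payload for the round trip.
        var codec = Create();
        var message = Encoding.UTF8.GetBytes("constructed pulsar message payload, zlib compressed");
        var roundTrip = codec.Decompress(codec.Compress(message));
        Console.WriteLine(codec.GetType().Name + ": " + Encoding.UTF8.GetString(roundTrip));
    }
}
```

Because the DotNetZip path is reached only through `Type.GetType` strings, a build of the client that ships this probe carries no compile-time reference to the package, which is what removes it from dependency scanners while keeping existing deployments that already have it installed working.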

blankensteiner commented 6 days ago

Hi @aeons, I agree, we should provide an alternative for DotNetZip. If you are up for creating a PR, I would be happy to guide and review :-) Either one (or both?) of those you mention could be a good candidate. /db