arcus-azure / arcus.security

Security for Azure development in a breeze.
https://security.arcus-azure.net/
MIT License

Possible security vulnerability in AzureKeyVault provider #423

Closed fgheysels closed 9 months ago

fgheysels commented 1 year ago

The Azure KeyVault provider project has a (transitive) reference to Newtonsoft.JSON 10.0.3, which apparently has a security vulnerability.

We should upgrade to a more recent version of Newtonsoft.Json. (10.0.3 already dates back to 2017!)

fgheysels commented 1 year ago

Maybe this is because we still use some deprecated packages in that project. Maybe one of those packages is the culprit?

stijnmoreels commented 1 year ago

> Maybe this is because we still use some deprecated packages in that project. Maybe one of those packages is the culprit?

Yes, that would be my guess as well, as we needed to be backwards compatible. But, with the new major version on .NET 8, we could possibly remove those.

fgheysels commented 1 year ago

I think it is important to have a look at it. There are projects where customers refuse to use dependencies that have possible / known security issues.

stijnmoreels commented 9 months ago

I think this is done by https://github.com/arcus-azure/arcus.security/pull/424?

fgheysels commented 9 months ago

Indeed, this looks to be resolved. Thanks!