dotMorten / Microsoft.SqlServer.Types

a .NET Standard implementation of the spatial types in `Microsoft.SqlServer.Types`
Apache License 2.0

Security Vulnerability: https://github.com/advisories/GHSA-8g2p-5pqh-5jmc #80

Open iduras3 opened 2 years ago

iduras3 commented 2 years ago

A direct dependency has a vulnerability.

dotMorten commented 2 years ago

I need a bit more info than that. This package doesn't use Microsoft.SqlServer.Types - it's an alternative to that when not running on .NET Framework.

bjorngadde commented 2 years ago

I believe it's this vulnerability: https://github.com/advisories/GHSA-8g2p-5pqh-5jmc.

This project references System.Data.SqlClient 4.8.3, which seems to be affected.

dotMorten commented 2 years ago

It’s an implicit reference. You can reference a newer version in your application

bjorngadde commented 2 years ago

Yes. Until the reference is bumped, one can explicitly override the version. Instructions can be found via the link above.

dotMorten commented 2 years ago

My point is this library doesn't ship the vulnerable library, so there's no vulnerability in this library.

iduras3 commented 2 years ago

We have a .NET 6 ASP.NET Core project, where we have this package as a transitive dependency. This package shows that it has a dependency on the vulnerable package.

```json
"dotMorten.Microsoft.SqlServer.Types": {
  "type": "Transitive",
  "resolved": "1.4.0",
  "contentHash": "MYxVbuBguObk8QFNTuBZ+ZEC/m1zbvG774FbFvwiDZjc0RYq/co27THrHN5Dyd52ie0R5bt2uxSZj4tIb3lYFg==",
  "dependencies": {
    "System.Data.SqlClient": "4.8.3",
    "System.Memory": "4.5.4"
  }
}
```

I can see that the System.Data.SqlClient package with that version is in the csproj file.

dotMorten commented 2 years ago

Yes, it’s a dependency you can override by adding an explicit reference. You’re not using the 2.x release, which uses the newer SQL client libraries. The 1.x releases are just there for old compat with the older client.
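The check this thread implies, as an added example that is not part of the issue or of the project: walk a NuGet `packages.lock.json`, find every target framework where a named package resolves below the advisory's patched version, and report which package's dependency edge pulls it in (here `dotMorten.Microsoft.SqlServer.Types` 1.4.0 pulling `System.Data.SqlClient` 4.8.3). The lock file is constructed inline from the entry quoted above, with hypothetical hashes, and the patched version is a placeholder to be taken from the advisory.

```python
import json
from typing import Dict, List, Tuple

# Constructed packages.lock.json, modelled on the entry quoted in the issue (hypothetical
# contentHash values, one target framework). The real file lives next to the .csproj.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net6.0": {
            "dotMorten.Microsoft.SqlServer.Types": {
                "type": "Transitive", "resolved": "1.4.0", "contentHash": "<constructed>",
                "dependencies": {"System.Data.SqlClient": "4.8.3", "System.Memory": "4.5.4"},
            },
            "System.Data.SqlClient": {"type": "Transitive", "resolved": "4.8.3",
                                      "contentHash": "<constructed>"},
            "System.Memory": {"type": "Transitive", "resolved": "4.5.4",
                              "contentHash": "<constructed>"},
        }
    },
})

# PLACEHOLDER: substitute the patched System.Data.SqlClient version stated in the advisory.
FIXED_IN_PLACEHOLDER = "4.8.99"

def parse_version(v: str) -> Tuple[int, ...]:
    """NuGet versions are SemVer-like; compare on the numeric core and drop any prerelease tag."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))

def find_vulnerable(lock_json: str, package: str, fixed_in: str) -> List[Dict[str, object]]:
    """One finding per target framework where `package` resolves below `fixed_in`, listing the
    packages whose dependency edges pull it in. Package ids are compared case-insensitively,
    as NuGet does."""
    lock = json.loads(lock_json)
    findings: List[Dict[str, object]] = []
    for tfm, pkgs in lock.get("dependencies", {}).items():
        by_id = {name.casefold(): (name, meta) for name, meta in pkgs.items()}
        hit = by_id.get(package.casefold())
        if hit is None or parse_version(hit[1]["resolved"]) >= parse_version(fixed_in):
            continue
        parents = sorted(name for name, meta in pkgs.items()
                         if package.casefold() in {d.casefold() for d in meta.get("dependencies", {})})
        findings.append({"framework": tfm, "package": hit[0], "resolved": hit[1]["resolved"],
                         "type": hit[1]["type"], "pulled_in_by": parents})
    return findings

if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_LOCK, "System.Data.SqlClient", FIXED_IN_PLACEHOLDER):
        print(f"{f['framework']}: {f['package']} {f['resolved']} ({f['type']}) via {f['pulled_in_by']}")
```

A finding whose `pulled_in_by` names only a library you do not control is exactly the case dotMorten describes: the remediation is an explicit `PackageReference` to the patched version in the application's own project file, which NuGet then prefers over the transitive one.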