Closed DW-MaximV closed 3 weeks ago
.NET Core 3.1 is out of support
@DW-MaximV The minimum .NET version in Microsoft.Data.SqlClient v5.2.2 is .NET 6, so you cannot downgrade to an earlier version. If you insist on using .NET Core 3.1, you will need to use Microsoft.Data.SqlClient v3.1. However, please note that this version has some vulnerabilities, and we were unable to simply bump the major versions of dependencies due to semantic versioning reasons.
@JRahnama OK, I understand.
Describe the bug
The current version of Microsoft.Data.SqlClient has an (indirect) reference on a vulnerable NuGet package: Microsoft.Data.SqlClient 5.2.2 -> System.Security.Cryptography.Cng 5.0.0 -> System.Formats.Asn1 5.0.0
To reproduce
dotnet list package --include-transitive --vulnerable
The output shows vulnerable package System.Formats.Asn1 5.0.0
Expected behavior
No deprecated package should be found.
Further technical details
Microsoft.Data.SqlClient version: 5.2.2 .NET target: netcoreapp3.1 SQL Server version: not relevant Operating system: not relevant
Additional context Related to https://github.com/dotnet/SqlClient/issues/2048