Closed cmenzi closed 3 years ago
I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.
This is a known issue with the list command. We're discussing offline some ways to make this better. The tl;dr: as long as you're keeping the SDK up-to-date, you don't need to worry about vulnerabilities in this component.
Ok, good to know. Our dependency track tool went insane, because all projects were affected.
Description

We are currently using SDK 5.0.202 and SDK 3.1.407 to restore, build and package our solution. There is now, for example, the transitive dependency System.Text.Encodings.Web, which was vulnerable with CVE-2021-26701 and was fixed and shipped in SDK 5.0.201 and SDK 3.1.407.

global.json:

Now, when we do a

dotnet list <project> package --include-transitive --outdated --framework netcoreapp3.1

we get the following result:

As you can see, the resolved version of System.Text.Encodings.Web is 5.0.0, which should be 5.0.1 as that is the version containing the fix. Do we need to explicitly specify them in the csproj? Or how can we enforce that the latest version of transitive framework dependencies is used?