exercism / fsharp

Exercism exercises in F#.
https://exercism.org/tracks/fsharp
MIT License

[Space-Age] Warning on vulnerability in transitive dependency Newtonsoft.Json 9.0.1 #1302

Open ducdetronquito opened 3 days ago

ducdetronquito commented 3 days ago

Hi!

First, thanks for your work on the F# track, it's a pleasure to learn the language on Exercism!

When building the exercise space-age, I have the following warnings:

Restore succeeded with 1 warning(s) in 0.6s
    /exercism_workspace/fsharp/space-age/SpaceAge.fsproj : warning NU1903: Package 'Newtonsoft.Json' 9.0.1 has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr
  SpaceAge succeeded with 1 warning(s) (2.3s) → bin/Debug/net8.0/SpaceAge.dll
    /exercism_workspace/fsharp/space-age/SpaceAge.fsproj : warning NU1903: Package 'Newtonsoft.Json' 9.0.1 has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr

It appears that Newtonsoft.Json is a dependency of Microsoft.TestPlatform.TestHost/16.8.3 which in turn is a dependency of Microsoft.NET.Test.Sdk/16.8.3.

dotnet-outdated outputs that some packages could benefit from being bumped, and bumping Microsoft.NET.Test.Sdk to the latest version would remove the previous warning because Newtonsoft.Json is no longer a dependency.

❯ dotnet outdated
» SpaceAge
  [net8.0]
  FsUnit.xUnit               4.0.4  -> 6.0.1
  Microsoft.NET.Test.Sdk     16.8.3 -> 17.12.0
  xunit                      2.4.1  -> 2.9.2
  xunit.runner.visualstudio  2.4.3  -> 2.8.2

What do you think about it?

I can make a PR to bump these packages if you agree.

Have a nice day :)
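The duplicated NU1903 lines in the build output above are exactly what a CI job can key on. As an added example (not code from the exercism/fsharp repository), this POSIX shell script extracts every NuGet audit warning from a saved build log, deduplicates it, and fails when anything at or above a chosen severity is present. The sample log is constructed from the lines quoted in this issue, and the capture step `dotnet build 2>&1 | tee build.log` is assumed.

```shell
#!/bin/sh
# Added example, not code from the exercism/fsharp repository: turn NuGet
# audit warnings (NU1901 low .. NU1904 critical) in a captured build log into
# a CI gate. Assumes the log was saved with: dotnet build 2>&1 | tee build.log

# Constructed sample log, copied from the warning lines quoted in the issue.
sample_log() {
  cat <<'EOF'
Restore succeeded with 1 warning(s) in 0.6s
    /exercism_workspace/fsharp/space-age/SpaceAge.fsproj : warning NU1903: Package 'Newtonsoft.Json' 9.0.1 has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr
  SpaceAge succeeded with 1 warning(s) (2.3s) -> bin/Debug/net8.0/SpaceAge.dll
    /exercism_workspace/fsharp/space-age/SpaceAge.fsproj : warning NU1903: Package 'Newtonsoft.Json' 9.0.1 has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr
EOF
}

# Reduce each audit warning on stdin to "<code> <package> <version> <severity> <advisory>".
# The same warning is printed once per phase (restore, build), so deduplicate.
nuget_audit_findings() {
  sed -n -E "s|.*warning (NU190[1-4]): Package '([^']+)' ([^ ]+) has a known ([a-z]+) severity vulnerability, (https?://[^ ]+).*|\1 \2 \3 \4 \5|p" \
    | sort -u
}

# Numeric rank for a NuGet severity word; unknown words rank as critical.
severity_rank() {
  case "$1" in
    low) echo 1 ;; moderate) echo 2 ;; high) echo 3 ;; critical) echo 4 ;; *) echo 4 ;;
  esac
}

# Print findings at or above the threshold (default: high) on stderr and return 1
# if any exist, so `audit_gate high < build.log` fails the pipeline step.
audit_gate() {
  threshold=$(severity_rank "${1:-high}")
  hits=$(nuget_audit_findings | while read -r code pkg ver sev url; do
    if [ "$(severity_rank "$sev")" -ge "$threshold" ]; then
      printf '%s %s %s %s\n' "$pkg" "$ver" "$sev" "$url"
    fi
  done)
  if [ -z "$hits" ]; then
    return 0
  fi
  printf 'vulnerable packages at or above %s severity:\n%s\n' "${1:-high}" "$hits" >&2
  return 1
}
```

Projects on an SDK with NuGet audit can enforce the same policy without log scraping by listing the NU190x codes in the project's `<WarningsAsErrors>` property; the script is for pipelines that only have the log.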

github-actions[bot] commented 3 days ago

Hello. Thanks for opening an issue on Exercism 🙂

At Exercism we use our Community Forum, not GitHub issues, as the primary place for discussion. That allows maintainers and contributors from across Exercism's ecosystem to discuss your problems/ideas/suggestions without them having to subscribe to hundreds of repositories.

This issue will be automatically closed. Please use this link to copy your GitHub Issue into a new topic on the forum, where we look forward to chatting with you!

If you're interested in learning more about this auto-responder, please read this blog post.

ErikSchierboom commented 3 days ago

We can't just update the dependencies unfortunately because the test runner (which runs the tests when submitting solutions) has to be updated too. We'll get to it though.

ducdetronquito commented 3 days ago

Ok! I'm not an F# guru, but if there is any help I can provide, just ask :)