fsprojects / FAKE

FAKE - F# Make
https://fake.build

Security warnings about usage of NuGet.Protocol v6.0 #2760

Open Numpsy opened 10 months ago

Numpsy commented 10 months ago

Description

I created a CI build using FAKE 6 which also gets run through a Mend analysis, and it raised a warning about references to NuGet.Protocol v 6.0 which has known security vulnerabilities.

Looking at the listing for NuGet.Protocol on nuget.org, it seems that the 6.0.0 versions of all those libraries have actually been delisted due to issues, and several of the updated versions are listed as having issues themselves.

Given the delisting, I think it would be good to bump the version used?

Repro steps

Version 6.0 seems to be specified at https://github.com/fsprojects/FAKE/blob/13e30330cae0597aed6154a95a06d21716b18de3/paket.lock#L825C1-L825C9

Known workarounds

As I'm running the build via a .fsproj file, I can locally update the references to a newer version if I have to.

Related information

github-actions[bot] commented 10 months ago

Welcome to the FAKE community! Thank you so much for creating your first issue and therefore improving the project!

xperiandri commented 9 months ago

@Numpsy will you prepare a PR?

Numpsy commented 9 months ago

That was the intent of #2761 / #2764

xperiandri commented 9 months ago

Approved

Numpsy commented 4 months ago

This stuff is never ending, version 6.7.0 is showing as having issues now: https://github.com/advisories/GHSA-68w7-72jg-6qpp :-(