sergey-tihon
commented
4 years ago Btw. it would be best if FSharp.Configuration NuGet package referenced YamlDotNet instead of containing YamlDotNet.dll so that issues like this doesn't require repackage of FSharp.Configuration.
This is not possible (al least not easy doable) F# TP packages has unique Nuget package layout, that allow IDE/Compiler to resolve correctly design-time dependencies. https://github.com/fsprojects/FSharp.TypeProviders.SDK#nuget-package-layouts-you-should-use
- Runtime dependencies are references as package dependencies and remapped to correct version by TP SDK
- Design-time dependencies are pre-packed inside TP NuGet package for reliable IDE experience.
See vulnerability CVE-2018-1000210: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2018-1000210/
FSharp.Configuration 2.0.0-alpha2 nuget package contains YamlDotNet.dll which has this vulnerability in place.
Btw. it would be best if FSharp.Configuration nuget package referenced YamlDotNet instead of containing YamlDotNet.dll so that issues like this doesn't require repackage of FSharp.Configuration.