Environment
How do you use Sentry? Sentry SaaS (sentry.io)
Which SDK and version? .NET Framework 4.6.2 using Sentry.Serilog v3.5.0
Steps to Reproduce
The Sentry.Serilog v3.5.0 uses System.Text.Encodings.Web v5.0.0 through other dependencies (Sentry.Serilog > Sentry > System.Text.Json > System.Text.Encodings.Web).
As the System.Text.Encodings.Web v5.0.0 contains an RCE (see https://github.com/dotnet/runtime/issues/49377), it is advised to use the v5.0.1 NuGet package when used by the .NET Framework.
Expected Result
Sentry.Serilog updated to depend on newer version of System.Text.Encodings.Web package.
The Sentry package should depend on System.Text.Json v5.0.2 which references the updated encodings packages.
Actual Result
The Snyk vulnerabilities analyzer marks the System.Text.Encodings.Web@5.0.0 package as vulnerable in our product, and this dependency is introduced by the Sentry.Serilog@3.5.0 package.
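An added example, not part of the original report or of the Sentry project: a script that walks the resolved package graph in NuGet's `obj/project.assets.json` and lists every dependency chain that ends at a given package version, which is how the chain quoted above can be confirmed locally. The embedded sample is constructed; only the Sentry.Serilog 3.5.0 and System.Text.Encodings.Web 5.0.0 versions come from the report, and the `paths_to` and `report` names are hypothetical.

```python
import json

# Constructed sample in the shape of the "targets" section of obj/project.assets.json.
# Only Sentry.Serilog 3.5.0 and System.Text.Encodings.Web 5.0.0 come from the report;
# the Sentry, Serilog and System.Text.Json versions are assumed for illustration.
SAMPLE_ASSETS = json.loads("""
{
  "targets": {
    ".NETFramework,Version=v4.6.2": {
      "Sentry.Serilog/3.5.0": {"type": "package", "dependencies": {"Sentry": "3.5.0", "Serilog": "2.7.1"}},
      "Sentry/3.5.0": {"type": "package", "dependencies": {"System.Text.Json": "5.0.0"}},
      "Serilog/2.7.1": {"type": "package"},
      "System.Text.Json/5.0.0": {"type": "package", "dependencies": {"System.Text.Encodings.Web": "5.0.0"}},
      "System.Text.Encodings.Web/5.0.0": {"type": "package"}
    }
  }
}
""")

def paths_to(assets, package, version):
    """Return every dependency chain, per target framework, ending at package/version."""
    wanted = f"{package}/{version}".lower()
    found = []
    for framework, libs in assets.get("targets", {}).items():
        # NuGet ids are case-insensitive. Roots are approximated as libraries that
        # nothing else depends on (a direct reference that is also transitive is missed).
        resolved = {key.split("/", 1)[0].lower(): key for key in libs}
        depended_on = {d.lower() for info in libs.values() for d in info.get("dependencies", {})}
        roots = [key for name, key in resolved.items() if name not in depended_on]

        def walk(key, chain):
            chain = chain + [key]
            if key.lower() == wanted:
                found.append((framework, chain))
                return
            for dep in libs[key].get("dependencies", {}):
                nxt = resolved.get(dep.lower())
                if nxt and nxt not in chain:  # skip unresolved ids and cycles
                    walk(nxt, chain)

        for root in sorted(roots):
            walk(root, [])
    return found

def report(assets, package, version):
    return [f"{fw}: " + " > ".join(chain) for fw, chain in paths_to(assets, package, version)]

if __name__ == "__main__":
    for line in report(SAMPLE_ASSETS, "System.Text.Encodings.Web", "5.0.0"):
        print(line)
```

Against a real project, load the file with `json.load(open("obj/project.assets.json"))` after a restore and pass it to `report`; an empty list for the affected version means the patched package was resolved instead.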