Closed HakamFostok closed 10 months ago
Actually, I think this library should update the MongoDB.Driver.Core to 2.22.0.
I overrode the transitive NuGet package to this version and the warnings have gone.
<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>
  <!-- packages just to solve the vulnerabilities -->
  <ItemGroup>
    <PackageVersion Include="MongoDB.Driver.Core" Version="2.22.0" />
  </ItemGroup>
</Project>
and the result was
I use a ranged dependency since I want to support as many clients as I can. It's up to folks using the Mongo client directly to update their dependencies, not me.
I am using version 1.1.0 of this library (not directly but by referencing MongoDB.Driver.Core.Extensions.OpenTelemetry package version 1.0.0).
This package is taking a dependency on the System.Net.Security 4.0.0 DLL, which has 2 vulnerabilities, one high, one moderate.
Here is a screenshot from the Solution Explorer from Visual Studio
Here is a screenshot from the Error List from Visual Studio
Here is a screenshot from the NuGet page of System.Net.Security 4.0.0
I think it's best to update those packages.
If you like I can make the PR to fix this
Very important note, I am not referencing this DLL directly, I am referencing MongoDB.Driver.Core.Extensions.OpenTelemetry, which takes a dependency on MongoDB.Driver.Core.Extensions.DiagnosticSources.
I can open this bug also on that repo, if you want.
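To confirm which reference brings System.Net.Security 4.0.0 into a project, as in the report above, the restore graph in obj/project.assets.json can be walked from the flagged package back to the top-level reference. This is an added example, not code from this thread or the library; the sample graph is constructed, and the MongoDB.Driver.Core version in it is a placeholder.

```python
import json

# Constructed sample in the shape of the "targets" section of obj/project.assets.json.
# Package ids and the 1.0.0 / 1.1.0 / 4.0.0 versions come from the issue text;
# the MongoDB.Driver.Core version and Unrelated.Package are placeholders.
SAMPLE_ASSETS = json.loads("""
{"targets": {"net8.0": {
  "MongoDB.Driver.Core.Extensions.OpenTelemetry/1.0.0": {
    "dependencies": {"MongoDB.Driver.Core.Extensions.DiagnosticSources": "1.1.0"}},
  "MongoDB.Driver.Core.Extensions.DiagnosticSources/1.1.0": {
    "dependencies": {"MongoDB.Driver.Core": "0.0.0-placeholder"}},
  "MongoDB.Driver.Core/0.0.0-placeholder": {
    "dependencies": {"System.Net.Security": "4.0.0"}},
  "System.Net.Security/4.0.0": {},
  "Unrelated.Package/1.0.0": {}
}}}
""")


def chains_to(assets, target_id, target_version):
    """Return (framework, chain) for every dependency chain ending at the target."""
    results = []
    for framework, libs in assets["targets"].items():
        resolved = dict(key.split("/", 1) for key in libs)  # id -> resolved version
        parents = {}  # package id -> ids of packages that depend on it
        for key, info in libs.items():
            for dep in info.get("dependencies", {}):
                parents.setdefault(dep, []).append(key.split("/", 1)[0])
        if resolved.get(target_id) != target_version:
            continue  # this framework did not resolve the flagged version

        def walk(pkg, tail, seen):
            chain = [f"{pkg}/{resolved[pkg]}"] + tail
            ups = [p for p in parents.get(pkg, []) if p not in seen]
            if not ups:  # no package depends on it: treated as a top-level reference
                results.append((framework, chain))
            for parent in ups:
                walk(parent, chain, seen | {parent})

        walk(target_id, [], {target_id})
    return results


if __name__ == "__main__":
    for framework, chain in chains_to(SAMPLE_ASSETS, "System.Net.Security", "4.0.0"):
        print(framework, " -> ".join(chain))
```

Running it again after pinning a transitive version, as in the Directory.Packages.props snippet earlier in the thread, shows whether the flagged version still resolves.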