jbogard / MongoDB.Driver.Core.Extensions.DiagnosticSources

Apache License 2.0

System.Net.Security 4.0.0 dependency has high severity vulnerability #24

Closed HakamFostok closed 10 months ago

HakamFostok commented 10 months ago

I am using version 1.1.0 of this library (not directly, but by referencing the MongoDB.Driver.Core.Extensions.OpenTelemetry package version 1.0.0).


This package is taking a dependency on the System.Net.Security 4.0.0 DLL, which has 2 vulnerabilities, one high and one moderate.

Here is a screenshot from the Solution Explorer in Visual Studio:

image

Here is a screenshot from the Error List in Visual Studio:

image

Here is a screenshot from the NuGet page of System.Net.Security 4.0.0:

image

I think it's best to update those packages.

If you like, I can make the PR to fix this.


Very important note: I am not referencing this DLL directly. I am referencing MongoDB.Driver.Core.Extensions.OpenTelemetry, which takes a dependency on MongoDB.Driver.Core.Extensions.DiagnosticSources.

I can open this bug also on that repo, if you want.
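The report above is a transitive dependency flagged by the IDE; the same information is available from the CLI as `dotnet list package --vulnerable --include-transitive`, which is what a CI gate would consume. The following is an added example (not part of this issue or the project's code): a small Python parser for that command's text report that collects every flagged package, records whether it is top-level or transitive, and decides whether the build should fail at a chosen severity threshold. The sample report text is constructed to match the shape of the CLI output; the advisory URLs in it are placeholders, not the real advisories for System.Net.Security.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape printed by
# `dotnet list package --vulnerable --include-transitive`.
# Advisory URLs are placeholders, not the real advisories.
SAMPLE_REPORT = """\
The following sources were used:
   https://api.nuget.org/v3/index.json

Project `MyService` has the following vulnerable packages
   [net8.0]:
   Transitive Package         Resolved   Severity   Advisory URL
   > System.Net.Security      4.0.0      High       https://github.com/advisories/GHSA-PLACEHOLDER-1
   > System.Net.Security      4.0.0      Moderate   https://github.com/advisories/GHSA-PLACEHOLDER-2
"""

SEVERITY_RANK = {"Low": 1, "Moderate": 2, "High": 3, "Critical": 4}

PROJECT_RE = re.compile(r"^Project `(?P<name>[^`]+)` has the following vulnerable packages")
SECTION_RE = re.compile(r"^\s*(?P<kind>Top-level|Transitive) Package\s+")


@dataclass(frozen=True)
class Finding:
    project: str
    package: str
    resolved: str
    severity: str
    advisory: str
    transitive: bool


def _parse_row(line):
    # Rows look like: "> Pkg [Requested] Resolved Severity AdvisoryURL".
    # Top-level rows carry an extra Requested column, so read the
    # trailing columns from the right to handle both layouts.
    parts = line.split()
    if len(parts) < 5 or parts[0] != ">":
        return None
    pkg, resolved, severity, url = parts[1], parts[-3], parts[-2], parts[-1]
    if severity not in SEVERITY_RANK:
        return None
    return pkg, resolved, severity, url


def parse_report(text):
    """Return one Finding per flagged package row in the CLI report."""
    findings = []
    project = None
    transitive = False
    for line in text.splitlines():
        m = PROJECT_RE.match(line)
        if m:
            project = m.group("name")
            continue
        m = SECTION_RE.match(line)
        if m:
            transitive = m.group("kind") == "Transitive"
            continue
        row = _parse_row(line)
        if row and project:
            pkg, resolved, severity, url = row
            findings.append(Finding(project, pkg, resolved, severity, url, transitive))
    return findings


def should_fail(findings, threshold="High"):
    """True if any finding is at or above the severity threshold."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK[f.severity] >= limit for f in findings)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for f in found:
        kind = "transitive" if f.transitive else "top-level"
        print(f"{f.project}: {f.package} {f.resolved} [{f.severity}, {kind}] {f.advisory}")
    raise SystemExit(1 if should_fail(found) else 0)
```

Piping the real command's output into `parse_report` and exiting non-zero from `should_fail` is enough to block a merge on a high-severity transitive package, which is exactly the case this issue describes.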

HakamFostok commented 10 months ago

Actually, I think this library should update MongoDB.Driver.Core to 2.22.0. I overrode the transitive NuGet package to this version and the warnings have gone.

<Project>
    <PropertyGroup>
        <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
        <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
    </PropertyGroup>
    <!--packages just to solve the vulnerabilities -->
    <ItemGroup>
        <PackageVersion Include="MongoDB.Driver.Core" Version="2.22.0" />
    </ItemGroup>
</Project>

And the result was:

image
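The fix above relies on two settings working together: `ManagePackageVersionsCentrally` and `CentralPackageTransitivePinningEnabled`, plus a `PackageVersion` entry high enough to pull the transitive dependency past the vulnerable version. Because a later edit to `Directory.Packages.props` can silently undo the pin, a repository check is useful. The following is an added example (not part of this issue or the project's code): a Python validator that parses the props file, confirms both MSBuild properties are enabled, and checks each pinned package against a minimum version. The props text mirrors the one posted above; the `REQUIRED_MIN` table is a constructed policy whose 2.22.0 entry is the version the commenter reports as clearing the warnings.

```python
import xml.etree.ElementTree as ET

# Constructed Directory.Packages.props mirroring the one in the issue.
SAMPLE_PROPS = """<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="MongoDB.Driver.Core" Version="2.22.0" />
  </ItemGroup>
</Project>"""

# Constructed policy: lowest acceptable version per package. The 2.22.0
# entry is the version the issue reports as clearing the warnings.
REQUIRED_MIN = {"MongoDB.Driver.Core": "2.22.0"}


def parse_version(text):
    """Turn '2.22.0' or '2.22.0-beta1' into a comparable tuple of ints."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (4 - len(parts))  # pad so 2.22 == 2.22.0.0


def load_props(text):
    """Return (properties, pins) from a Directory.Packages.props document."""
    root = ET.fromstring(text)
    properties = {}
    for group in root.iter("PropertyGroup"):
        for prop in group:
            properties[prop.tag] = (prop.text or "").strip()
    pins = {}
    for item in root.iter("PackageVersion"):
        name, version = item.get("Include"), item.get("Version")
        if name and version:
            pins[name] = version
    return properties, pins


def check_props(text, required=REQUIRED_MIN):
    """Return a list of policy violations; an empty list means the file is compliant."""
    properties, pins = load_props(text)
    problems = []
    if properties.get("ManagePackageVersionsCentrally", "").lower() != "true":
        problems.append("ManagePackageVersionsCentrally is not enabled")
    if properties.get("CentralPackageTransitivePinningEnabled", "").lower() != "true":
        problems.append("CentralPackageTransitivePinningEnabled is not enabled; "
                        "transitive packages will not be overridden")
    for package, minimum in required.items():
        pinned = pins.get(package)
        if pinned is None:
            problems.append(f"{package} has no PackageVersion pin (need >= {minimum})")
        elif parse_version(pinned) < parse_version(minimum):
            problems.append(f"{package} pinned at {pinned}, below required {minimum}")
    return problems


if __name__ == "__main__":
    for problem in check_props(SAMPLE_PROPS):
        print("FAIL:", problem)
    print("OK" if not check_props(SAMPLE_PROPS) else "policy violations found")
```

Run it against the repository's `Directory.Packages.props` in CI so that a pin being lowered, or transitive pinning being switched off, fails the build rather than reintroducing the vulnerable package unnoticed.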

jbogard commented 10 months ago

I use a ranged dependency since I want to support as many clients as I can. It's up to folks using the Mongo client directly to update their dependencies, not me.