Open jmisharp opened 3 weeks ago
There is also Azure core identity that is referenced for no reason. REMOVE THIS ASAP.
Follow this as well - can we get a fix in for this?
For those running into this, I fixed this by adding the dependency with the proper version (in my case it was Azure.Identity)
```xml
<ItemGroup>
  <!-- Fixes for transitive dependencies -->
  <PackageReference Include="Azure.Identity" />
</ItemGroup>
```
And then make sure to add the proper version in your Directory.Packages.props
While I can also understand that you also fix direct CVEs, please understand that the SqlClient imports some very old, outdated stuff with a lot of CVEs. It would help us tremendously to update this package, to keep our projects maintainable.
Current version 6.2.1 of the Respawn package has a security vulnerability because of an old dependency on Microsoft.Data.SqlClient, which has a dependency on System.Drawing.Common@5.0.0.
Please update to mitigate this vulnerability.
CVE description: https://nvd.nist.gov/vuln/detail/CVE-2021-24112
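An added example, not part of the thread or the Respawn project: a small Python helper that walks the restore graph in `obj/project.assets.json` to show which direct reference pulls in a flagged transitive package, so you know which package to pin or update. The sample graph is constructed; only Respawn 6.2.1 and System.Drawing.Common 5.0.0 come from the thread, and `Example.Logging` and every `0.0.0-sample` version are placeholders.

```python
import json
from collections import deque

# Constructed sample shaped like obj/project.assets.json (NuGet restore output).
# Respawn 6.2.1 and System.Drawing.Common 5.0.0 come from the thread; the
# other names and all "0.0.0-sample" versions are placeholders.
SAMPLE_ASSETS = json.loads("""
{
  "targets": {
    "net8.0": {
      "Respawn/6.2.1": {"type": "package",
        "dependencies": {"Microsoft.Data.SqlClient": "0.0.0-sample"}},
      "Microsoft.Data.SqlClient/0.0.0-sample": {"type": "package",
        "dependencies": {"Azure.Identity": "0.0.0-sample",
                         "System.Drawing.Common": "5.0.0"}},
      "Azure.Identity/0.0.0-sample": {"type": "package"},
      "System.Drawing.Common/5.0.0": {"type": "package"},
      "Example.Logging/0.0.0-sample": {"type": "package"}
    }
  },
  "project": {"frameworks": {"net8.0": {"dependencies": {
    "Respawn": {"target": "Package", "version": "[6.2.1, )"},
    "Example.Logging": {"target": "Package", "version": "[0.0.0-sample, )"}
  }}}}
}
""")

def dependency_paths(assets, framework, package_id):
    """Return every chain from a direct reference down to package_id."""
    libs = {}
    for key, entry in assets["targets"][framework].items():
        name, _, version = key.partition("/")
        # NuGet package IDs are case-insensitive, so index them lowercased.
        libs[name.lower()] = (f"{name}@{version}", entry.get("dependencies", {}))
    direct = assets["project"]["frameworks"][framework]["dependencies"]
    wanted, paths = package_id.lower(), []
    queue = deque([[name.lower()] for name in direct])
    while queue:
        path = queue.popleft()
        if path[-1] not in libs:
            continue  # reference that was not restored as a package
        if path[-1] == wanted:
            paths.append([libs[p][0] for p in path])
            continue
        for dep in libs[path[-1]][1]:
            if dep.lower() not in path:  # guard against cycles
                queue.append(path + [dep.lower()])
    return paths
```

To use it on a real project, load the project's own `obj/project.assets.json` with `json.load` and pass the target framework key that appears under `targets`.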