lawrence-laz
commented
6 months ago Well that's kind of annoying, the fix in Castle.Core is only available in these tags:
v5.0.0
v5.0.0-beta001
v5.1.0
v5.1.1meaning it was never released for 4.*.* versions.
I'm a bit hesitant to bump a major version on Castle.Core, as that is a breaking change and might cause difficulties to some users (those who are using the package not only as a transitive dependency of Decor).
The vulnerability page lists that System.Net.Http was patched on 4.3.4, so technically if we add that as an explicit dependency to Decor, the unpatched/vulnerable version should never be restored during the build. Not sure if your scanning tools would be sophisticated enough to figure that out, but it's worth a try.
I'll try to release this as a preview version, so please let me know if it resolves the issue.
If the scanning tool still complaints I'll just move to Castle.Core >=5.0.0 and bump major version in Decor as well.
dovrama
Hello, we're using this great package and our scanning tools have picked it up that it has vulnerability.
Basically nuget that is being used in this project (Castle.Core 4.4.0) has reference to this vulnerability: CVE-2018-8292
Exact path: Decor.Extensions.Microsoft.DependencyInjection/2.0.7 -> Castle.Core/4.4.0 -> NETStandard.Library/1.6.1 -> System.Net.Http/4.3.0
We believe that by bumping Castle.Core to newer versions (>= 5.0.0) should fix this issue. Same issue being discussed in Castle.Core: CastleCore using an old version of System.Net.Http which is vulnerable
Could this be done and released?
Thanks in advance!