microsoft / PowerPlatform-DataverseServiceClient

Code Replica for Microsoft.PowerPlatform.Dataverse.Client and supporting nuget packages.
MIT License

Vulnerable transitive packages #455

Closed isorty closed 4 months ago

isorty commented 5 months ago

Currently, when running `dotnet list package --vulnerable --include-transitive` it shows the following vulnerable packages:

| Transitive Package | Resolved | Severity | Advisory URL |
| --- | --- | --- | --- |
| System.Security.Cryptography.Pkcs | 6.0.1 | High | https://github.com/advisories/GHSA-555c-2p6r-68mm |
| System.Text.RegularExpressions | 4.3.0 | High | https://github.com/advisories/GHSA-cmhx-cq75-c4mj |

MattB-msft commented 4 months ago

This is an ongoing chase for downstream systems. We will update these as quickly as we can; however, in the interim, you're advised to add the specific versions of the transitive dependencies to your local projects.

Thanks for reporting this.
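
The interim workaround from the reply above, as an added example that is not part of the original thread or the project's code: it parses the text report of `dotnet list package --vulnerable --include-transitive` and renders the direct `PackageReference` pins to paste into a local project. The sample report is constructed from the two rows in the issue (project name, frameworks and column spacing are assumed), and the version is a placeholder to be filled in from each advisory.

```python
import re

# Constructed sample: the two rows from the issue, in the layout the dotnet CLI
# prints (project name, frameworks and spacing are assumed).
SAMPLE_REPORT = """\
Project `MyApp` has the following vulnerable packages
   [net6.0]:
   Transitive Package                     Resolved   Severity   Advisory URL
   > System.Security.Cryptography.Pkcs    6.0.1      High       https://github.com/advisories/GHSA-555c-2p6r-68mm
   > System.Text.RegularExpressions       4.3.0      High       https://github.com/advisories/GHSA-cmhx-cq75-c4mj
   [net8.0]:
   Transitive Package                     Resolved   Severity   Advisory URL
   > System.Text.RegularExpressions       4.3.0      High       https://github.com/advisories/GHSA-cmhx-cq75-c4mj
"""

SEVERITIES = ["Low", "Moderate", "High", "Critical"]
# Four-column rows only: package, resolved version, severity, advisory URL.
ROW = re.compile(r"^\s*>\s*(\S+)\s+(\S+)\s+(" + "|".join(SEVERITIES) + r")\s+(https://\S+)\s*$")
PLACEHOLDER = "FIXED_VERSION_FROM_ADVISORY"  # placeholder: read the patched version off the advisory


def parse_vulnerable(report):
    """Return one finding per package, merging rows repeated per framework or advisory."""
    findings = {}
    for line in report.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        package, resolved, severity, url = m.groups()
        f = findings.setdefault(package, {"package": package, "resolved": resolved,
                                          "severity": severity, "advisories": []})
        if url not in f["advisories"]:
            f["advisories"].append(url)
        # Keep the worst severity seen for the package.
        if SEVERITIES.index(severity) > SEVERITIES.index(f["severity"]):
            f["severity"] = severity
    return list(findings.values())


def pin_stubs(findings):
    """Render PackageReference entries that pin each flagged transitive package directly."""
    out = ["<ItemGroup>"]
    for f in findings:
        out.append(f'  <!-- resolved {f["resolved"]}, {f["severity"]}: {" ".join(f["advisories"])} -->')
        out.append(f'  <PackageReference Include="{f["package"]}" Version="{PLACEHOLDER}" />')
    out.append("</ItemGroup>")
    return "\n".join(out)


if __name__ == "__main__":
    print(pin_stubs(parse_vulnerable(SAMPLE_REPORT)))
```

After filling in the versions and restoring, rerunning the same `dotnet list package` command should no longer list the pinned packages.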