microsoft / artifacts-credprovider

The Azure Artifacts Credential Provider enables dotnet, NuGet.exe, and MSBuild to interactively acquire credentials for Azure Artifacts feeds.
MIT License

The last Create 1.1.0 release Build Failed. When v1.1.0 will be released? #463

Closed kumarpramod closed 6 months ago

kumarpramod commented 7 months ago

Hi,

I noticed that last Create 1.1.0 release failed (https://github.com/microsoft/artifacts-credprovider/actions/runs/6039485317).

This v1.1.0 release contains the updated NuGet.Protocol package version 5.11.5, which is a requirement for us, as our security scanner "Vanta" is complaining about a vulnerability in old NuGet.Protocol packages.

Can you please release v1.1.0?

/Pramod

kumarpramod commented 6 months ago

Hi @JohnSchmeichel @embetten, can you suggest how v1.1.0 can be released?

embetten commented 6 months ago

1.1.0-alpha is currently released as a pre-release version. See the release here. We will release the 1.1.0 version once we have verified all changes. To unblock, you can use the pre-release 1.1.0-alpha by specifying the version in the install script or by following the manual download instructions.

kumarpramod commented 6 months ago

Thanks @embetten, will give it a try. Do you have any tentative timeline for the release?

kumarpramod commented 6 months ago

Hi @embetten, @JoachimHafner

With `AZURE_ARTIFACTS_CREDENTIAL_PROVIDER_VERSION=1.1.0-alpha`:

Trivy scan result says the installed version is 6.3.3-rc.3 with CVE-2023-29337 (HIGH), and the fixed versions are [6.0.5, 6.2.4, 6.3.3, 6.4.2, 6.5.1, 6.6.1, 5.11.5].

So it seems using the alpha version may not help in our case, as the security scan still alerts for the above reasons.

embetten commented 6 months ago

@kumarpramod, 1.1.0-alpha is currently referencing NuGet.Protocol version 6.6.1 (here); the previous versions are using 5.11.5 (see the commit that upgrades it here). Per the CVE link, both 6.6.1 and 5.11.5 are unaffected versions.

It does not seem the cred provider is the source of the issue for your scan.

kumarpramod commented 6 months ago

@embetten, my apologies, you are correct. The cred provider does not have that NuGet vulnerability after using the alpha release.

Really appreciate your help.