Closed kumarpramod closed 6 months ago
Hi @JohnSchmeichel @embetten, can you suggest how v1.1.0 can be released?
1.1.0-alpha is currently released as a pre-released version. See the release here. We will release the 1.1.0 version once we have verified all changes. To unblock, you can use pre-released 1.1.0-alpha by specifying the version in the install script or by following the manual download instructions.
Thanks @embetten, will give it a try. Do you have any tentative timeline for the release?
Hi @embetten, @JoachimHafner
With _AZURE_ARTIFACTS_CREDENTIAL_PROVIDERVERSION=1.1.0-alpha
Trivy scan result: says installed version is 6.3.3-rc.3 with CVE-2023-29337 (HIGH) and fixed versions are [6.0.5, 6.2.4, 6.3.3, 6.4.2, 6.5.1, 6.6.1, 5.11.5].
So it seems using the alpha version may not help in our case, as the security scan still alerts due to the above reasons.
@embetten My apologies, you are correct. The cred provider does not have that NuGet vulnerability after using the alpha release.
Really appreciate your help.
Hi,
I noticed that the last Create 1.1.0 release failed (https://github.com/microsoft/artifacts-credprovider/actions/runs/6039485317).
This v1.1.0 release contains the NuGet.Protocol package updated to version 5.11.5, which is a requirement for us as our security scanner "Vanta" is complaining about a vulnerability in old packages of NuGet.Protocol.
Can you please release v1.1.0?
/Pramod