microsoft / botbuilder-dotnet

Welcome to the Bot Framework SDK for .NET repository, which is the home for the libraries and packages that enable developers to build sophisticated bot applications using .NET.
https://github.com/Microsoft/botframework
MIT License

Do not bump Moq to >=4.20.0 #6680

Closed stevengum closed 5 months ago

stevengum commented 11 months ago

FYI @tracyboehrer, @johnataylor, @LeeParrishMSFT there's a security issue with the inclusion of an email-gathering .dll that was added to moq v4.20.0. Do not bump Moq to any version greater than or equal to 4.20.0.

The .dll runs at build-time via Moq's code analysis tool. (See below and linked issues for more details)

https://github.com/moq/moq/issues/1372


Moq's maintainer is inviting discussion in https://github.com/moq/moq/issues/1374
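The version constraint from this issue (no Moq at or above 4.20.0) as a check a CI job could run over the repository's project files; this is an added example, not code from botbuilder-dotnet, and the file names it scans and its conservative treatment of floating and range version specs are assumptions.

```python
"""Flag Moq references that could pull in >= 4.20.0 (added check, not botbuilder-dotnet code)."""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

BLOCKED_PACKAGE = "moq"
BLOCKED_FROM = (4, 20, 0)  # first Moq version bundling the build-time analyzer, per the issue


def parse_version(text: str) -> tuple:
    """'4.20.0', '4.20' or '4.20.0-beta' -> (4, 20, 0). The prerelease tag is dropped, so
    4.20.0-beta is treated as blocked as well (deliberately conservative)."""
    core = text.strip().split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))


def moq_violations(project_xml: str) -> list:
    """Return one reason per Moq reference that is >= 4.20.0 or not pinned to a single version.
    Handles SDK-style .csproj (PackageReference) and Directory.Packages.props (PackageVersion),
    with or without the legacy MSBuild XML namespace on the element tags."""
    problems = []
    for node in ET.fromstring(project_xml).iter():
        if node.tag.rsplit("}", 1)[-1] not in ("PackageReference", "PackageVersion"):
            continue
        if node.get("Include", "").lower() != BLOCKED_PACKAGE:
            continue
        spec = node.get("Version") or node.findtext("Version") or ""
        if not spec or any(c in spec for c in "*[]()"):
            # Floating ('4.*') or range ('[4.18.4, 5.0)') specs may resolve to a blocked build.
            problems.append(f"Moq version '{spec or '<none>'}' is not pinned; may resolve to >= 4.20.0")
        elif parse_version(spec) >= BLOCKED_FROM:
            problems.append(f"Moq {spec} is >= 4.20.0")
    return problems


# Constructed sample project file (not from the repository) for a self-contained run.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Moq" Version="4.20.0" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    # Usage: python check_moq.py [dir ...]  (scans *.csproj and *.props under each directory);
    # with no arguments it checks the constructed sample above. Exit code 1 on any finding.
    paths = [p for arg in sys.argv[1:] for p in Path(arg).rglob("*") if p.suffix in (".csproj", ".props")]
    findings = {str(p): moq_violations(p.read_text(encoding="utf-8")) for p in paths}
    if not paths:
        findings = {"SAMPLE_CSPROJ": moq_violations(SAMPLE_CSPROJ)}
    for name, reasons in findings.items():
        for reason in reasons:
            print(f"{name}: {reason}")
    sys.exit(1 if any(findings.values()) else 0)
```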

tracyboehrer commented 11 months ago

@ceciliaavila Commenting for your team's visibility.

tracyboehrer commented 5 months ago

Apparently the privacy issues were resolved.