microsoft / botbuilder-dotnet

Welcome to the Bot Framework SDK for .NET repository, which is the home for the libraries and packages that enable developers to build sophisticated bot applications using .NET.
https://github.com/Microsoft/botframework
MIT License
878 stars 484 forks

Bot Builder 4.22.9 has vulnerable package Azure.Identity 1.3.0 #6862

Open xzf0587 opened 1 month ago

xzf0587 commented 1 month ago

Version

DotNet Bot Builder 4.22.9

Describe the bug

vulnerable package Azure.Identity 1.3.0

To Reproduce

The NuGet Manager will show the vulnerable package.

xzf0587 commented 4 weeks ago

Is there any update for this issue?

JhontSouth commented 2 weeks ago

Hi @xzf0587, @tracyboehrer, This package is no longer used in the project. It was removed after the update of the package Microsoft.Identity.Web.Certificateless from 1.26.0 to 3.30. This vulnerability will be fixed in the next release.

xzf0587 commented 2 weeks ago

Hi @JhontSouth, Thanks for the reply. I am happy to know the fix plan. What is the next release time?

JhontSouth commented 2 weeks ago

Hi @xzf0587, Maybe @tracyboehrer can help us with that information.