microsoft / iomt-fhir

MIT License

Update Azure.Identity to version 1.10.3 along with downstream packages. #300

Closed dustinburson closed 1 year ago

dustinburson commented 1 year ago

Update Azure.Identity package to address known vulnerability.

kyclai commented 1 year ago

Some packages have a dependency on Azure.Identity < 1.10.3, such as the following. Do they need to be updated too?

kyclai commented 1 year ago

https://github.com/microsoft/iomt-fhir/blob/main/src/console/packages.lock.json references Azure.Identity 1.9.0. Does this need to be updated too?

dustinburson commented 1 year ago

https://github.com/microsoft/iomt-fhir/blob/main/src/console/packages.lock.json references Azure.Identity 1.9.0. Does this need to be updated too?

Thanks for the call out Carrie. The package.lock files are automatically generated. The syntax [1.9.0, ) means the min version is 1.9 but can go higher unbounded.

Edit: I took a second look. This particular file seems to be old from when we had src/console/Microsoft.Health.Fhir.Ingest.Console.csproj in the directory. That project was deleted but it looks like the lock file was left behind. It is non-functional. I went ahead and deleted it in this PR since I had to make another change.

dustinburson commented 1 year ago

Some packages have a dependency on Azure.Identity < 1.10.3, such as the following. Do they need to be updated too?

  • Microsoft.Extensions.Azure: "Azure.Identity": "1.4.0"
  • Microsoft.Health.Client: "Azure.Identity": "1.10.0"

I am running our internal compliance build to verify but I don't think it is an issue. Our package version should be forcing the use of 1.10.3.

Edit: Running the internal compliance build found we were still using Azure.Identity 1.10 in the Microsoft.Health.Test.Utilities.proj. This was through the FHIR Client package you mentioned. Other projects were fine because they either had the package reference directly or transitively through Microsoft.Health.Common. This test project was the one exception. Pushing a new commit to address.
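A small check covering both points raised in the thread, the `[1.9.0, )` range notation and the transitive pull-in that the compliance build caught, as an added example that is not part of this PR or of the iomt-fhir project. The lock-file content is a constructed sample in the packages.lock.json layout; the floor 1.10.3 is the version this PR moves to.

```python
import json

# Constructed sample in the packages.lock.json layout (not a file from the iomt-fhir repo):
# Azure.Identity is referenced directly at the old floor and also pulled in transitively.
SAMPLE_LOCK = """{
  "version": 1,
  "dependencies": {
    "net6.0": {
      "Azure.Identity": {"type": "Direct", "requested": "[1.9.0, )", "resolved": "1.9.0"},
      "Microsoft.Health.Client": {"type": "Transitive", "resolved": "3.0.0",
                                  "dependencies": {"Azure.Identity": "1.10.0"}}
    }
  }
}"""

def parse_version(text):
    """Turn '1.10.3' into a comparable tuple; a '-prerelease' suffix is dropped."""
    return tuple(int(part) for part in text.split("-", 1)[0].split("."))

def version_in_range(version, range_text):
    """NuGet range notation: '1.9.0' and '[1.9.0, )' both mean >= 1.9.0 with no upper
    bound, '[1.9.0]' is exactly 1.9.0, '[1.9.0, 2.0.0)' is 1.9.0 <= v < 2.0.0."""
    v = parse_version(version)
    spec = range_text.strip()
    if spec[0] not in "[(":                      # bare version: inclusive minimum only
        return v >= parse_version(spec)
    low_incl, high_incl = spec[0] == "[", spec[-1] == "]"
    parts = [p.strip() for p in spec[1:-1].split(",")]
    low, high = parts if len(parts) == 2 else parts * 2   # single version: low == high
    if low and (v < parse_version(low) or (v == parse_version(low) and not low_incl)):
        return False
    if high and (v > parse_version(high) or (v == parse_version(high) and not high_incl)):
        return False
    return True

def resolved_below_floor(lock_text, package, floor):
    """List every target framework where `package` resolved below `floor`, together with
    the entries whose declared dependencies pull it in (what the compliance build flagged)."""
    findings = []
    for tfm, packages in json.loads(lock_text).get("dependencies", {}).items():
        entry = packages.get(package)
        if entry is None or parse_version(entry["resolved"]) >= parse_version(floor):
            continue
        pulled_by = [n for n, e in packages.items() if package in e.get("dependencies", {})]
        findings.append({"framework": tfm, "type": entry.get("type"),
                         "resolved": entry["resolved"], "pulled_in_by": pulled_by})
    return findings

if __name__ == "__main__":
    print(resolved_below_floor(SAMPLE_LOCK, "Azure.Identity", "1.10.3"))
```

Run against each packages.lock.json in a repo, the second function points at the projects (and the packages above them) that still resolve an old version even when a direct reference elsewhere forces the fixed one.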