microsoft / perfview

PerfView is a CPU and memory performance-analysis tool
http://channel9.msdn.com/Series/PerfView-Tutorial
MIT License

Vulnerability in the dependency tree #2032

Closed lidvarko closed 1 month ago

lidvarko commented 2 months ago

There is a vulnerability in the library dependency tree. system.net.request 4.3.0 has a dependency on system.net.http 4.3.0, which has a High severity vulnerability.

SymbioticKilla commented 2 months ago

You mean system.net.http? It is a transient, but it is annoying...

Is it possible to lock system.net.http to 4.3.4? Thanks!


MagicAndre1981 commented 1 month ago

@brianrob why does TraceEvent still require those old .net Standard 1.x libs when the TraceEvent lib is .net standard 2.0?

For example, System.Diagnostics.Process is part of .net standard 2.0 and only required for .net standard 1.x projects, which doesn't apply to TraceEvent.

Best is to remove all those old ns1.x support libs.

brianrob commented 1 month ago

That's a good callout @MagicAndre1981. I've posted #2037 for this.