microsoft / sbom-tool

The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.
MIT License

Bump Microsoft.Extensions.Caching.Memory for CVE #758

Closed DaveTryon closed 1 month ago

DaveTryon commented 1 month ago

CVE-2024-43483 requires that we bump Microsoft.Extensions.Caching.Memory from 8.0.0 to 8.0.1. This is a transitive dependency from Component Detection that they are likely to eventually pick up, at which time we can revert this change.

Redacted output from dotnet nuget why before the change -- version of Microsoft.Extensions.Caching.Memory is 8.0.0:

>dotnet nuget why Microsoft.Sbom.sln  Microsoft.Extensions.Caching.Memory
Project 'Microsoft.Sbom.Tool' has the following dependency graph(s) for 'Microsoft.Extensions.Caching.Memory':
  [net8.0]
   │  
   ├─ Microsoft.Sbom.Api (v1.0.0)
   │  ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
   │  │  └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
   │  └─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
   │     └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
   │        └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
   └─ Microsoft.Sbom.Extensions.DependencyInjection (v1.0.0)
      └─ Microsoft.Sbom.Api (v1.0.0)
         ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
         │  └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
         └─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
            └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
               └─ Microsoft.Extensions.Caching.Memory (v8.0.0)

Project 'Microsoft.Sbom.Api' has the following dependency graph(s) for 'Microsoft.Extensions.Caching.Memory':
  [net8.0]
   │  
   ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
   │  └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
   └─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
      └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
         └─ Microsoft.Extensions.Caching.Memory (v8.0.0)

Project 'Microsoft.Sbom.Api.Tests' has the following dependency graph(s) for 'Microsoft.Extensions.Caching.Memory':
  [net8.0]
   │  
   └─ Microsoft.Sbom.Api (v1.0.0)
      ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
      │  └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
      └─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
         └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
            └─ Microsoft.Extensions.Caching.Memory (v8.0.0)

Project 'Microsoft.Sbom.DotNetTool' has the following dependency graph(s) for 'Microsoft.Extensions.Caching.Memory':
  [net8.0]
   │  
   ├─ Microsoft.Sbom.Api (v1.0.0)
   │  ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
   │  │  └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
   │  └─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
   │     └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
   │        └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
   └─ Microsoft.Sbom.Extensions.DependencyInjection (v1.0.0)
      └─ Microsoft.Sbom.Api (v1.0.0)
         ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
         │  └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
         └─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
            └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
               └─ Microsoft.Extensions.Caching.Memory (v8.0.0)

Project 'Microsoft.Sbom.Extensions.DependencyInjection' has the following dependency graph(s) for 'Microsoft.Extensions.Caching.Memory':
  [net8.0]
   │  
   └─ Microsoft.Sbom.Api (v1.0.0)
      ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
      │  └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
      └─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
         └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
            └─ Microsoft.Extensions.Caching.Memory (v8.0.0)

Project 'Microsoft.Sbom.Extensions.DependencyInjection.Tests' has the following dependency graph(s) for 'Microsoft.Extensions.Caching.Memory':
  [net8.0]
   │  
   └─ Microsoft.Sbom.Extensions.DependencyInjection (v1.0.0)
      └─ Microsoft.Sbom.Api (v1.0.0)
         ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
         │  └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
         └─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
            └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
               └─ Microsoft.Extensions.Caching.Memory (v8.0.0)

Project 'Microsoft.Sbom.Targets' has the following dependency graph(s) for 'Microsoft.Extensions.Caching.Memory':
  [net8.0]
   │  
   ├─ Microsoft.Sbom.Extensions.DependencyInjection (v1.0.0)
   │  └─ Microsoft.Sbom.Api (v1.0.0)
   │     ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
   │     │  └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
   │     └─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
   │        └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
   │           └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
   └─ Microsoft.Sbom.Tool (v1.0.0)
      ├─ Microsoft.Sbom.Api (v1.0.0)
      │  ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
      │  │  └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
      │  └─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
      │     └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
      │        └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
      └─ Microsoft.Sbom.Extensions.DependencyInjection (v1.0.0)
         └─ Microsoft.Sbom.Api (v1.0.0)
            ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
            │  └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
            └─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
               └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
                  └─ Microsoft.Extensions.Caching.Memory (v8.0.0)

Project 'Microsoft.Sbom.Targets.Tests' has the following dependency graph(s) for 'Microsoft.Extensions.Caching.Memory':
  [net8.0]
   │  
   ├─ Microsoft.Sbom.Extensions.DependencyInjection (v1.0.0)
   │  └─ Microsoft.Sbom.Api (v1.0.0)
   │     ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
   │     │  └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
   │     └─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
   │        └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
   │           └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
   └─ Microsoft.Sbom.Tool (v1.0.0)
      ├─ Microsoft.Sbom.Api (v1.0.0)
      │  ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
      │  │  └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
      │  └─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
      │     └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
      │        └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
      └─ Microsoft.Sbom.Extensions.DependencyInjection (v1.0.0)
         └─ Microsoft.Sbom.Api (v1.0.0)
            ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
            │  └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
            └─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
               └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
                  └─ Microsoft.Extensions.Caching.Memory (v8.0.0)

Project 'Microsoft.Sbom.Tool.Tests' has the following dependency graph(s) for 'Microsoft.Extensions.Caching.Memory':
  [net8.0]
   │  
   └─ Microsoft.Sbom.Tool (v1.0.0)
      ├─ Microsoft.Sbom.Api (v1.0.0)
      │  ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
      │  │  └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
      │  └─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
      │     └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
      │        └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
      └─ Microsoft.Sbom.Extensions.DependencyInjection (v1.0.0)
         └─ Microsoft.Sbom.Api (v1.0.0)
            ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
            │  └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
            └─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
               └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
                  └─ Microsoft.Extensions.Caching.Memory (v8.0.0)

Project 'Microsoft.Sbom.Targets.E2E.Tests' has the following dependency graph(s) for 'Microsoft.Extensions.Caching.Memory':
  [net8.0]
   │  
   └─ Microsoft.Sbom.Tool (v1.0.0)
      ├─ Microsoft.Sbom.Api (v1.0.0)
      │  ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
      │  │  └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
      │  └─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
      │     └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
      │        └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
      └─ Microsoft.Sbom.Extensions.DependencyInjection (v1.0.0)
         └─ Microsoft.Sbom.Api (v1.0.0)
            ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
            │  └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
            └─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
               └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
                  └─ Microsoft.Extensions.Caching.Memory (v8.0.0)

Redacted output from dotnet nuget why before the change -- version of Microsoft.Extensions.Caching.Memory is 8.0.1:

>dotnet nuget why Microsoft.Sbom.sln  Microsoft.Extensions.Caching.Memory
Project 'Microsoft.Sbom.Tool' has the following dependency graph(s) for 'Microsoft.Extensions.Caching.Memory':
  [net8.0]
   │  
   ├─ Microsoft.Sbom.Api (v1.0.0)
   │  ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
   │  │  └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
   │  ├─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
   │  │  └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
   │  │     └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
   │  └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
   └─ Microsoft.Sbom.Extensions.DependencyInjection (v1.0.0)
      └─ Microsoft.Sbom.Api (v1.0.0)
         ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
         │  └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
         ├─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
         │  └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
         │     └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
         └─ Microsoft.Extensions.Caching.Memory (v8.0.1)

Project 'Microsoft.Sbom.Api' has the following dependency graph(s) for 'Microsoft.Extensions.Caching.Memory':
  [net8.0]
   │  
   ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
   │  └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
   ├─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
   │  └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
   │     └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
   └─ Microsoft.Extensions.Caching.Memory (v8.0.1)

Project 'Microsoft.Sbom.Api.Tests' has the following dependency graph(s) for 'Microsoft.Extensions.Caching.Memory':
  [net8.0]
   │  
   └─ Microsoft.Sbom.Api (v1.0.0)
      ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
      │  └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
      ├─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
      │  └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
      │     └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
      └─ Microsoft.Extensions.Caching.Memory (v8.0.1)

Project 'Microsoft.Sbom.DotNetTool' has the following dependency graph(s) for 'Microsoft.Extensions.Caching.Memory':
  [net8.0]
   │  
   ├─ Microsoft.Sbom.Api (v1.0.0)
   │  ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
   │  │  └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
   │  ├─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
   │  │  └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
   │  │     └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
   │  └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
   └─ Microsoft.Sbom.Extensions.DependencyInjection (v1.0.0)
      └─ Microsoft.Sbom.Api (v1.0.0)
         ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
         │  └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
         ├─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
         │  └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
         │     └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
         └─ Microsoft.Extensions.Caching.Memory (v8.0.1)

Project 'Microsoft.Sbom.Extensions.DependencyInjection' has the following dependency graph(s) for 'Microsoft.Extensions.Caching.Memory':
  [net8.0]
   │  
   └─ Microsoft.Sbom.Api (v1.0.0)
      ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
      │  └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
      ├─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
      │  └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
      │     └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
      └─ Microsoft.Extensions.Caching.Memory (v8.0.1)

Project 'Microsoft.Sbom.Extensions.DependencyInjection.Tests' has the following dependency graph(s) for 'Microsoft.Extensions.Caching.Memory':
  [net8.0]
   │  
   └─ Microsoft.Sbom.Extensions.DependencyInjection (v1.0.0)
      └─ Microsoft.Sbom.Api (v1.0.0)
         ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
         │  └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
         ├─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
         │  └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
         │     └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
         └─ Microsoft.Extensions.Caching.Memory (v8.0.1)

Project 'Microsoft.Sbom.Targets' has the following dependency graph(s) for 'Microsoft.Extensions.Caching.Memory':
  [net8.0]
   │  
   ├─ Microsoft.Sbom.Extensions.DependencyInjection (v1.0.0)
   │  └─ Microsoft.Sbom.Api (v1.0.0)
   │     ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
   │     │  └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
   │     ├─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
   │     │  └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
   │     │     └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
   │     └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
   └─ Microsoft.Sbom.Tool (v1.0.0)
      ├─ Microsoft.Sbom.Api (v1.0.0)
      │  ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
      │  │  └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
      │  ├─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
      │  │  └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
      │  │     └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
      │  └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
      └─ Microsoft.Sbom.Extensions.DependencyInjection (v1.0.0)
         └─ Microsoft.Sbom.Api (v1.0.0)
            ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
            │  └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
            ├─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
            │  └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
            │     └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
            └─ Microsoft.Extensions.Caching.Memory (v8.0.1)

Project 'Microsoft.Sbom.Targets.Tests' has the following dependency graph(s) for 'Microsoft.Extensions.Caching.Memory':
  [net8.0]
   │  
   ├─ Microsoft.Sbom.Extensions.DependencyInjection (v1.0.0)
   │  └─ Microsoft.Sbom.Api (v1.0.0)
   │     ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
   │     │  └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
   │     ├─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
   │     │  └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
   │     │     └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
   │     └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
   └─ Microsoft.Sbom.Tool (v1.0.0)
      ├─ Microsoft.Sbom.Api (v1.0.0)
      │  ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
      │  │  └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
      │  ├─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
      │  │  └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
      │  │     └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
      │  └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
      └─ Microsoft.Sbom.Extensions.DependencyInjection (v1.0.0)
         └─ Microsoft.Sbom.Api (v1.0.0)
            ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
            │  └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
            ├─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
            │  └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
            │     └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
            └─ Microsoft.Extensions.Caching.Memory (v8.0.1)

Project 'Microsoft.Sbom.Tool.Tests' has the following dependency graph(s) for 'Microsoft.Extensions.Caching.Memory':
  [net8.0]
   │  
   └─ Microsoft.Sbom.Tool (v1.0.0)
      ├─ Microsoft.Sbom.Api (v1.0.0)
      │  ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
      │  │  └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
      │  ├─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
      │  │  └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
      │  │     └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
      │  └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
      └─ Microsoft.Sbom.Extensions.DependencyInjection (v1.0.0)
         └─ Microsoft.Sbom.Api (v1.0.0)
            ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
            │  └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
            ├─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
            │  └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
            │     └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
            └─ Microsoft.Extensions.Caching.Memory (v8.0.1)

Project 'Microsoft.Sbom.Targets.E2E.Tests' has the following dependency graph(s) for 'Microsoft.Extensions.Caching.Memory':
  [net8.0]
   │  
   └─ Microsoft.Sbom.Tool (v1.0.0)
      ├─ Microsoft.Sbom.Api (v1.0.0)
      │  ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
      │  │  └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
      │  ├─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
      │  │  └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
      │  │     └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
      │  └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
      └─ Microsoft.Sbom.Extensions.DependencyInjection (v1.0.0)
         └─ Microsoft.Sbom.Api (v1.0.0)
            ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
            │  └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
            ├─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
            │  └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
            │     └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
            └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
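
As an added example (not part of this PR or of sbom-tool's code), the script below parses text output in the format pasted in the comment above and reports every dependency path that still resolves the package below a fixed version, plus which node is the immediate parent of each occurrence. The function names are hypothetical; the two sample inputs are the `Microsoft.Sbom.Api.Tests` graphs from that comment.

```python
import re

HEADER = re.compile(r"^Project '([^']+)' has the following dependency graph\(s\) for '([^']+)':")
NODE = re.compile(r"^(?P<prefix>[ │├└─]*)(?P<name>[\w.-]+) \(v(?P<ver>[^)]+)\)\s*$")

# Sample inputs: the Microsoft.Sbom.Api.Tests graphs from the comment (before / after the bump).
BEFORE = """\
Project 'Microsoft.Sbom.Api.Tests' has the following dependency graph(s) for 'Microsoft.Extensions.Caching.Memory':
  [net8.0]
   │
   └─ Microsoft.Sbom.Api (v1.0.0)
      ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
      │  └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
      └─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
         └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
            └─ Microsoft.Extensions.Caching.Memory (v8.0.0)
"""
AFTER = """\
Project 'Microsoft.Sbom.Api.Tests' has the following dependency graph(s) for 'Microsoft.Extensions.Caching.Memory':
  [net8.0]
   │
   └─ Microsoft.Sbom.Api (v1.0.0)
      ├─ Microsoft.ComponentDetection.Detectors (v5.1.5)
      │  └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
      ├─ Microsoft.ComponentDetection.Orchestrator (v5.1.5)
      │  └─ Microsoft.ComponentDetection.Detectors (v5.1.5)
      │     └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
      └─ Microsoft.Extensions.Caching.Memory (v8.0.1)
"""

def parse_version(text):
    # Numeric part only; a prerelease suffix such as "-preview.1" is ignored (simplification).
    return tuple(int(part) for part in text.split("-")[0].split("."))

def occurrences(output):
    """Yield (project, version, path) for every occurrence of the queried package."""
    project = package = None
    stack = []
    for line in output.splitlines():
        if m := HEADER.match(line):
            project, package, stack = m.group(1), m.group(2), []
        elif project and (m := NODE.match(line)):
            # Three columns of tree art per level; depth 1 is a direct reference of the project.
            depth = max(1, (len(m.group("prefix")) - 3) // 3)
            del stack[depth - 1:]
            stack.append(m.group("name"))
            if m.group("name") == package:
                yield project, m.group("ver"), tuple(stack)

def below_fixed(output, fixed):
    """List (project, version, path) for occurrences resolved below the fixed version."""
    minimum = parse_version(fixed)
    return [(proj, ver, " > ".join(path)) for proj, ver, path in occurrences(output)
            if parse_version(ver) < minimum]

def parents(output):
    """Names of the nodes (or projects) that sit immediately above the package."""
    return {path[-2] if len(path) > 1 else proj for proj, _, path in occurrences(output)}
```

In both graphs `Microsoft.ComponentDetection.Detectors` stays at v5.1.5 while its leaf changes from v8.0.0 to v8.0.1, so the tree shows resolved versions. The extra `Microsoft.Sbom.Api` entry in `parents(AFTER)` is what marks the explicit reference added by this change.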

codecov-commenter commented 1 month ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 70.13%. Comparing base (552c36c) to head (4499fac).

Additional details and impacted files

```diff
@@           Coverage Diff           @@
##             main     #758   +/-   ##
=======================================
  Coverage   70.13%   70.13%
=======================================
  Files         277      277
  Lines        8651     8651
  Branches     1006     1006
=======================================
  Hits         6067     6067
  Misses       2065     2065
  Partials      519      519
```


KalleOlaviNiemitalo commented 1 month ago

Would CentralPackageTransitivePinningEnabled avoid the need to explicitly promote the transitive dependency to direct? https://learn.microsoft.com/nuget/consume-packages/Central-Package-Management#transitive-pinning

DaveTryon commented 1 month ago

> Would CentralPackageTransitivePinningEnabled avoid the need to explicitly promote the transitive dependency to direct? https://learn.microsoft.com/nuget/consume-packages/Central-Package-Management#transitive-pinning

Thanks for the tip, @KalleOlaviNiemitalo! I experimented with this option, and we run into problems with mixed versions of System.Reactive and System.Threading.Tasks.Dataflow, coming largely through transitive dependencies. This can probably be addressed, but that would be a separate change, well beyond the scope of addressing a CVE.