microsoft / scalar

Scalar: A set of tools and extensions for Git to allow very large monorepos to run on Git without a virtualization layer
MIT License

Remove unused packages that have vulnerable dependencies #528

Closed derrickstolee closed 2 years ago

derrickstolee commented 2 years ago

We got an internal report for a vulnerability:

  A remote code execution vulnerability exists when parsing certain
  types of graphics files. This vulnerability only exists on systems
  running on MacOS or Linux. This CVE ID is unique from CVE-2021-26701.

The report also included this statement:

  Root dependencies for System.Drawing.Common

  Microsoft.PowerShell.SDK 6.2.2
  Microsoft.Windows.Compatibility 2.1.1

It turns out that we don't need these dependencies anymore, so we can remove them.
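The report above names the two direct references that are the "root dependencies" for System.Drawing.Common; the general way to produce that list for any flagged package is to walk the resolved NuGet graph backwards from the flagged node to the project's own PackageReferences. The script below is an added example and is not part of the scalar repository: it reads a document in the layout of `obj/project.assets.json` (the per-framework `targets` graph plus the `project.frameworks.*.dependencies` list of direct references) and reports which direct references transitively pull in the flagged package, together with the dependency chains. The sample document is constructed for illustration; the `Example.Intermediate.A` package, the `Newtonsoft.Json` entry and all version numbers other than 6.2.2 and 2.1.1 are placeholders, not the real dependency trees of those packages.

```python
"""Find which direct PackageReferences transitively pull in a flagged package.

Added example, not code from microsoft/scalar. Reads the shape of a NuGet
project.assets.json: "targets" holds the resolved graph, and
"project"."frameworks".<tfm>."dependencies" holds the direct references.
"""
import json
from collections import defaultdict

# Constructed sample in the layout of obj/project.assets.json (simplified).
# Only the two root package versions come from the PR; the intermediate
# package, Newtonsoft.Json and the remaining versions are placeholders.
SAMPLE_ASSETS = json.dumps({
    "targets": {
        "netcoreapp3.1": {
            "Microsoft.PowerShell.SDK/6.2.2": {
                "type": "package",
                "dependencies": {"Example.Intermediate.A": "1.0.0"},
            },
            "Microsoft.Windows.Compatibility/2.1.1": {
                "type": "package",
                "dependencies": {"System.Drawing.Common": "4.5.0"},
            },
            "Example.Intermediate.A/1.0.0": {
                "type": "package",
                "dependencies": {"System.Drawing.Common": "4.5.0"},
            },
            "System.Drawing.Common/4.5.0": {"type": "package"},
            "Newtonsoft.Json/12.0.3": {"type": "package"},
        }
    },
    "project": {
        "frameworks": {
            "netcoreapp3.1": {
                "dependencies": {
                    "Microsoft.PowerShell.SDK": {"target": "Package", "version": "[6.2.2, )"},
                    "Microsoft.Windows.Compatibility": {"target": "Package", "version": "[2.1.1, )"},
                    "Newtonsoft.Json": {"target": "Package", "version": "[12.0.3, )"},
                }
            }
        }
    },
})


def load_graph(assets_json, framework):
    """Return (edges, versions, direct, canon) for one target framework.

    edges: package -> set of packages it depends on
    versions: package -> resolved version string
    direct: set of packages referenced directly by the project
    canon: lower-cased id -> id as written (NuGet ids are case-insensitive)
    """
    doc = json.loads(assets_json)
    edges = defaultdict(set)
    versions, canon = {}, {}
    for key, entry in doc["targets"][framework].items():
        name, version = key.split("/", 1)
        versions[name] = version
        canon[name.lower()] = name
        for dep in entry.get("dependencies", {}):
            edges[name].add(dep)
    direct = set(doc["project"]["frameworks"][framework]["dependencies"])
    return edges, versions, direct, canon


def dependency_paths(assets_json, framework, flagged):
    """All chains root -> ... -> flagged, one list of package ids per chain."""
    edges, _, direct, canon = load_graph(assets_json, framework)
    flagged = canon.get(flagged.lower(), flagged)
    paths = []

    def walk(pkg, trail):
        if pkg == flagged:
            paths.append(trail)
            return
        for dep in sorted(edges.get(pkg, ())):
            if dep not in trail:  # guard against cycles in the graph
                walk(dep, trail + [dep])

    for root in sorted(direct):
        walk(root, [root])
    return paths


def find_roots(assets_json, framework, flagged):
    """Direct references that pull in `flagged`, mapped to their versions.

    These are the PackageReference lines to remove (if unused) or upgrade;
    a flagged package that is itself a direct reference is reported too.
    """
    _, versions, _, _ = load_graph(assets_json, framework)
    roots = {path[0] for path in dependency_paths(assets_json, framework, flagged)}
    return {r: versions.get(r) for r in sorted(roots)}


if __name__ == "__main__":
    for chain in dependency_paths(SAMPLE_ASSETS, "netcoreapp3.1", "System.Drawing.Common"):
        print(" -> ".join(chain))
    print(find_roots(SAMPLE_ASSETS, "netcoreapp3.1", "System.Drawing.Common"))
```

To run it against a real project, restore the project once so `obj/project.assets.json` exists, then pass that file's contents and the project's target framework to `find_roots`; every reported root is a candidate for removal if the project does not actually use it, which is the check this PR applies to the two packages above.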

derrickstolee commented 2 years ago

The functional tests are failing because of a change in microsoft/git, so the functional tests will pass in that environment. I'm going to merge this using admin privileges and verify microsoft/git still passes afterwards.