Open kerrywicks opened 1 week ago
Now that SSMS 21 preview is out, we will update the public nupkg with newer dependencies soon.
In any event, any application that takes a Microsoft.Data.SqlClient or SMO dependency should probably add explicit PackageReference entries for frequently updated packages like Azure.Identity, Azure.Core, and Microsoft.Identity.Client. I can guarantee they will release patches faster than we do.
Thanks for the speedy response! Looks like that is the way forwards. Thank you!
I've only noticed this after the folks at GitHub updated their GitHub Actions Windows runners to use a version of Visual Studio that has the NuGetAuditMode set to 'all', when the default used to be 'direct'. This means that any transitive packages with security vulnerabilities are now flagged up as warnings, when previously you'd not see anything if you had -warnaserror set.
The following dependencies of sqlmanagementobjects are flagged as vulnerable, but I'd also like to highlight that a lot of the dependencies referenced in general are massively out of date:
Azure.Identity 1.10.3 (Latest 1.13.1)
Microsoft.Identity.Client 4.56.0 (Latest 4.66.2)
Microsoft.IdentityModel.JsonWebTokens 6.24.0 (Latest 8.2.1)
System.Formats.Asn1 5.0.0 (Latest 9.0.0)
System.IdentityModel.Tokens.Jwt 6.24.0 (Latest 8.2.1)
At the moment, I've had to go through my projects and set the NuGetAuditMode back to direct to replicate the original behaviour so we have our builds back up and running - but obviously we can't stay in this mode forever, especially with a known security issue.
Are there any plans to update the dependencies for sqlmanagementobjects, or am I better off just trying to find an alternative?
Thanks!
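
The approach suggested in the thread, written out as a project file. This is an added example, not code from the issue or from the SMO project: the target framework and the SMO version placeholder are assumptions, and the pinned versions are the "Latest" values quoted in the issue, not versions confirmed here as fixed.

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Assumed target framework for this example. -->
    <TargetFramework>net8.0</TargetFramework>

    <!-- Workaround described in the issue: audit only direct references,
         which hides advisories on packages pulled in transitively.
         Shown commented out as the setting to move away from. -->
    <!-- <NuGetAuditMode>direct</NuGetAuditMode> -->

    <!-- Audit direct and transitive packages, matching the runner behaviour
         described in the issue. -->
    <NuGetAuditMode>all</NuGetAuditMode>

    <!-- Audit warnings fail the build, as with -warnaserror. -->
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Placeholder: use the SMO version the project already references. -->
    <PackageReference Include="Microsoft.SqlServer.SqlManagementObjects"
                      Version="SMO_VERSION_PLACEHOLDER" />

    <!-- Explicit references promote the flagged transitive packages to
         direct ones, so NuGet resolves these versions instead of the older
         ones SMO asks for. Versions are the "Latest" values from the issue.
         Azure.Core is also named in the thread, but no version is given
         there, so it is left out here. -->
    <PackageReference Include="Azure.Identity" Version="1.13.1" />
    <PackageReference Include="Microsoft.Identity.Client" Version="4.66.2" />
    <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="8.2.1" />
    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.2.1" />
    <PackageReference Include="System.Formats.Asn1" Version="9.0.0" />
  </ItemGroup>

</Project>
```

After restoring, `dotnet list package --vulnerable --include-transitive` shows whether any advisories remain in the resolved graph. Several of these pins cross major versions (6.x to 8.x, 5.x to 9.x), so the SMO code paths that use them need a test run before the override is relied on.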