Open stevengum opened 1 year ago
Thanks for bringing this up. We're currently using Moq 4.18.4, and are not planning to bump the version, other than for security patches.
@singhk97 @corinagum - just noticed that dependabot auto-bumped Moq to 4.20.69 (https://github.com/microsoft/teams-ai/pull/593). Is there any setting to let dependabot ignore Moq?
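One way to keep Dependabot from proposing the Moq bump, as an added example and not a file from the teams-ai repository: a `.github/dependabot.yml` `ignore` rule for the NuGet ecosystem that suppresses minor and major version updates of Moq while still allowing patch-level updates within the pinned 4.18.x line. The `directory` value and the weekly schedule are assumptions; adjust them to where the project's `.csproj` files live.

```yaml
# .github/dependabot.yml (added example, not the project's own file)
version: 2
updates:
  - package-ecosystem: "nuget"
    directory: "/"          # assumption: solution/.csproj files at repo root
    schedule:
      interval: "weekly"
    ignore:
      # Stay on Moq 4.18.x: block minor/major bumps (4.20.0+ ships the
      # build-time SponsorLink analyzer), but keep patch updates flowing.
      - dependency-name: "Moq"
        update-types:
          - "version-update:semver-minor"
          - "version-update:semver-major"
```

Note that an `ignore` entry applies to Dependabot security updates as well as version updates, so a security fix for Moq that only ships in a newer minor release would also be suppressed and would have to be reviewed and applied by hand.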
Let's leave this issue open until the security issue is fixed.
FYI @stevenic, @corinagum, @singhk97, @siduppal there's a security issue with the inclusion of an email-gathering .dll that was added to moq v4.20.0. Do not bump Moq to any version greater than or equal to 4.20.0.
The .dll runs at build-time via Moq's code analysis tool. (See below and linked issues for more details)
https://github.com/moq/moq/issues/1372
Moq's maintainer is inviting discussion in https://github.com/moq/moq/issues/1374