Open dungpa opened 2 years ago
@dungpa We don't really support this client anymore, but if you make a PR with a fix we probably can merge it.
@scottf It has been done by Dependabot at https://github.com/nats-io/stan.net/pull/203?
Is there any chance to merge that PR and release a new version of STAN.Client NuGet package?
@dungpa I merged #203. I then noticed that Google.Protobuf and Tools is at 3.21.1. Is it possible that you can upgrade to the latest? We really are not supporting this client anymore because of JetStream, but I can merge things and try to build.
@scottf I upgraded Google.Protobuf.Tools to 3.15.0 in https://github.com/nats-io/stan.net/pull/205 for consistency.
We are not ready to move to 3.21.1 yet, sorry.
Currently, the STAN.Client NuGet package uses Google.Protobuf version 3.13.0, which contains security vulnerabilities. See e.g.:

It's possible for the downstream systems to pin to a newer version and apply binding redirects. But it is not ideal for STAN.Client to depend on a compromised version of a popular dependency.

Is it possible to publish a new version of STAN.Client that uses Google.Protobuf 3.15.0 or newer (as suggested by the security advisory above)?
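The downstream workaround mentioned in the issue (pinning a newer Google.Protobuf and relying on binding redirects) looks like the following SDK-style project file; this is an added illustration, not a file from the stan.net repository, and the STAN.Client version is a placeholder. The `NuGetAudit` settings assume a NuGet client that supports package vulnerability auditing (NuGet 6.8 / .NET 8 SDK or newer) and turn a vulnerable transitive dependency into a build error rather than a warning.

```xml
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
    <!-- Have the SDK generate assembly binding redirects instead of hand-editing app.config -->
    <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
    <!-- Assumption: NuGet audit is available; fail restore on known-vulnerable packages,
         including transitive ones such as the Google.Protobuf pulled in by STAN.Client -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditLevel>moderate</NuGetAuditLevel>
    <NuGetAuditMode>all</NuGetAuditMode>
    <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Placeholder version: use whatever STAN.Client release the application consumes -->
    <PackageReference Include="STAN.Client" Version="STAN_CLIENT_VERSION_PLACEHOLDER" />
    <!-- A direct reference wins over the transitive 3.13.0 requested by STAN.Client,
         so the application resolves to the version the advisory recommends -->
    <PackageReference Include="Google.Protobuf" Version="3.15.0" />
  </ItemGroup>
</Project>
```

Running `dotnet list package --include-transitive` after restore confirms that Google.Protobuf resolves to 3.15.0 rather than the 3.13.0 that STAN.Client declares.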