stan.net
Is it possible to depend on a safer version of the `Google.Protobuf` NuGet package?
Currently the STAN.Client NuGet package uses Google.Protobuf version 3.13.0, which contains security vulnerabilities.
See e.g.:
- https://www.nuget.org/packages/Google.Protobuf/3.13.0
- https://github.com/advisories/GHSA-77rm-9x9h-xj3g
It's possible for the downstream systems to pin to a newer version and apply binding redirects.
But it is not ideal for STAN.Client
to depend on a compromised version of a popular dependency.
Is it possible to publish a new version of STAN.Client that uses Google.Protobuf 3.15.0 or newer (as suggested by the security advisory above)?
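The downstream workaround mentioned above (pinning a newer `Google.Protobuf` and adding a binding redirect) looks like the following. This is an added illustration, not code from the stan.net project or from anyone in this thread; the project name, the `publicKeyToken` value and the exact `newVersion` assembly version are placeholders, and the STAN.Client version number is assumed.

```xml
<!-- MyService.csproj (constructed example, not the stan.net project's file) -->
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net48</TargetFramework>
    <!-- Emit bindingRedirects automatically for .NET Framework apps -->
    <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
  </PropertyGroup>

  <ItemGroup>
    <!-- STAN.Client transitively pulls in Google.Protobuf 3.13.0 (version assumed) -->
    <PackageReference Include="STAN.Client" Version="0.3.0" />
    <!-- A direct reference wins over the transitive one under NuGet's
         nearest-wins rule, so the vulnerable 3.13.0 is replaced by 3.15.0,
         the floor recommended by the advisory cited in this issue -->
    <PackageReference Include="Google.Protobuf" Version="3.15.0" />
  </ItemGroup>
</Project>

<!-- App.config (constructed; only needed for .NET Framework, where the CLR
     refuses to load an assembly version other than the one STAN.Client was
     compiled against unless a redirect is present) -->
<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <!-- publicKeyToken and the assembly version range are placeholders:
             take the real values from the Google.Protobuf.dll you ship -->
        <assemblyIdentity name="Google.Protobuf"
                          publicKeyToken="PLACEHOLDER_TOKEN"
                          culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-3.15.0.0"
                         newVersion="3.15.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>
```

After restoring, confirm the resolved graph with `dotnet list package --include-transitive` and check that no 3.13.0 entry remains; `dotnet list package --vulnerable` reports packages with known advisories directly from the restore graph. The redirect is only a stopgap: it keeps the process loading the patched assembly, but every consumer has to repeat it, which is why the issue asks for the fix in the package itself.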
@dungpa We don't really support this client anymore, but if you make a PR with a fix we probably can merge it.
@scottf It has been done by Dependabot at https://github.com/nats-io/stan.net/pull/203?
Is there any chance to merge that PR and release a new version of STAN.Client NuGet package?
@dungpa I merged #203. I then noticed that Google.Protobuf and Tools are at 3.21.1. Is it possible that you can upgrade to the latest? We really are not supporting this client anymore because of JetStream, but I can merge things and try to build.
@scottf I upgraded Google.Protobuf.Tools to 3.15.0 in https://github.com/nats-io/stan.net/pull/205 for consistency.
We are not ready to move to 3.21.1 yet, sorry.