Closed luisjones closed 2 months ago
Can we fix it soon, then, on 2.7.1.1?
Select the project where you consume NPOI in Visual Studio, open the NuGet UI, and go to "Installed packages"; here you see "Top Level Packages" and "Transitive Packages". Now find SixLabors.ImageSharp under Transitive Packages and install it in version 2.1.9 to fix it yourself. The only issue now is that NuGet shows an update of SixLabors.ImageSharp to 3.1.5, because Microsoft still has no version range blocking like in the old packages.config times (allowedVersions entry) or detection of incompatible frameworks.
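The workaround described above, written out as a project file, as an added example that is not from this thread or the NPOI project. The project name, target framework and layout are assumptions; the NuGet behaviour it relies on is "nearest wins": a direct PackageReference takes precedence over the same package arriving transitively through NPOI.

```xml
<!-- Added example, not code from the NPOI project or this thread.
     Assumed: an SDK-style project targeting net8.0 that references NPOI 2.7.1. -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <!-- The package that pulls SixLabors.ImageSharp 2.1.8 in transitively. -->
    <PackageReference Include="NPOI" Version="2.7.1" />

    <!-- Promote the transitive package to a direct reference so NuGet resolves
         it to the version named here instead of the transitive 2.1.8.
         The bracket range means >= 2.1.9 and < 3.0, so a restore stays on
         the 2.x line; 3.x is a separate major version with its own API and is
         not a drop-in replacement for what NPOI 2.7.1 was built against. -->
    <PackageReference Include="SixLabors.ImageSharp" Version="[2.1.9,3.0)" />
  </ItemGroup>

</Project>
```

After a restore, `dotnet list package --include-transitive` should show SixLabors.ImageSharp as a top-level package at 2.1.9 and no longer list it under the transitive packages; rescanning the build output with Trivy then confirms the finding for 2.1.8 is gone. The range only constrains what restore resolves; it does not stop the Visual Studio NuGet UI from offering 3.1.5 as an available update.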
There is no plan for an urgent fix for this. The security bug is in the GIF codec. NPOI doesn't use that feature of ImageSharp at all.
Created #1402
NPOI Version
2.7.1
Issue Description
Our Trivy security scanner pipeline is preventing this project from being used due to a security vulnerability in the SixLabors.ImageSharp package.
Installed library version: 2.1.8
Fixed versions: 2.1.9, 3.1.5
CVE-2024-41132 (https://avd.aquasec.com/nvd/2024/cve-2024-41132/)
CVE-2024-41131 (https://avd.aquasec.com/nvd/2024/cve-2024-41131/)
I have not created a PR for this as I did not want this to conflict with https://github.com/nissl-lab/npoi/pull/1390