Open joacimsvensson opened 2 years ago
I don’t really think forcing security updates for Hangfire.Core is a job for extensions like Console, unless a vulnerability somehow affects or is related to the extension itself.
The extension only specifies the minimum version it can work with. It is your job as a developer/maintainer to keep packages used by your project up-to-date.
Hello! I agree that it is your job as a developer to keep the packages used by your project updated.
On the other hand, if I find packages in a codebase that use transitive packages reporting a vulnerability, this can lead to people no longer trusting the package.
"dotnet list ./
The dependency on Hangfire.Core should be elevated to version 1.7.3 and above. Versions of Hangfire.Core below that are vulnerable to cross-site scripting: https://ossindex.sonatype.org/vulnerability/sonatype-2019-0260?component-type=nuget&component-name=Hangfire.Core
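As an added illustration, not taken from this thread or from the Hangfire.Console project, this is how a consuming project pins the transitive Hangfire.Core dependency above the minimum the extension declares: a direct PackageReference takes precedence over the transitive floor, so NuGet resolves 1.7.3 instead of the older minimum. The Hangfire.Console version is a placeholder.

```xml
<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <!-- The extension only declares a minimum Hangfire.Core version it can work with -->
    <PackageReference Include="Hangfire.Console" Version="PLACEHOLDER_VERSION" />
    <!-- Direct reference overrides the transitive minimum; resolves Hangfire.Core 1.7.3
         (the first version the issue reports as fixed) rather than the older floor -->
    <PackageReference Include="Hangfire.Core" Version="1.7.3" />
  </ItemGroup>
</Project>
```

After restoring, `dotnet list package --include-transitive` shows which Hangfire.Core version was actually resolved, so the fix can be confirmed rather than assumed.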