pieceofsummer / Hangfire.Console

Job console extension for Hangfire
MIT License

Hangfire.Console has a dependency to versions of Hangfire.Core with known vulnerabilities #121

Open joacimsvensson opened 2 years ago

joacimsvensson commented 2 years ago

The dependency on Hangfire.Core should be elevated to version 1.7.3 and above. Versions of Hangfire.Core below that are vulnerable to cross-site scripting: https://ossindex.sonatype.org/vulnerability/sonatype-2019-0260?component-type=nuget&component-name=Hangfire.Core

pieceofsummer commented 2 years ago

I don’t really think forcing security updates for Hangfire.Core is a job for extensions like Console, unless a vulnerability somehow affects or is related to the extension itself.

The extension only specifies the minimum version it can work with. It is your job as a developer/maintainer to keep packages used by your project up-to-date.

novacema commented 6 months ago

Hello! I agree that it is your job as a developer to keep the packages used by your project updated.

On the other hand, if I find packages in a codebase that use transitive packages that report a vulnerability, this can lead to people no longer trusting the package.

```
dotnet list ./ package --vulnerable --include-transitive
```
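The two positions in this thread are compatible in practice: the extension pins only a minimum Hangfire.Core version, and the consuming project is where the resolved (possibly transitive) version gets audited. The following is an added example, not code from the Hangfire.Console project or any participant here. It wraps the `dotnet list package --vulnerable --include-transitive` command quoted above in a small CI gate that fails the build when any reported package meets a chosen minimum severity. The sample report embedded in the script is constructed to mirror the layout of that command's output (a `Top-level Package` table and a `Transitive Package` table, package rows prefixed with `>`); the package names, versions and advisory URLs in it are placeholders, not real findings.

```shell
#!/bin/sh
# Added example (not part of Hangfire.Console): a CI gate around
#   dotnet list <project> package --vulnerable --include-transitive
# It counts package rows at or above a minimum severity and returns non-zero
# when any are found, so a pipeline step can fail on vulnerable transitives
# such as an out-of-date Hangfire.Core pulled in by a minimum-version pin.

# Constructed sample report in the shape of the real command's output.
# Package names, versions and advisory URLs are placeholders.
SAMPLE_REPORT='The following sources were used:
   https://api.nuget.org/v3/index.json

Project `ExampleApp` has the following vulnerable packages
   [net6.0]:
   Top-level Package      Requested   Resolved   Severity   Advisory URL
   > Example.Logging      2.0.0       2.0.0      High       https://example.invalid/advisory-placeholder-1

   Transitive Package     Resolved   Severity   Advisory URL
   > Hangfire.Core        1.7.2      Moderate   https://example.invalid/advisory-placeholder-2'

# count_vulnerable MIN_SEVERITY
#   Reads a report on stdin and prints how many package rows (lines whose
#   first field is ">") have a severity at or above MIN_SEVERITY
#   (Low | Moderate | High | Critical; default Low counts every row).
#   In both the top-level and transitive tables the severity is the
#   second-to-last whitespace-separated field, just before the advisory URL.
count_vulnerable() {
  awk -v min="${1:-Low}" '
    function rank(s) {
      if (s == "Low")      return 1
      if (s == "Moderate") return 2
      if (s == "High")     return 3
      if (s == "Critical") return 4
      return 0
    }
    $1 == ">" && rank($(NF-1)) >= rank(min) { n++ }
    END { print n + 0 }'
}

# fail_on_vulnerable MIN_SEVERITY
#   Reads a report on stdin; returns 1 (and reports on stderr) when at least
#   one package meets the threshold, 0 otherwise. Intended as the last
#   command of a CI step so the step's exit status reflects the audit.
fail_on_vulnerable() {
  n=$(count_vulnerable "$1")
  if [ "$n" -gt 0 ]; then
    echo "audit gate: $n package(s) reported at severity >= ${1:-Low}" >&2
    return 1
  fi
  return 0
}

# Usage:
#   ./audit-gate.sh path/to/Project.csproj [MIN_SEVERITY]   (real run)
#   ./audit-gate.sh                                         (demo on sample)
if [ $# -gt 0 ]; then
  dotnet list "$1" package --vulnerable --include-transitive \
    | fail_on_vulnerable "${2:-Moderate}"
else
  printf '%s\n' "$SAMPLE_REPORT" | fail_on_vulnerable Moderate \
    || echo "demo: the sample report would fail the build"
fi
```

Raising the threshold (for example `High`) lets a team phase the gate in without ignoring the report entirely; the transitive `Hangfire.Core` row in the sample only trips the gate at `Moderate` or below, which is the kind of finding the thread is about. Remediating it does not require the extension to change its pin: a direct `PackageReference` to a fixed Hangfire.Core version in the consuming project overrides the transitive resolution.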