Release 6.7.1

[ckadluba]

• Fixed issue #552 by downgrading SqlClient dependency to 5.1.6 which is LTS and fixed the vulnerabilities referenced in issue #544
• Fixed vulnerabilities by removing all System.* 4 versions as recommended by Microsoft (https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/#system-net-http-and-system-text-regularexpressions, issue #544)
• Fixed vulnerability by updating xunit to 2.9.0 (issue #544)
• Fixed vulnerability by directly referencing transitive dependency System.Formats.Asn1 (https://github.com/advisories/GHSA-447r-wph3-92pm, issue #544)
• Fixed vulnerability by directly referencing transitive dependency System.Private.Uri (https://github.com/advisories/GHSA-xhfc-gr8f-ffwc, issue #544)
• Activated NuGet Audit for high and critical vulnerabilities in direct and transitive dependencies for all projects (https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/)

[github-advanced-security[bot]]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[cancakar35]

@ckadluba Why do we directly reference System.Private.Uri?

[ckadluba]

Hi @cancakar35!

Because there was a warning about a vulnerability when using dotnet nuget audit (see discussion here https://github.com/serilog-mssql/serilog-sinks-mssqlserver/issues/544#issuecomment-2320653299) and only referencing System.Private.Uri fixed it. As cremor noted, this might be a false positive caused by the SDK, but I didn't want to take the risk or let the sink have any warnings about vulnerabilities. Hopefully we can remove this again when MS fixes it the false positive or we upgrade the TFMs in the future.