zzzprojects / Eval-Expression.NET

C# Eval Expression | Evaluate, Compile, and Execute C# code and expression at runtime.
https://eval-expression.net/

Vulnerability in System.Data.Common #150

Closed vivet closed 11 months ago

vivet commented 12 months ago

The library includes System.Data.Common 4.3.0, which has an old vulnerability in System.Text.RegularExpressions 4.3.0. CVE-2019-0820, https://github.com/advisories/GHSA-cmhx-cq75-c4mj.

The package System.Data.Common is old and has not been updated for a long time. I actually find it strange that you can include it in netstandard2.0, as it references netstandard1.2.

Is it possible to update this to mitigate the vulnerability?

JonathanMagnan commented 12 months ago

Hello @vivet,

Thank you for reporting.

Indeed, this package was used when we were supporting .net standard 1.3 and is no longer needed.

We will review our dependencies.

Best Regards,

Jon

JonathanMagnan commented 11 months ago

Hello @vivet,

The v5.0.11 has been released.

We removed that dependency and 4 other packages that were no longer needed.

Thank you for letting us know about this vulnerability.

Best Regards,

Jon

vivet commented 11 months ago

Great, thanks
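
To trace how a transitive package like the one reported in the first comment reaches a build, the following added example (not part of the thread and not the project's code) walks the dependency graph in NuGet's `obj/project.assets.json`. The sample graph is constructed, and `Example.Lib` / `Example.Other` are hypothetical package names.

```python
import json
import sys

# Constructed sample in the shape of NuGet's obj/project.assets.json.
# "Example.Lib" and "Example.Other" are hypothetical direct references.
TFM = ".NETStandard,Version=v2.0"
SAMPLE_ASSETS = {
    "targets": {TFM: {
        "Example.Lib/1.0.0": {"dependencies": {"System.Data.Common": "4.3.0"}},
        "Example.Other/2.0.0": {"dependencies": {"System.Runtime": "4.3.0"}},
        "System.Data.Common/4.3.0": {"dependencies": {
            "System.Runtime": "4.3.0", "System.Text.RegularExpressions": "4.3.0"}},
        "System.Text.RegularExpressions/4.3.0": {"dependencies": {"System.Runtime": "4.3.0"}},
        "System.Runtime/4.3.0": {},
    }},
    "projectFileDependencyGroups": {TFM: ["Example.Lib >= 1.0.0", "Example.Other >= 2.0.0"]},
}

def paths_to_package(assets, package_id, version):
    """Return (target, chain) for every path from a direct reference to package_id/version."""
    wanted = f"{package_id}/{version}".lower()
    chains = []
    for tfm, libs in assets["targets"].items():
        # NuGet resolves one version per package id per target: id -> "Id/Version" key.
        resolved = {key.split("/")[0].lower(): key for key in libs}
        groups = assets.get("projectFileDependencyGroups", {})
        direct = [entry.split()[0].lower() for entry in groups.get(tfm, [])]

        def walk(pkg_id, chain):
            key = resolved.get(pkg_id)
            if key is None or key in chain:  # not a resolved package, or a cycle
                return
            chain = chain + [key]
            if key.lower() == wanted:
                chains.append((tfm, chain))
                return
            for dep in libs[key].get("dependencies", {}):
                walk(dep.lower(), chain)

        for pkg_id in direct:
            walk(pkg_id, [])
    return chains

if __name__ == "__main__":
    # Pass a real obj/project.assets.json path, or run with no argument for the sample.
    assets = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ASSETS
    for tfm, chain in paths_to_package(assets, "System.Text.RegularExpressions", "4.3.0"):
        print(f"[{tfm}] " + " -> ".join(chain))
```

The .NET SDK's `dotnet list package --vulnerable --include-transitive` reports which resolved packages carry known advisories; this script answers the follow-up question of which direct reference pulls one in.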