"..Solution contains packages with vulnerabilities" #4500
Comments
Update:
Also, the SharpCompress vulnerability is still present in 0.28.0: Of course, it is always suggested to switch to a new version with security patches :)
Oh yes, I meant v0.29. Not updating/patching well-known vulnerabilities is a very bad practice. When you desire to use only a small subset of a particular dependency that is
Since you obviously don't want to update the outdated version - why even keep the reference to the whole assembly or solution then?
Please note that I'm not the developer of HDT - and I'm saying, as a user to other users, it won't deal much damage due to the actual usage, so it's kinda safe, instead of "it should not be updated". Also, I guess you need to open an issue at Squirrel for the SharpCompress part? It specifies that version.
Yes, I have posted in Squirrel's closed issue. Actually I don't really understand for how long and why nobody became active in this affair.
Bug report
It's not a bug [it's worse, in a way], but it's definitely odd to keep severe/high vulnerabilities in an open source project that is being used as often/long as HSDT is.
Expected Behavior
Vulnerabilities that should have been removed long ago already, ordered by CVE severity:
High: Newtonsoft.Json 12.0.3
Moderate: SharpCompress 0.17.1
Actual Behavior
Despite the existence of vulnerability-free updates for:
Newtonsoft.Json: 13.0.3 (i.e. ++1 major version),
SharpCompress: 0.34.1,
no updates were done.
Note:
SharpCompress 0.18 was released on Jul 17, 2017, and you cannot see any earlier releases even. https://github.com/adamhathcock/sharpcompress/releases/tag/0.18
That, and the fact how inflationary Newtonsoft increments its major versions, makes me believe the outstanding SharpCompress update is almost worse despite the lower severity.
Visual Studio warns me about vulnerable NuGets, doesn't it for you?
[Elaborate guess: Maybe then it's time to move on from VS2017 to VS2022]
Also I recommend hopping from WPF to Avalonia. It's just a comparably tiny refactoring job since both are very similar. However, Avalonia supplies most platforms [Win, Linux, iOS, Android, Mac OS, WASM/Web] and you practically only need to write the code for the base application once (which is more or less already ready with your current code, apart from roughly estimating about 10-15% of the WPF code needs to be changed for the port - but it's always the same stuff that needs to be changed, so it's pretty straightforward, not like writing new code).
Actively developed, open source, awesome community, highly performant:
www.avaloniaui.net
Steps to reproduce behavior
Log/Screenshots
(VS, SolutionExplorer: Vulnerabilities-Warning)
(VS, NuGet GUI: distinct Vulnerabilities; cut together, downsized)
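As an added example (not HDT's or Squirrel's code), the check the reporter's Visual Studio warning performs can be reproduced outside the IDE: parse a project file's PackageReference entries and flag any whose version is below the update the thread cites. The thresholds and the sample .csproj are constructed from the versions named in the issue, not from advisory data; `dotnet list package --vulnerable` remains the authoritative check.

```python
# Added example: flag PackageReference entries below the fix versions cited in the thread.
# Thresholds are taken from the issue text, not from a vulnerability database (assumption).
import xml.etree.ElementTree as ET

# Versions the issue names as the vulnerability-free updates.
MIN_SAFE = {
    "Newtonsoft.Json": "13.0.3",
    "SharpCompress": "0.34.1",
}

def parse_version(v):
    """Turn '12.0.3' into (12, 0, 3); a pre-release suffix such as '-beta' is dropped."""
    core = v.split("-", 1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())

def referenced_packages(csproj_xml):
    """Yield (name, version) for each PackageReference, with or without an MSBuild namespace."""
    root = ET.fromstring(csproj_xml)
    for ref in root.iter():
        if ref.tag.rsplit("}", 1)[-1] != "PackageReference":
            continue
        name = ref.get("Include")
        version = ref.get("Version")
        if version is None:  # older projects put Version in a child element
            child = next((c for c in ref if c.tag.rsplit("}", 1)[-1] == "Version"), None)
            version = child.text.strip() if child is not None and child.text else None
        if name and version:
            yield name, version

def outdated_packages(csproj_xml, min_safe=MIN_SAFE):
    """Return [(name, found_version, required_version)] for references below the cited fix."""
    findings = []
    for name, version in referenced_packages(csproj_xml):
        required = min_safe.get(name)
        if required and parse_version(version) < parse_version(required):
            findings.append((name, version, required))
    return findings

# Constructed sample project mirroring the package versions reported in the issue.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="12.0.3" />
    <PackageReference Include="SharpCompress" Version="0.17.1" />
    <PackageReference Include="SomeOtherLib" Version="1.0.0" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for name, found, required in outdated_packages(SAMPLE_CSPROJ):
        print(f"{name} {found} is below the cited fix version {required}")
```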