
"..Solution contains packages with vulnerabilities" #4500

Open
PhilWeisz opened this issue Oct 9, 2023 · 6 comments
Comments

@PhilWeisz

PhilWeisz commented Oct 9, 2023

Bug report

It's not a bug [it's worse, in a way], but it's definitely odd to keep severe/high vulnerabilities in an open source project that is used as often and for as long as HDT is.

Expected Behavior

Vulnerabilities that should have been removed long ago, ordered by CVE severity:

High
Newtonsoft.Json 12.0.3

Moderate
SharpCompress 0.17.1

Actual Behavior

Despite the existence of the vulnerability-less updates for Newtonsoft.Json 13.0.3 (i.e. +1 major version) and SharpCompress 0.34.1, no updates were done.

Note:
SharpCompress 0.18 was released on Jul 17, 2017, and you cannot even see any earlier releases. https://github.com/adamhathcock/sharpcompress/releases/tag/0.18
Given that, and how inflationary Newtonsoft's major-version increments are, I believe the outstanding SharpCompress update is almost worse despite the lower severity.

Visual Studio warns me about vulnerable NuGets, doesn't it for you?
[Elaborate guess: Maybe then it's time to move on from VS2017 to VS2022]

Also, I recommend hopping from WPF to Avalonia.
It's just a comparably tiny refactoring job since both are very similar. However, Avalonia supports most platforms [Win, Linux, iOS, Android, macOS, WASM/Web], and you practically only need to write the code for the base application once (which is more or less already ready with your current code, apart from a rough estimate of 10-15% of the WPF code that needs to be changed for the port - but it's always the same stuff that needs to be changed, so it's pretty straightforward, not like writing new code).
Actively developed, open source, awesome community, high performance:
www.avaloniaui.net

Steps to reproduce behavior

  • any -

Log/Screenshots

[image: VS, Solution Explorer: vulnerabilities warning]

[image: VS, NuGet GUI: distinct vulnerabilities; cut together, downsized]

@PhilWeisz
Author

PhilWeisz commented Oct 9, 2023

Update:
Newtonsoft.Json's vulnerability is gone starting from version 13.0.1 and
SharpCompress vulnerability is gone starting from version 0.29.0

@sgkoishi
Contributor

sgkoishi commented Oct 9, 2023

The Newtonsoft.Json vulnerability is a DoS - which means it is slow (using high CPU and RAM) when encountering certain maliciously crafted input data. Such a use case is not how HDT works: HDT does not take arbitrary user input strings and parse them as JSON - in fact, this hardly affects HDT, if at all.
For SharpCompress, HDT does not use it directly. HDT uses Squirrel, which explicitly requires v0.17.1.

Also, the SharpCompress vulnerability is still present in 0.28.0: Affected versions: < 0.29, Patched versions: 0.29

Of course, it is always suggested to switch to a new version with security patches :)
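As an added example (not code from HDT, Squirrel, or any participant in this thread): the Newtonsoft.Json advisory discussed above concerns deeply nested input, and since 13.0.1 the library rejects nesting beyond a default MaxDepth of 64. The same limit can be set explicitly through JsonSerializerSettings on any version, which is the practical guard for code that does parse untrusted JSON. The class and method names below are illustrative assumptions, and the hostile payload is constructed inline.

```csharp
using System;
using System.Text;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

// Added example, not HDT's code. Assumes Newtonsoft.Json is referenced; on versions
// before 13.0.1 the explicit MaxDepth below is the only guard, on 13.0.1 and later it
// matches the new default of 64.
static class DeepNestingCheck
{
    // Constructed hostile payload: `depth` nested empty arrays, e.g. "[[[]]]".
    static string NestedArrays(int depth)
    {
        var sb = new StringBuilder(depth * 2);
        sb.Append('[', depth);
        sb.Append(']', depth);
        return sb.ToString();
    }

    // Parse with an explicit depth limit. Returns true if the document was accepted,
    // false (with the reader's message) if the nesting limit was exceeded.
    static bool TryParseBounded(string json, int maxDepth, out string error)
    {
        var settings = new JsonSerializerSettings { MaxDepth = maxDepth };
        try
        {
            JsonConvert.DeserializeObject<JToken>(json, settings);
            error = null;
            return true;
        }
        catch (JsonReaderException ex)   // thrown as soon as nesting passes MaxDepth
        {
            error = ex.Message;
            return false;
        }
    }

    static void Main()
    {
        // A small, legitimate document well within the limit is accepted.
        bool okSmall = TryParseBounded("{\"deck\":[1,2,3]}", 64, out _);
        Console.WriteLine(okSmall ? "small document accepted" : "small document rejected");

        // A payload nested far deeper than any real deck/log data is refused at depth 65,
        // before the reader has recursed deep enough to burn CPU, RAM, or stack.
        string hostile = NestedArrays(100000);
        bool okHostile = TryParseBounded(hostile, 64, out string why);
        Console.WriteLine(okHostile ? "hostile payload accepted" : "hostile payload rejected: " + why);
    }
}
```

Setting MaxDepth explicitly is the version-independent mitigation: a project pinned to 12.0.3 for other reasons still gets a hard bound on nesting, and a project on 13.0.1 or later documents the limit it relies on rather than trusting the default silently.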

@PhilWeisz
Author

Oh yes I meant v0.29.
Even if it does not affect HDT currently, it is in broad usage, and this gives potential attackers further attack surfaces, no matter whether or how a direct abuse of it is known.

Not updating/patching well known vulnerabilities is a very bad practice.

When you desire to use only a small subset of a particular dependency that is very old (i.e. the dependency's version has been outdated for a long time), you could just as well implement that subset of the foreign library in your software and exclude the potentially malicious or vulnerable parts.

@PhilWeisz
Author

Since you obviously don't want to update the outdated version, why even keep the reference to the whole assembly or solution then?

@sgkoishi
Contributor

sgkoishi commented Oct 11, 2023

Please note that I'm not the developer of HDT. I'm saying, as a user to other users, that it won't do much damage given the actual usage, so it's kinda safe; I'm not saying it should not be updated.

Also, I guess you need to open an issue at Squirrel for the SharpCompress part? It specifies that version.

@PhilWeisz
Author

PhilWeisz commented Oct 11, 2023

Yes, I have posted in Squirrel's closed issue.

Actually, I don't really understand for how long and why nobody has become active in this matter.
Thank you @sgkoishi .

@beheh beheh added the bug label Feb 18, 2024
3 participants