-
Notifications
You must be signed in to change notification settings - Fork 493
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Microsoft.Azure.Cosmos references many out of support and vulnerable package versions. #4674
Comments
We cannot update the dependency on For System.Net.Http and System.Text.RegularExpressions, we should investigate the path they are coming in through and either update an intermediate dependency, or consider pinning to a higher version. Tagging also @kirankumarkolli and @kundadebdatta. |
'System.Text.RegularExpressions' seems like a transitive dependency through 'Newtonsoft.Json' 'Newtonsoft.Json' 10.0.2 vulnerability is address through a code fix, unfortunately upgrading to the suggested version is a breaking change. Except 'Newtonsoft.Json' we can at-least fix others as new dependencies directly to override. @ericstj thoughts on how to way to let analyzer to suppress for Newtonsoft.Json? |
You can update the other dependencies, FWIW many of your customers are going to be in this same predicament since they'll see this vulnerability warning for Newtonsoft. Don't you have a major version where you can choose to update Newtonsoft? Also - have you reached out to @JamesNK to see if he'd be able to produce a |
Thank you other dependencies are addressed will ship part of next release. Our next major version will remove dependency on Newstonsoft and just use STJ as default serializer. |
STJ is going to have the same problem if you stay on older versions of it: dotnet/runtime#104619 |
I believe the STJ in here is inherited via Azure.Core, which currently is a 6.x min (which is not on the official list of versions covered by that cited issue? (Of course your overall point is not necessarily invalidated by that) |
…s) and also warnings (#4693) [INTERNAL] Samples: Fixes upgrades to latest versions (vulnerabilities) and also warnings For Cosmos pinned to latest versions ``` <PackageReference Include="Microsoft.Azure.Cosmos" Version="3.43.0" /> ``` Newtonsoft.Json and System.Text.Json: updated to patched versions ``` <PackageReference Include="Newtonsoft.Json" Version="13.0.3" /> <PackageReference Include="System.Text.Json" Version="8.0.4" /> ``` Microsoft.NET.Sdk.Functions: Upgraded to latest ``` <PackageReference Include="Microsoft.NET.Sdk.Functions" Version="4.4.1" /> ``` Removed transitive dependencies: Configuration and Configuration.FileExtensions ``` <PackageReference Include="Microsoft.Extensions.Configuration" Version="2.2.0" /> <PackageReference Include="Microsoft.Extensions.Configuration.FileExtensions" Version="2.2.0" /> ``` ChangeFeed project: Its a migration project which has V2 CFP project reference which has vulnerabile dependencies, which are now pinned explicitly to patched version ``` <PackageReference Include="System.Net.Http" Version="4.3.4" /> <PackageReference Include="System.Net.Security" Version="4.3.2" /> ``` Ref: #4674
Is this ever going to actually get fixed? I've been waiting on this for years. The 3.46.0 change only makes things worse. Now I have to have a direct dependency on Newtonsoft and can no longer justify it as an indirect reference through the Cosmos package. |
I agree with @AIZ-THerring. IMHO Nuget Microsoft packages have to migrate to STJ if they use Newtonsoft. It may be a long step but it is necessary to avoid depending on third party packages that do the same thing as a proprietary package. |
Describe the bug
Microsoft.Azure.Cosmos references many packages which are out of support and vulnerable.
To Reproduce
Create a new project with the latest .NET 9.0 preview SDK which includes NuGet audit for security vulnerabilities. Add a reference to
<PackageReference Include="Microsoft.Azure.Cosmos" Version="3.43.0"/>
and restore the project.Expected behavior
No warnings when restoring.
Actual behavior
The following warnings occur:
Environment summary
SDK Version: 3.43.0
.NET SDK: 9.0.0-preview.7.24405.7
OS Version: Windows 11 23H2
Additional context
See https://learn.microsoft.com/en-us/nuget/concepts/auditing-packages
https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/
Tasks
The text was updated successfully, but these errors were encountered: