Skip to content

Commit

Permalink
Add a direct reference to Asn1 to force version without a CVE (#7109)
Browse files Browse the repository at this point in the history
* Try remove the dependency on crypto

* Try if we can fix it

* Move asn1 reference to a separate item group

* Fix typos and formatting

* Sort PackageReferences

---------

Co-authored-by: Brandon Ording <bording@gmail.com>
  • Loading branch information
SzymonPobiega and bording authored Jul 19, 2024
1 parent d7b35c1 commit a2ca1a7
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion src/NServiceBus.Core/NServiceBus.Core.csproj
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,9 @@

<ItemGroup Label="Public dependencies">
<PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="8.0.0" />
<PackageReference Include="Microsoft.Extensions.Diagnostics" Version="8.0.0" />
<PackageReference Include="NServiceBus.MessageInterfaces" Version="[1.0.0, 2.0.0)" />
<PackageReference Include="System.Security.Cryptography.Xml" Version="8.0.0" />
<PackageReference Include="Microsoft.Extensions.Diagnostics" Version="8.0.0" />
</ItemGroup>

<ItemGroup Label="Private dependencies">
Expand All @@ -24,6 +24,10 @@
<PackageReference Include="Particular.Packaging" Version="4.1.0" PrivateAssets="All" />
</ItemGroup>

<ItemGroup Label="Direct references to transitive dependencies to avoid versions with CVE">
<PackageReference Include="System.Formats.Asn1" Version="8.0.1" />
</ItemGroup>

<PropertyGroup>
<PackageId>NServiceBus</PackageId>
<Description>Build, version, and monitor better microservices with the most powerful service platform for .NET</Description>
Expand Down

0 comments on commit a2ca1a7

Please sign in to comment.