
Fix vulnerabilities in dependencies #20547

Closed

Conversation

Muximize
Contributor

Description

Resolves 417 instances of 14 vulnerabilities in multiple versions of these 10 (transitive) dependencies:

Azure.Identity
Microsoft.Identity.Client
Newtonsoft.Json
Npgsql
SixLabors.ImageSharp
System.Formats.Asn1
System.Net.Http
System.Security.Cryptography.Xml
System.Text.Json
System.Text.RegularExpressions

These stats are only for the framework solution, but the modules were also fixed. These were found using:

dotnet list package --vulnerable --include-transitive

Notes

Because it gets annoying to keep having to fix these in our project, I thought maybe I should fix it at the source 😇

Instead of just updating the vulnerable package versions, I did some cleanup to reduce the amount of transitive dependencies and to make the process of updating them easier in the future:

  • Some vulnerabilities are only present in the netstandard2.0 and netstandard2.1 targets of some dependencies. Because ABP 8 requires net8.0 anyway, I assume those targets can be safely dropped as an easy fix.
  • The AssetTargetFallback can then be dropped from projects too.
  • There are a bunch of unused dependencies that I removed, but there might be more of them.
  • Because IdentityServer4 is deprecated, there is no fix for its vulnerability. According to Announcement of plan to replace the IdentityServer #11989 it should have been removed by now as OpenIddict became the default in ABP 6.
  • I also updated all other outdated dependencies I could find.
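The command above prints one row per project, target framework and package, so the headline figures in this description (instances, distinct vulnerabilities, distinct packages) and the observation that some advisories only surface under netstandard targets take a bit of aggregation. The following is an added example, not code from the PR or from ABP: it reads the `--format json` output of `dotnet list package --vulnerable --include-transitive` and produces those numbers. The field names follow my reading of the SDK's JSON output and are an assumption to verify against your SDK version; the embedded report and its advisory URLs are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample shaped like the JSON that `dotnet list package --vulnerable
# --include-transitive --format json` emits (field names are my reading of the SDK
# output and an assumption here; check against your SDK version). Advisory URLs are placeholders.
SAMPLE_REPORT = json.dumps({
    "version": 1,
    "parameters": "--vulnerable --include-transitive",
    "projects": [{
        "path": "framework/src/Example.Project/Example.Project.csproj",
        "frameworks": [
            {"framework": "netstandard2.0", "topLevelPackages": [], "transitivePackages": [
                {"id": "System.Text.Json", "resolvedVersion": "6.0.0",
                 "vulnerabilities": [{"severity": "High", "advisoryurl": "https://example.invalid/adv-A"}]},
                {"id": "System.Formats.Asn1", "resolvedVersion": "6.0.0",
                 "vulnerabilities": [{"severity": "High", "advisoryurl": "https://example.invalid/adv-B"}]}]},
            {"framework": "net8.0", "topLevelPackages": [
                {"id": "Newtonsoft.Json", "requestedVersion": "12.0.3", "resolvedVersion": "12.0.3",
                 "vulnerabilities": [{"severity": "High", "advisoryurl": "https://example.invalid/adv-C"}]}],
             "transitivePackages": [
                {"id": "System.Text.Json", "resolvedVersion": "6.0.0",
                 "vulnerabilities": [{"severity": "High", "advisoryurl": "https://example.invalid/adv-A"}]}]}]}]})

def summarize(report_json: str) -> dict:
    """Reduce the SDK report to instances, distinct advisories and distinct packages, and
    record which target frameworks reach each advisory so netstandard-only ones stand out."""
    report = json.loads(report_json)
    instances = 0
    versions = defaultdict(set)      # package id -> vulnerable resolved versions
    frameworks = defaultdict(set)    # advisory url -> target frameworks it appears under
    for project in report.get("projects", []):
        for fw in project.get("frameworks", []):
            for pkg in fw.get("topLevelPackages", []) + fw.get("transitivePackages", []):
                for vuln in pkg.get("vulnerabilities", []):
                    instances += 1
                    versions[pkg["id"]].add(pkg["resolvedVersion"])
                    frameworks[vuln["advisoryurl"]].add(fw["framework"])
    netstandard_only = sorted(adv for adv, fws in frameworks.items()
                              if all(f.startswith("netstandard") for f in fws))
    return {
        "instances": instances,
        "advisories": len(frameworks),
        "packages": {pkg: sorted(v) for pkg, v in sorted(versions.items())},
        "netstandard_only": netstandard_only,
    }

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_REPORT), indent=2))
```

Pipe the real report in with `dotnet list package --vulnerable --include-transitive --format json | python3 summarize.py` after replacing the embedded sample with `sys.stdin.read()`; the `netstandard_only` list is what dropping those targets would remove without any package bump.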

@CLAassistant

CLAassistant commented Aug 17, 2024

CLA assistant check
All committers have signed the CLA.

@Muximize
Contributor Author

Muximize commented Sep 2, 2024

I rebased this on latest dev to fix a merge conflict.

@MichelZ
Contributor

MichelZ commented Sep 5, 2024

Great initiative, I was just going to open an issue because of transitive package vulnerabilities that I'd like to see fixed 👍

@Muximize
Contributor Author

@maliming I see now ABP is usually quite conservative in updating dependencies, so maybe you can skip the last commit, or cherry pick what you like in this PR.

@Muximize Muximize force-pushed the fix-vulnerabilities branch 2 times, most recently from 687c2b4 to b24467b on September 11, 2024 08:34
@maliming maliming added this to the 9.0-final milestone Oct 8, 2024
@maliming maliming changed the base branch from dev to prerel-9.0 October 15, 2024 06:55
@maliming
Member

maliming commented Oct 15, 2024

Thanks @Muximize

We will continue to support the netstandard2.0 and netstandard2.1. And packages have been upgraded in #20960

I will cherry-pick your commit to a new Pull Request. 👍
