
Update vulnerable libraries #604

Closed


eskildsen

This is meant as an update for the current 4.4.1 version. The suggested version is 4.4.2, as these are only minor changes.

The aim is to update the dependencies System.Net.Http and System.Text.RegularExpressions to versions with security fixes. It is resolved in the new version 5 on master; however, with no suggested release date, this acts as an intermediary fix.

Feel free to comment if you see this as the wrong approach, or if the code needs to be altered.

@eskildsen (Author)

eskildsen commented Dec 13, 2021

This is meant to be branching from https://github.com/castleproject/Core/tree/v4.4.1, so it should probably not go to master, but rather to a new branch.

@@ -43,6 +43,11 @@
<PackageReference Include="System.ComponentModel" Version="4.3.0" />
<PackageReference Include="System.ComponentModel.TypeConverter" Version="4.3.0" />
</ItemGroup>

<ItemGroup Condition="'$(TargetFramework)'!='net35'AND'$(TargetFramework)'!='net40'">
<PackageReference Include="System.Net.Http" Version="4.3.4" />
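Review bot: the condition on the new ItemGroup, `'$(TargetFramework)'!='net35'AND'$(TargetFramework)'!='net40'`, has no spaces around `!=` and `AND`; write it as `'$(TargetFramework)' != 'net35' AND '$(TargetFramework)' != 'net40'` so it reads like the rest of the MSBuild conditions and is easy to check by eye. Also, the System.Net.Http reference pins exactly 4.3.4 while the PR description only says the new versions carry security fixes; naming the specific advisory in the description or commit message would let downstream consumers verify what this bump actually addresses.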

These packages should probably be defined with an open upper version so the application layer can have a higher version installed.

@Havunen

Havunen commented Dec 29, 2021

Wouldn't it be way better to add netstandard2.0 / net5.0 / net6.0 compilation targets and not have any dependencies for those?

@Havunen

Havunen commented Dec 29, 2021

I created an issue: #606, but I don't know if anybody is maintaining this project?
The new NuGet system makes it difficult to patch dependencies of dependencies...

@eskildsen (Author)

Wouldn't it be way better to add netstandard2.0 / net5.0 / net6.0 compilation targets and not have any dependencies for those?

Yes, it would certainly be better. However, this is meant as a small non-breaking change for the V4 branch. It seems the work on V5 will resolve these issues, so this is only until then. From recent issues and comments in this repository, this is something getting more attention. And it would be easier to get dependent projects (e.g. AutoMoq) to update to a minor version.

@Havunen

Havunen commented Dec 29, 2021

Hmm, yeah, but adding new target frameworks should not be a breaking change if old target frameworks are not removed. The change is easy to do, but getting the maintainers' attention to publish a new version is difficult :(

@jonorossi (Member)

I'm going to close this until it is clear in #602 why this change should go into Castle.

@jonorossi jonorossi closed this Jan 11, 2022
@Havunen

Havunen commented Feb 12, 2022

Can you add modern target frameworks to the official Castle Core package and upload it to NuGet, please? It would be nice to avoid a larger refactoring away from castle.core.
