Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

System.CommandLine.Hosting vulnerable transitive dependency #2503

Open
sanghel-orbyta opened this issue Nov 12, 2024 · 3 comments
Open

System.CommandLine.Hosting vulnerable transitive dependency #2503

sanghel-orbyta opened this issue Nov 12, 2024 · 3 comments

Comments

@sanghel-orbyta
Copy link

sanghel-orbyta commented Nov 12, 2024

Any chance for a release refresh of System.CommandLine.Hosting?

I'm getting a transitive dep vulnerability warning for the latest 0.4.0-alpha.. version, and AFAIK there aren't newer releases.

Image

@namtab00
Copy link

@jonsequitur / @adamsitnik / @Keboo sorry for the direct ping, any chance this could be looked into?

I know we're in PREVIEW waters, but this shouldn't be a big issue to fix.

@farangkao
Copy link

farangkao commented Nov 21, 2024

Note: if you have TreatWarningsAsErrors, with the newest Visual Studio Update, any Build will be blocked, even if you will accept the vulnerability (for most CLI Apps this can maybe be tolerated at the moment)

you can disable them individually, still get the warnings ,but the build will succeed.

		<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
		<WarningsNotAsErrors>NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>

message in the build:

 warning NU1903: Package 'System.Text.Json' 6.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-8g4q-xg66-9fp4

I would like to highlight, that he way this is currently solved is not satisfactory, and that this solution is since years in preview state is not very good solution for a project that is "from Microsoft".
Also please consider following the standard in implementing hosting support in the future, instead of this (working, but rather unconventional) solution, see here for more details:
#918

@sanghel-orbyta sanghel-orbyta changed the title System.CommanLine.Hosting vulnerable transitive dependency System.CommandLine.Hosting vulnerable transitive dependency Nov 21, 2024
@conficient
Copy link

Easy fix: add System.Text.Json version 6.0.11 (or whatever v6 version is current/secure) directly to the project.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants