Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[release/6.0] Update dependencies #34821

Merged
merged 1 commit into from
Oct 4, 2024
Merged

Conversation

AndriySvyryd
Copy link
Member

@AndriySvyryd AndriySvyryd commented Oct 3, 2024

Description

Due to a recent change NuGet restore now shows CVE warnings for transitive packages even if the actual version that will be used will be the current one provided by SDK. This PR updates transitive dependencies to minimize the number of warnings

Customer impact

Warnings on restore when EF packages are referenced.

How found

Partner ask (templates)

Regression

No

Testing

Tested manually.

Risk

Low.

@AndriySvyryd AndriySvyryd requested a review from a team October 3, 2024 20:16
@@ -21,6 +21,8 @@

<ItemGroup>
<PackageReference Include="Microsoft.Azure.Cosmos" Version="3.29.0" />
<PackageReference Include="System.Net.Http" Version="4.3.4" />
<PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These two indeed are dropped by conflict resolution, so it's annoying we need to specify them. The end up being brought in by Newtonsoft.Json which Cosmos doesn't want to update. Azure/azure-cosmos-dotnet-v3#4674

@@ -21,6 +21,9 @@

<ItemGroup>
<PackageReference Include="Microsoft.Data.SqlClient" Version="2.1.7" />
<PackageReference Include="System.Drawing.Common" Version="4.7.3" />
Copy link
Member

@ericstj ericstj Oct 3, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These ones are real transitive vulnerabilities. Nothing else is going to drop these or update them. Unfortunately SqlClient hasn't shipped an update to address them. Maybe they would consider it? I see version 2.1.7 was shipped less than a year ago.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They've been informed of this offline, but they don't plan to ship an update as this vulnerability does not affect SqlClient

@AndriySvyryd AndriySvyryd merged commit 1c624b2 into release/6.0 Oct 4, 2024
7 checks passed
@AndriySvyryd AndriySvyryd deleted the UpdateDependencies-6.0 branch October 4, 2024 18:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants