Consider publishing new version of System.Data.Common without transitive vulnerability #109551
Comments
dotnet-policy-service
bot
added
the
untriaged
|
Tagging subscribers to this area: @roji, @ajcvickers |
|
/cc @ericstj what's our policy for these things? |
|
I don't think the Thus, the vulnerability should not be applicable at all. |
|
The suggestion is to just remove the package for .NET Standard and .NET 6+. For .NET Framework, the package can be kept and no vulnerable dependency will be brought. |
|
Correct, we'd recommend that folks remove their dependency on this package. It's not required for .NETFramework, .NETStandard2.0, nor .NET. The only reason it might be brought in is some old library that's still building against .NETStandard1.x - and if that's the case here you can just as easily update any other transitive dependency. @Banner-Keith do you have a direct dependency on this package? Would you like us to take a look at your library and help you remove it? |
|
It's not being pulled in by me directly, but rather through the popular MiniProfiler library. The MiniProfiler.Shared nuget package has a dependency on System.Data.Common. They use it in anything targeting .net standard 2.0. After digging in to their csproj it looks like the reason I am seeing this now is that we use .net 8 and they target .net 6, .net standard 2.0, and .net 4.6.1. So now that we aren't on .net 6 we are getting the old dependencies. I will ask them to swap over to .net 8 support. |
The latest version of System.Data.Common 4.3.0 is widely used with 310k downloads and is dependent on System.Text.RegularExpressions 4.3.0 which has a vulnerability (#29550). Please consider publishing System.Data.Common 4.3.1 with a dependency of System.Text.RegularExpressions 4.3.1.
The text was updated successfully, but these errors were encountered: