Microsoft.Azure.Cosmos references many out of support and vulnerable package versions. #4674
Comments
microsoft-github-policy-service
bot
added
the
customer-reported
|
We cannot update the dependency on For System.Net.Http and System.Text.RegularExpressions, we should investigate the path they are coming in through and either update an intermediate dependency, or consider pinning to a higher version. Tagging also @kirankumarkolli and @kundadebdatta. |
|
'System.Text.RegularExpressions' seems like a transitive dependency through 'Newtonsoft.Json' 'Newtonsoft.Json' 10.0.2 vulnerability is address through a code fix, unfortunately upgrading to the suggested version is a breaking change. Except 'Newtonsoft.Json' we can at-least fix others as new dependencies directly to override. @ericstj thoughts on how to way to let analyzer to suppress for Newtonsoft.Json? |
|
You can update the other dependencies, FWIW many of your customers are going to be in this same predicament since they'll see this vulnerability warning for Newtonsoft. Don't you have a major version where you can choose to update Newtonsoft? Also - have you reached out to @JamesNK to see if he'd be able to produce a |
|
Thank you other dependencies are addressed will ship part of next release. Our next major version will remove dependency on Newstonsoft and just use STJ as default serializer. |
|
STJ is going to have the same problem if you stay on older versions of it: dotnet/runtime#104619 |
|
I believe the STJ in here is inherited via Azure.Core, which currently is a 6.x min (which is not on the official list of versions covered by that cited issue? (Of course your overall point is not necessarily invalidated by that) |
…s) and also warnings (#4693) [INTERNAL] Samples: Fixes upgrades to latest versions (vulnerabilities) and also warnings For Cosmos pinned to latest versions ``` <PackageReference Include="Microsoft.Azure.Cosmos" Version="3.43.0" /> ``` Newtonsoft.Json and System.Text.Json: updated to patched versions ``` <PackageReference Include="Newtonsoft.Json" Version="13.0.3" /> <PackageReference Include="System.Text.Json" Version="8.0.4" /> ``` Microsoft.NET.Sdk.Functions: Upgraded to latest ``` <PackageReference Include="Microsoft.NET.Sdk.Functions" Version="4.4.1" /> ``` Removed transitive dependencies: Configuration and Configuration.FileExtensions ``` <PackageReference Include="Microsoft.Extensions.Configuration" Version="2.2.0" /> <PackageReference Include="Microsoft.Extensions.Configuration.FileExtensions" Version="2.2.0" /> ``` ChangeFeed project: Its a migration project which has V2 CFP project reference which has vulnerabile dependencies, which are now pinned explicitly to patched version ``` <PackageReference Include="System.Net.Http" Version="4.3.4" /> <PackageReference Include="System.Net.Security" Version="4.3.2" /> ``` Ref: #4674
Describe the bug
Microsoft.Azure.Cosmos references many packages which are out of support and vulnerable.
To Reproduce
Create a new project with the latest .NET 9.0 preview SDK which includes NuGet audit for security vulnerabilities. Add a reference to
<PackageReference Include="Microsoft.Azure.Cosmos" Version="3.43.0"/>and restore the project.Expected behavior
No warnings when restoring.
Actual behavior
The following warnings occur:
Environment summary
SDK Version: 3.43.0
.NET SDK: 9.0.0-preview.7.24405.7
OS Version: Windows 11 23H2
Additional context
See https://learn.microsoft.com/en-us/nuget/concepts/auditing-packages
https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/
The text was updated successfully, but these errors were encountered: