Security issues #771
Comments
When you say 'the package', do you mean the PdfPig NuGet package or something else in the repo? (The main lib seems to only depend on System.ValueTuple, and then only on .NET 4.x, though adding a .NET 4.7.1 target might remove that for 4.7.1+ consumers.)
There are references to NETStandard.Library 1.6.1 from the tests though, which does cause complaints from certain tooling.
Sorry I wasn't clear. It's with NuGet packages that are included in PdfPig. They could be packages that are pulling in other dependencies that are out of date. Looking at the NuGet packages that are in PdfPig now, all of them are out of date, with CodeCov being deprecated and no longer maintained. Possibly updating the NuGet packages will update the dependencies.
There's already a discussion about the coverage thing in #755.
Thank you! Hopefully there will be a discussion about updating the other packages as well.
The dependencies in the test project have been updated and minimized now, which has removed transitive references to a load of old stuff, though the test project itself still runs against .NET Core 2.1 as well as 6.0.
Thank you!
I think all the old packages have been cleared out or updated now, so is there anything left to do here?
It all looks great now. Thank you!
I was investigating using this package for use on a work project, and part of our due diligence before using packages is to run the package through a scan for vulnerabilities. Our scan found multiple security vulnerabilities with the old versions of .NetCore and Newtonsoft.Json that should be fixed by updating the packages to the current versions.
I like the package, it does exactly what we need, but with the vulnerabilities, I won't be able to get it approved. Any chance of getting the packages you are using updated to address the vulnerabilities?
Thanks!