[browser][WBT] SignalRPassMessageWasmBrowser - NU1903 - System.Text.Json 8.0.0 #104737
Tagging subscribers to 'arch-wasm': @lewing

Note that this means that you are using the nuget.org feed somewhere which is unrelated but should be fixed as well. NU1903 is part of the NuGet Audit feature which only works with the nuget.org feed atm.

cc @lewing

Unfortunately, I don't know how these tests work. Can someone please file an issue for the nuget.org issue?
In wbt we're populating nuget config here:

that produces:

Do you mean we should remove
Yes. AFAIK using the nuget.org feed in our builds is disallowed for security reasons. cc @mmitche
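A small audit check for the point raised above, added here as an example and not code from the thread or from the runtime repository: it parses a NuGet.config, flags any package source that points at nuget.org, and flags a missing `<clear />`, because NuGet merges machine-, user- and repo-level config files and the user profile's default nuget.org source is inherited unless the repo config clears it. The two configs and the `feeds.example.invalid` hostname are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: no <clear />, and nuget.org listed beside an internal feed.
# The internal feed hostname is a placeholder, not a real feed.
RISKY_CONFIG = """<configuration>
  <packageSources>
    <add key="nuget" value="https://api.nuget.org/v3/index.json" />
    <add key="internal" value="https://feeds.example.invalid/internal/index.json" />
  </packageSources>
</configuration>"""

# Constructed sample: inherited sources cleared, nuget.org listed but disabled.
CLEAN_CONFIG = """<configuration>
  <packageSources>
    <clear />
    <add key="nuget" value="https://api.nuget.org/v3/index.json" />
    <add key="internal" value="https://feeds.example.invalid/internal/index.json" />
  </packageSources>
  <disabledPackageSources>
    <add key="nuget" value="true" />
  </disabledPackageSources>
</configuration>"""


def is_nuget_org(url):
    """True if the feed URL points at nuget.org or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return host == "nuget.org" or host.endswith(".nuget.org")


def audit_nuget_config(xml_text):
    """Return a list of findings for one NuGet.config; empty means nothing flagged.

    Without <clear /> the sources of outer config files are merged in, so an
    inherited nuget.org feed is reported even if this file never lists it.
    Sources marked in <disabledPackageSources> are not flagged.
    """
    root = ET.fromstring(xml_text)
    sources = root.find("packageSources")
    if sources is None:
        return ["no <packageSources>: every source is inherited from outer configs"]
    findings = []
    if sources.find("clear") is None:
        findings.append("missing <clear />: inherited sources (possibly nuget.org) are kept")
    disabled = {d.get("key") for d in root.iterfind("disabledPackageSources/add")
                if d.get("value", "").lower() == "true"}
    for add in sources.findall("add"):
        key, url = add.get("key"), add.get("value", "")
        if is_nuget_org(url) and key not in disabled:
            findings.append(f"source '{key}' uses nuget.org: {url}")
    return findings
```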
Copied from a mail conversation: .NET's policy is that we do not publish new intermediate packages for the sole purpose of updating a leaf dependency. This is instead an application-level concern. We rely on NuGet functionality to make updating leaf dependencies simple and painless. We don't yet have that documented but we will follow-up on it.
@ViktorHofer VS is telling me that this particular NuGet package is using a vulnerable assembly. So why do I have to fix this? Why do I have to manually download another top level dependency for what is currently transitive? I don't understand the logic. Surely, something, somewhere is responsible for using a vulnerable version and it should be rectified. No? Otherwise the headache is put on our shoulders and technically, the issue is not with our code but the NuGet packages concerned.
Build Information
Build: https://dev.azure.com/dnceng-public/public/_build/results?buildId=737345

Known issue validation
Build: https://dev.azure.com/dnceng-public/public/_build/results?buildId=737345
Error message validated:
NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability
Result validation: ✅ Known issue matched with the provided build.
Validation performed at: 7/11/2024 4:23:34 PM UTC