RCE vulnerability with System.Text.Encodings.Web@4.0.2 through a sample project

[jorbraken]

Description

PuppeteerSharp currently introduces an RCE vulnerability with System.Text.Encodings.Web@4.0.2.0 through a sample project here, and it's throwing off Snyk scanning thinking that's an actual vulnerability... Wondering if that could be upgraded to match a fixed version as listed on that Snyk link?

Complete minimal example reproducing the issue

• Nothing to reproduce, this is just a vulnerability that's throwing off scanners.

Expected behavior: Vulnerable package System.Text.Encodings.Web@4.0.2.0 throws off scanner

[What you expect to happen]

Actual behavior: Scanner not to go off with that vulnerability

[What actually happens]

Versions

• Which version of PuppeteerSharp are you using? 6.2.0
• Which .NET runtime and version are you targeting? .NET framework 4.6.1 and .NET Standard 2.0

Additional Information

N/A

[kblok]

It makes sense. PRs are welcome :)

[jorbraken]

Just dug a little deeper and it seems like it is being used by the Puppeteer itself...
PuppeteerSharp@6.2.0 › Microsoft.AspNetCore.WebUtilities@2.0.2 › System.Text.Encodings.Web@4.4.0

And Microsoft.AspNetCore.WebUtilities is being used directly here

I'll try to collab with a PR 👍