Wali/nuget package vulnerability fix #2068
Conversation
src/BuildServer/BuildServer.csproj
Outdated
@@ -18,7 +18,9 @@ | |||
<PackageReference Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.17.0" /> | |||
<PackageReference Include="Newtonsoft.Json" Version="13.0.2" /> | |||
<PackageReference Include="RunProcessAsTask" Version="1.2.4" /> | |||
<PackageReference Include="runtime.unix.System.Private.Uri" Version="4.3.2" /> |
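Review bot: the new `runtime.unix.System.Private.Uri` line in BuildServer.csproj carries no comment, so a reader of the csproj cannot tell that a runtime package the project never consumes directly is being pinned to override a vulnerable transitive version rather than being a real dependency, and the hunk header (+2 lines) shows only this one added line, so whatever else changed in this region is not visible for review. Add an XML comment directly above the line that names the advisory and the transitive version being displaced, for example `<!-- Direct pin to override a vulnerable transitive version; drop once the package that pulls it in is updated -->`, and since only the `runtime.unix` flavor is pinned, state in that comment whether any other RID-specific flavor of System.Private.Uri is restored and left unpinned.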
Would you mind providing some context as to why this runtime.unix.System.Private.Uri package was also added as a package reference throughout these .csproj files?
Adding a screenshot or a description of the vulnerability we are solving would be nice.
Please have a look at the comment: #2068 (comment)
src/Detector/Detector.csproj
Outdated
@@ -57,7 +57,9 @@ | |||
<PackageReference Include="Microsoft.CSharp" Version="4.7.0" /> | |||
<PackageReference Include="Microsoft.Extensions.Http" Version="7.0.0" /> | |||
<PackageReference Include="Newtonsoft.Json" Version="13.0.2" /> | |||
<PackageReference Include="runtime.unix.System.Private.Uri" Version="4.3.2" /> |
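Review bot: Detector.csproj now carries the same `runtime.unix.System.Private.Uri` 4.3.2 pin, but the review thread states that Detector already references Common.csproj, so if Common holds the pin this line is a duplicate that must be kept in sync on every future bump; settle on one location for the override (the thread converges on Detector.csproj only) and remove the other copies. Also paste the output of `dotnet list package --vulnerable --include-transitive` for this project into the PR description so the need for a direct reference here is verifiable rather than asserted.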
nit: I'm not sure if we need to include these package references in Detector.csproj and Detector.Test.csproj since they already reference the Common.csproj project, so these package references should be propagated downstream to these projects, but it's worth double-checking this.
Please have a look at the comment: #2068 (comment)
After discussing with Dan, I have updated the dependency in the projects. Our partners showed concern on the
Could you please clarify why the other projects apart from Detector don't show the vulnerability? Given that here we need to take a direct dependency on a package we don't need directly, I'd rather make sure we minimize the impact on our project to where it is absolutely needed.
@daniv-msft @waliMSFT -- to follow-up on the above comment: it may be worth introducing
@daniv-msft Among all the projects we have inside
Thanks for clarifying! In that case, please consider moving the System.Private.Uri nuget reference to Detector.csproj only so that we keep the workaround we need to create here as minimal as possible.
updated the version of the nuget package System.Runtime.Uri to 4.3.2
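The open question in the thread is whether the pin in Detector.csproj and Detector.Test.csproj is redundant once Common.csproj carries it, since a PackageReference declared in a referenced project flows to every project that references it, directly or transitively, unless it is marked PrivateAssets="all". The script below is an added example, not tooling from this repository: it parses a set of csproj files, follows ProjectReference edges, and reports per project whether a given package is pinned directly, inherited through the project graph, both (redundant), or absent. The csproj contents are constructed for the example; only the file names mirror the PR, and the layout of the test project is assumed.

```python
"""Report where a PackageReference pin is direct, inherited, or redundant.

Added example, not the project's own tooling. The csproj contents in
PROJECTS are constructed; only the file names mirror the PR. Model:
a PackageReference flows to consuming projects through ProjectReference
edges unless it carries PrivateAssets="all".
"""
import posixpath
import xml.etree.ElementTree as ET

PACKAGE = "runtime.unix.System.Private.Uri"

# Constructed sample projects (not the real files from the PR).
PROJECTS = {
    "src/Common/Common.csproj": """
<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.2" />
    <PackageReference Include="runtime.unix.System.Private.Uri" Version="4.3.2" />
  </ItemGroup>
</Project>""",
    "src/Detector/Detector.csproj": """
<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <ProjectReference Include="..\\Common\\Common.csproj" />
    <PackageReference Include="runtime.unix.System.Private.Uri" Version="4.3.2" />
  </ItemGroup>
</Project>""",
    "tests/Detector.Test/Detector.Test.csproj": """
<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <ProjectReference Include="../../src/Detector/Detector.csproj" />
  </ItemGroup>
</Project>""",
    "src/BuildServer/BuildServer.csproj": """
<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="runtime.unix.System.Private.Uri" Version="4.3.2" />
  </ItemGroup>
</Project>""",
}


def parse_projects(sources):
    """Return {path: {"packages": {id: (version, flows)}, "refs": [paths]}}."""
    graph = {}
    for path, xml in sources.items():
        root = ET.fromstring(xml.strip())
        packages, refs = {}, []
        for el in root.iter("PackageReference"):
            # PrivateAssets="all" keeps the package out of consuming projects.
            flows = el.get("PrivateAssets", "").strip().lower() != "all"
            packages[el.get("Include")] = (el.get("Version"), flows)
        for el in root.iter("ProjectReference"):
            rel = el.get("Include").replace("\\", "/")  # csproj often uses backslashes
            refs.append(posixpath.normpath(posixpath.join(posixpath.dirname(path), rel)))
        graph[path] = {"packages": packages, "refs": refs}
    return graph


def inherited_packages(graph, path, seen=None):
    """Packages `path` receives via ProjectReferences: {id: (version, nearest source)}.

    Simplification: PrivateAssets on a ProjectReference itself is not modelled.
    """
    seen = set() if seen is None else seen
    inherited = {}
    for ref in graph[path]["refs"]:
        if ref in seen or ref not in graph:
            continue
        seen.add(ref)
        for pkg, (ver, flows) in graph[ref]["packages"].items():
            if flows:
                inherited.setdefault(pkg, (ver, ref))
        for pkg, val in inherited_packages(graph, ref, seen).items():
            inherited.setdefault(pkg, val)
    return inherited


def classify(graph, package):
    """Per project: (status, direct_version, inherited_from)."""
    report = {}
    for path in graph:
        direct = graph[path]["packages"].get(package)
        inherited = inherited_packages(graph, path).get(package)
        if direct and inherited:
            status = "redundant" if direct[0] == inherited[0] else "override"
        elif direct:
            status = "direct-only"
        elif inherited:
            status = "inherited"
        else:
            status = "absent"
        report[path] = (status, direct[0] if direct else None,
                        inherited[1] if inherited else None)
    return report


if __name__ == "__main__":
    for path, (status, ver, src) in classify(parse_projects(PROJECTS), PACKAGE).items():
        print(f"{path}: {status}" + (f" (direct {ver})" if ver else "")
              + (f" via {src}" if src else ""))
```

With the constructed inputs, Detector.csproj comes out as "redundant" (it pins 4.3.2 itself and also inherits 4.3.2 from Common.csproj), Detector.Test.csproj as "inherited" with no pin of its own, and BuildServer.csproj and Common.csproj as "direct-only". A csproj scan can only see project-to-project propagation; it cannot tell whether a "direct-only" pin is actually needed, because that depends on which transitive package version NuGet would otherwise resolve. For that, `dotnet list package --vulnerable --include-transitive` run against each project before and after the pin remains the authoritative check.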