Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerability in the dependency tree #2032

Closed
lidvarko opened this issue May 3, 2024 · 3 comments · Fixed by #2037
Closed

Vulnerability in the dependency tree #2032

lidvarko opened this issue May 3, 2024 · 3 comments · Fixed by #2037

Comments

@lidvarko
Copy link

lidvarko commented May 3, 2024

There is a vulnerability in the library dependency tree. system.net.request 4.3.0 has a dependency to system.net.http 4.3.0 that has a High severity vulnerability.
@SymbioticKilla
Copy link

SymbioticKilla commented May 6, 2024
edited

You mean system.net.http?It is a transient, but it is annoying...

Is it possible to lock system.net.http to 4.3.4?
Thanks!

image

@MagicAndre1981
Copy link
Contributor

@brianrob why does TraceEvent still require those old .net Standard 1.x libs when the TraceEvent lib is .net standard 2.0?

For example System.Diagnostics.Process is part of .net standard 2.0

image

and only required for .net standard 1.x projects which doesn't apply to TraceEvent

image

Best is to remove all those old ns1.x support libs.

@brianrob brianrob mentioned this issue May 24, 2024
Merged
@brianrob
Copy link
Member

That's a goodo callout @MagicAndre1981. I've posted #2037 for this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Remove Unnecessary PackageReferences brianrob/perfview
4 participants
@brianrob @MagicAndre1981 @lidvarko @SymbioticKilla