
Critical vulnerability in dependency chain #213

Open
the-black-wolf opened this issue Sep 25, 2024 · 6 comments
Labels
enhancement New feature or request

Comments

@the-black-wolf

Description

Prism.Avalonia (including prerelease) has a versioned dependency chain, starting with System.Configuration.ConfigurationManager 4.7.0 and ending in the package System.Drawing.Common 4.7.0, which has a known critical severity vulnerability, GHSA-rxg9-xrhp-64gj.

Reference should be upgraded to the latest 8.0.0 version.

Environment

  • OS: All
  • Prism.Avalonia Version: 9.0.401.11110-pre, but others are affected
  • Avalonia Version: 11.2.0-beta2

Severity (1-5)

3: it's annoying, but it also causes errors in TreatWarningsLikeErrors build configs.

Steps To Reproduce

Steps to reproduce the behavior:
Just add the package and build under the latest toolkit; the warning should pop up:

`C:\projects\Foo\Fai\Fo\Fam.csproj : warning NU1904: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, GHSA-rxg9-xrhp-64gj`

Expected Behavior

Updated references

Screenshots

n/a

Additional context

n/a

@the-black-wolf the-black-wolf added the enhancement New feature or request label Sep 25, 2024
@DamianSuess
Collaborator

Wonderful catch, thank you for the heads up

@the-black-wolf
Author

Hm, not to be a stickler, but can we expect a NuGet release with the updated references? We are kind of getting our ears pulled by CI.

@DamianSuess
Collaborator

DamianSuess commented Oct 12, 2024

@the-black-wolf, just a heads up: the 9.0 release was pulled as we are moving to be fully integrated with the Prism project. All new releases starting with 9.0 will be created over there moving forward.

@the-black-wolf
Author

@DamianSuess hi, can you please point me to it, as I don't see Avalonia in the main Prism project?

@DamianSuess
Collaborator

We're still working on the migration to get things published.

What's the best way to reach you to get the support you need?

@the-black-wolf
Author

@DamianSuess
It's not that big of a deal that I would want to waste your time. I am happy to just track the progression of this, if there is an issue or a pull request I can follow. For now I added a v8 reference into the project, overriding the transitive one from Prism.Avalonia, to get us through CI. I have no way of knowing if this will cause us any regression issues, but for now we are in development and not yet into CD. There is still some time left before we have to roll it out.
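The workaround described in this thread, written out as an added example that is not from the issue or the Prism.Avalonia project: a project file that adds a direct reference to System.Drawing.Common 8.0.0 so it wins over the transitive 4.7.0, and that keeps NuGet's audit enabled for transitive packages with NU1904 treated as an error so the vulnerable version cannot silently come back. The target framework and the Avalonia/Prism.Avalonia versions are taken from the issue's environment section; everything else is an assumption.

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>WinExe</OutputType>
    <!-- Assumed target framework; adjust to your project -->
    <TargetFramework>net8.0</TargetFramework>

    <!-- Keep NuGet's vulnerability audit on and extend it to transitive
         packages, which is where System.Drawing.Common 4.7.0 comes from. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>low</NuGetAuditLevel>

    <!-- Fail the build on a critical advisory (NU1904) even when the rest of
         the warnings are not promoted to errors, so CI keeps enforcing the fix. -->
    <WarningsAsErrors>$(WarningsAsErrors);NU1904</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Avalonia" Version="11.2.0-beta2" />
    <PackageReference Include="Prism.Avalonia" Version="9.0.401.11110-pre" />

    <!-- Direct reference to the patched version. NuGet resolves the nearest
         reference in the graph, so this overrides the transitive 4.7.0 pulled
         in via System.Configuration.ConfigurationManager. -->
    <PackageReference Include="System.Drawing.Common" Version="8.0.0" />
  </ItemGroup>

</Project>
```

After restoring, `dotnet list package --vulnerable --include-transitive` shows whether any vulnerable package, direct or transitive, is still in the resolved graph.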
