Cannot update to v2.1.7 due to vulnerability tag #2689

Closed
4 tasks done
WParr3 opened this issue Mar 6, 2024 · 4 comments
Labels
security upstream-issue Issue depends on upstream dependency fix.

Comments

@WParr3

WParr3 commented Mar 6, 2024

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am running the latest version of ImageSharp
  • I have verified whether the problem exists in both DEBUG and RELEASE mode
  • I have searched open and closed issues to ensure it has not already been reported

ImageSharp version

2.1.7

Other ImageSharp packages and versions

2.1.6

Environment (Operating system, version and so on)

Windows 10

.NET Framework version

6.0

Description

We are unable to run our build pipelines because when running the NuGet Restore command we are confronted with the error:
##[error]The nuget command failed with exit code(1) and error(NU1903: Warning As Error: Package 'SixLabors.ImageSharp' 2.1.6 has a known high severity vulnerability, https://github.com/advisories/GHSA-65x7-c272-7g7r

Upon inspecting the vulnerability on GitHub, we found the advisory page for the v2 package, informing us that this issue has been patched in version 2.1.7 (we are currently on 2.1.6): GHSA-65x7-c272-7g7r

However, upon updating the package using Visual Studio's NuGet Package Manager, it fails as version 2.1.7 is marked with the tag "Vulnerable", causing a rollback to occur during the update attempt.

Could this tag be removed from v2.1.7 so that we can proceed to update the package and subsequently run our CI/CD pipelines successfully once more?

Steps to Reproduce

  1. Open NuGet Package Manager in Visual Studio;
  2. Select package source: nuget(.org);
  3. Find the SixLabors.ImageSharp package;
  4. Check the projects for which you wish to update and select version 2.1.7 from the dropdown;
  5. Click the "Install" button;

Images

[screenshot attachment not reproduced in this extract]
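The restore failure in this report comes from NuGet's package audit comparing the installed version against the advisory's affected-version ranges and, with warnings treated as errors, turning the NU1903 warning into a failed build. The Python script below is an added example (not part of this issue, of ImageSharp, or of NuGet's own code) that models that check: it parses GHSA-style range strings such as ">= 2.0.0, < 2.1.7", flags a version that falls inside them, and maps advisory severity to NuGet's NU1901 to NU1904 codes. The advisory entries are constructed: ADVISORY_CORRECT uses the patched-in-2.1.7 boundary the report cites, and ADVISORY_OVERBROAD shows how an upper bound that still includes 2.1.7 makes the fixed version fail restore exactly as described above. The real advisory's data is not reproduced.

```python
import re
from typing import Dict, List, Tuple

# NuGet audit warning codes by advisory severity (NU1901 low ... NU1904 critical).
SEVERITY_CODES = {"low": "NU1901", "moderate": "NU1902", "high": "NU1903", "critical": "NU1904"}
SEVERITY_ORDER = ["low", "moderate", "high", "critical"]

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}
_CLAUSE = re.compile(r"^\s*(>=|<=|>|<|=)\s*([0-9][0-9A-Za-z.+-]*)\s*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.1.7' into (2, 1, 7). Pre-release/build suffixes are dropped and
    trailing zeros stripped so that 2.1 and 2.1.0 compare equal."""
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def in_range(version: str, range_text: str) -> bool:
    """True if version satisfies every comma-separated clause of a GHSA-style range."""
    v = parse_version(version)
    for clause in range_text.split(","):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unparseable range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def matching_advisories(version: str, advisories: List[Dict]) -> List[Dict]:
    """Advisories whose affected ranges include the given version."""
    return [a for a in advisories if any(in_range(version, r) for r in a["ranges"])]


def audit(version: str, advisories: List[Dict],
          audit_level: str = "low", warnings_as_errors: bool = True) -> Tuple[str, List[str]]:
    """Model the restore-time audit: ('ok', []) when nothing at or above
    audit_level matches, otherwise ('error' | 'warning', [NU19xx codes])."""
    min_idx = SEVERITY_ORDER.index(audit_level)
    codes = sorted({SEVERITY_CODES[a["severity"]]
                    for a in matching_advisories(version, advisories)
                    if SEVERITY_ORDER.index(a["severity"]) >= min_idx})
    if not codes:
        return "ok", []
    return ("error" if warnings_as_errors else "warning"), codes


# Constructed sample advisories (hypothetical ids; the real GHSA data is not reproduced).
ADVISORY_CORRECT = {"id": "GHSA-EXAMPLE-CORRECT", "severity": "high",
                    "ranges": [">= 2.0.0, < 2.1.7"]}        # patched in 2.1.7
ADVISORY_OVERBROAD = {"id": "GHSA-EXAMPLE-OVERBROAD", "severity": "high",
                      "ranges": [">= 2.0.0, <= 2.1.7"]}     # wrongly includes the fix

if __name__ == "__main__":
    for name, adv in (("correct", ADVISORY_CORRECT), ("over-broad", ADVISORY_OVERBROAD)):
        for ver in ("2.1.6", "2.1.7"):
            print(f"{name:10} {ver}: {audit(ver, [adv])}")
```

Running the script prints the outcome for 2.1.6 and 2.1.7 under both advisory variants. The warnings_as_errors flag mirrors a pipeline that promotes NU1903 to an error, and audit_level mirrors the minimum severity at which the audit reports at all; both knobs only change how loudly a match is reported, so a mis-specified range in the advisory data can only be corrected upstream, as the later comments in this thread note.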

@Gabriel2048

Gabriel2048 commented Mar 6, 2024

I am seeing the same issue: error NU1903: Package 'SixLabors.ImageSharp' 2.1.7 has a known high severity vulnerability, https://github.com/advisories/GHSA-65x7-c272-7g7r on .NET 8

@jizc

jizc commented Mar 6, 2024

I believe this will be resolved by this PR: github/advisory-database#3936

@kendallb

kendallb commented Mar 6, 2024

Same issue. Cannot migrate to 3.x as we are still on .NET 4.8. I assume we just upgrade to 2.1.7 and wait for the advisory to be fixed in GitHub/NuGet?

@JimBobSquarePants
Member

We had to wait for the advisory update to be merged. Should be fine now.

https://www.nuget.org/packages/SixLabors.ImageSharp/2.1.7
