SqlClient 5.14 currently relies on transient packages that have vulnerabilities.
Microsoft.IdentityModel.JsonWebTokens is being referenced at version 6.24.0, which currently is vulnerable.
Microsoft.IdentityModel.Protocols.OpenIdConnect is being referenced at version 6.24.0, which has a dependency of System.IdentityModel.Tokens.Jwt, which is vulnerable.
Could these packages please be updated to non-vulnerable versions?
In corporate software for checking vulnerabilities in dependencies, Mend (previously Whitesource) - in every lib in which I use Microsoft.Data.SqlClient I need to also manually install Azure.Core and now also System.IdentityModel.Tokens.Jwt.
Will it be possible to introduce in M$ such a process that whenever some vulnerability is found in some package, all M$ packages dependent on the vulnerable package will be released with a new dependency? Any ideas how to be safe by design instead of pushing that onto the shoulders of developers? Can M$ libraries use semantic versioning like in nodejs, similar to the ^ or ~ prefix, instead of hardcoded strict numbers in dependencies?