I observed a number of NuGet packages with known medium and high vulnerabilities in the latest release 13.2. Does Asp.Net Zero do any vulnerability scanning before a release?
Specifically I detected these vulnerabilities:
- system.text.regularexpressions.4.3.0.nupkg
- microsoft.identitymodel.jsonwebtokens.6.15.0.nupkg
- bouncycastle.cryptography.2.3.0.nupkg
- system.text.json.8.0.3.nupkg
- system.text.regularexpressions.4.3.0.nupkg
- Azure.Identity 1.11.2
Please confirm that you are aware of these NuGet packages with vulnerabilities?
Please let me know if or when these packages are updated in the Asp.Net Zero .Net 8 solution?
Br. Tom Andersen
4 Answer(s)
-
0
Hi @henriksorensen
We upgrade all NuGet packages in each version. The new version of AspNet Zero (13.3) will be released today or tomorrow.
-
0
Thanks for a quick response! Looking forward to the new release. Some of these vulnerabilities are due to transitive dependencies and may need a bit of work apart from upgrading the direct dependencies. I'll try the new release next week.
Br. Tom
-
0
Hi,
The new release is out. If you can create an issue on https://github.com/aspnetzero/aspnet-zero-core, we will also check this issue.
-
0
Hi, thanks for the new release. Looks good! One vulnerability remains in the backend code: System.Text.RegularExpressions 4.3.0 (High) https://github.com/advisories/GHSA-cmhx-cq75-c4mj. It is a transitive package in all projects. The fix is to explicitly take a dependency on System.Text.RegularExpressions 4.3.1.
I'll create an issue on GitHub.
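The triage step behind the last post, as an added example that is not from the thread or the AspNet Zero project: it reads the JSON report that `dotnet list package --vulnerable --include-transitive --format json` produces, keeps only transitive packages at or above a severity floor (those are the ones a direct-package bump does not fix), and prints the explicit `PackageReference` pin that lifts each one to a patched version. The report below is constructed to mirror the finding in the thread; its schema and the project path are assumptions.

```python
import json

# Constructed sample of `dotnet list package --vulnerable --include-transitive --format json`
# output. Schema is assumed from the NuGet CLI; values mirror the finding in the thread.
SAMPLE_REPORT = json.dumps({
    "version": 1,
    "parameters": "--vulnerable --include-transitive",
    "projects": [{
        "path": "src/MyCompany.Web.Host/MyCompany.Web.Host.csproj",  # assumed path
        "frameworks": [{
            "framework": "net8.0",
            "topLevelPackages": [],
            "transitivePackages": [{
                "id": "System.Text.RegularExpressions",
                "resolvedVersion": "4.3.0",
                "vulnerabilities": [{
                    "severity": "High",
                    "advisoryurl": "https://github.com/advisories/GHSA-cmhx-cq75-c4mj"
                }]
            }]
        }]
    }]
})

# NuGet's severity labels, ranked so a floor can be applied.
SEVERITY_RANK = {"Low": 1, "Moderate": 2, "High": 3, "Critical": 4}

def vulnerable_transitives(report_json, min_severity="Moderate"):
    """Return (project, framework, package id, version, severity, advisory) for each
    transitive package at or above min_severity. Direct packages are skipped because
    a normal version bump fixes those; transitives need an explicit PackageReference."""
    report = json.loads(report_json)
    floor = SEVERITY_RANK[min_severity]
    findings = []
    for project in report.get("projects", []):
        for fw in project.get("frameworks", []):
            for pkg in fw.get("transitivePackages", []):
                for vuln in pkg.get("vulnerabilities", []):
                    if SEVERITY_RANK.get(vuln["severity"], 0) >= floor:
                        findings.append((project["path"], fw["framework"], pkg["id"],
                                         pkg["resolvedVersion"], vuln["severity"],
                                         vuln["advisoryurl"]))
    return findings

def pin_items(findings, fixed_versions):
    """Emit the <PackageReference> lines that lift each flagged transitive package to
    a patched version; fixed_versions maps package id -> patched version."""
    ids = sorted({f[2] for f in findings})
    return [f'<PackageReference Include="{i}" Version="{fixed_versions[i]}" />'
            for i in ids if i in fixed_versions]

if __name__ == "__main__":
    found = vulnerable_transitives(SAMPLE_REPORT)
    for finding in found:
        print(finding)
    for line in pin_items(found, {"System.Text.RegularExpressions": "4.3.1"}):
        print(line)
```

The emitted `PackageReference` lines go into the affected projects' `.csproj` (or a shared props file) so NuGet resolves the patched version instead of the transitive 4.3.0.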