
Fix vulnerabilities in dependencies

Open Muximize opened this issue 1 year ago • 1 comments

Description

Resolves 417 instances of 14 vulnerabilities in multiple versions of these 10 (transitive) dependencies:

Azure.Identity                   
Microsoft.Identity.Client        
Newtonsoft.Json                  
Npgsql                           
SixLabors.ImageSharp             
System.Formats.Asn1              
System.Net.Http                  
System.Security.Cryptography.Xml 
System.Text.Json                 
System.Text.RegularExpressions   

These stats are only for the framework solution, but the modules were also fixed. These were found using:

dotnet list package --vulnerable --include-transitive

Notes

Because it gets annoying to keep having to fix these in our project, I thought maybe I should fix it at the source 😇

Instead of just updating the vulnerable package versions, I did some cleanup to reduce the amount of transitive dependencies and to make the process of updating them easier in the future:

  • Some vulnerabilities are only present in the netstandard2.0 and netstandard2.1 targets of some dependencies. Because ABP 8 requires net8.0 anyway, I assume those targets can be safely dropped as an easy fix.
  • The AssetTargetFallback can then be dropped from projects too.
  • There are a bunch of unused dependencies that I removed, but there might be more of them.
  • Because IdentityServer4 is deprecated, there is no fix for its vulnerability. According to #11989 it should have been removed by now as OpenIddict became the default in ABP 6.
  • I also updated all other outdated dependencies I could find.

Muximize avatar Aug 17 '24 00:08 Muximize
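The per-instance / per-advisory / per-package numbers quoted in the description can be reproduced from the SDK's machine-readable report. The following is an added example, not code from this PR or the ABP project: it assumes the `--format json` layout of `dotnet list package` (projects → frameworks → topLevelPackages/transitivePackages → vulnerabilities with `severity` and `advisoryurl`), and the embedded report is a constructed sample. It also flags packages that are vulnerable only under netstandard targets, which is the case the description proposes dropping.

```python
import json
import sys
from collections import defaultdict

# Constructed sample report shaped like `dotnet list package --vulnerable --include-transitive --format json`.
SAMPLE_REPORT = json.dumps({
    "version": 1,
    "parameters": "--vulnerable --include-transitive",
    "projects": [{
        "path": "src/Example.Core/Example.Core.csproj",  # hypothetical project path
        "frameworks": [
            {"framework": "netstandard2.0", "topLevelPackages": [], "transitivePackages": [
                {"id": "System.Text.Json", "resolvedVersion": "6.0.0",
                 "vulnerabilities": [{"severity": "High", "advisoryurl": "https://example.invalid/adv-1"}]},
                {"id": "Newtonsoft.Json", "resolvedVersion": "12.0.3",
                 "vulnerabilities": [{"severity": "High", "advisoryurl": "https://example.invalid/adv-2"}]}]},
            {"framework": "net8.0", "topLevelPackages": [], "transitivePackages": [
                {"id": "Newtonsoft.Json", "resolvedVersion": "12.0.3",
                 "vulnerabilities": [{"severity": "High", "advisoryurl": "https://example.invalid/adv-2"}]}]},
        ]}]})


def summarise(report_json: str) -> dict:
    """Count vulnerability instances and distinct advisories, list affected packages,
    and list packages that are vulnerable only in netstandard target frameworks."""
    report = json.loads(report_json)
    instances, advisories = 0, set()
    frameworks_by_package = defaultdict(set)  # package id -> frameworks it is vulnerable in
    for project in report.get("projects", []):
        for fw in project.get("frameworks", []):
            for pkg in fw.get("topLevelPackages", []) + fw.get("transitivePackages", []):
                vulns = pkg.get("vulnerabilities") or []
                if not vulns:
                    continue
                instances += len(vulns)  # one instance per package/framework/advisory triple
                advisories.update(v["advisoryurl"] for v in vulns)
                frameworks_by_package[pkg["id"]].add(fw["framework"])
    netstandard_only = sorted(p for p, fws in frameworks_by_package.items()
                              if all(f.startswith("netstandard") for f in fws))
    return {"instances": instances, "distinct_advisories": len(advisories),
            "packages": sorted(frameworks_by_package), "netstandard_only": netstandard_only}


if __name__ == "__main__":
    # Usage: python check_vulns.py report.json   (no argument: uses the constructed sample above)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    summary = summarise(data)
    print(json.dumps(summary, indent=2))
    sys.exit(1 if summary["instances"] else 0)  # non-zero exit makes this usable as a CI gate
```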

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Aug 17 '24 00:08 CLAassistant

I rebased this on latest dev to fix a merge conflict.

Muximize avatar Sep 02 '24 08:09 Muximize

Great initiative, I was just going to open an issue because of transitive package vulnerabilities that I'd like to see fixed 👍

MichelZ avatar Sep 05 '24 08:09 MichelZ

@maliming I see now ABP is usually quite conservative in updating dependencies, so maybe you can skip the last commit, or cherry pick what you like in this PR.

Muximize avatar Sep 10 '24 17:09 Muximize

Thanks @Muximize

We will continue to support netstandard2.0 and netstandard2.1. And packages have been upgraded in https://github.com/abpframework/abp/pull/20960

I will cherry-pick your commit to a new Pull Request. 👍

maliming avatar Oct 15 '24 07:10 maliming