
System.ServiceModel.Primitives 8.0.0 transitively uses vulnerable package System.Security.Cryptography.Pkcs 6.0.1

Open flo-so opened this issue 2 years ago • 5 comments

System.ServiceModel.Primitives 8.0.0 has dependency System.Security.Cryptography.Xml >= 6.0.1.

System.Security.Cryptography.Xml 6.0.1 has dependency System.Security.Cryptography.Pkcs 6.0.1, which is marked vulnerable.

Visual Studio 2022 transitive package installation installs minimum required package version, which is the vulnerable version.

Please update package dependencies of System.ServiceModel.Primitives 8.0.0.

flo-so avatar Jan 16 '24 14:01 flo-so

Similar issue is in System.ServiceModel.Primitives 6.2.0.

miksh7 avatar Feb 22 '24 19:02 miksh7

It's especially odd that the 8.0.0 version, which only targets net8.0, would depend on .NET 6 packages instead of .NET 8 ones.

Zastai avatar May 10 '24 12:05 Zastai

What would have to be changed to use the current dependency? Is it necessary at all to explicitly state the version? The package should be contained in the runtime directly.

lukasmichel avatar Jul 04 '24 09:07 lukasmichel

Why does the .NET 8 dependency list include a .NET 6 package? There are older packages with dependency specifications for the older stuff. This feels like a lifecycle violation.

davidgvh avatar Jul 18 '24 15:07 davidgvh

@HongGit Friendly ping since there is still no documented workaround (to either use [email protected] or [email protected]+). So an official fix or at least a note would be appreciated.

Falco20019 avatar Oct 11 '24 09:10 Falco20019
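
The resolution behaviour described in the opening post, and the effect of pinning the transitive package with a direct reference as the last comment alludes to, sketched as an added example (not part of the thread and not the project's code). It is a simplified model of NuGet's "lowest applicable version" and "direct dependency wins" rules; the graph uses only the versions named in the issue, and `PATCHED` is a constructed placeholder, not a real release number.

```python
# Simplified model of NuGet transitive resolution (added illustration).
# Assumptions: only ">= minimum" constraints, no downgrade warnings, no floating versions.

def parse(version):
    """Turn '6.0.1' into (6, 0, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

# (package, version) -> [(dependency, minimum version)], as stated in the issue
GRAPH = {
    ("System.ServiceModel.Primitives", "8.0.0"):
        [("System.Security.Cryptography.Xml", "6.0.1")],
    ("System.Security.Cryptography.Xml", "6.0.1"):
        [("System.Security.Cryptography.Pkcs", "6.0.1")],
}
# Advisory data as reported in the issue
VULNERABLE = {("System.Security.Cryptography.Pkcs", "6.0.1")}
PATCHED = "6.0.99"  # constructed placeholder: substitute the real fixed version

def resolve(direct):
    """direct: {package: version} from the project file -> full resolved set."""
    resolved = dict(direct)
    queue = list(direct.items())
    while queue:
        package, version = queue.pop(0)
        for dep, minimum in GRAPH.get((package, version), []):
            if dep in direct:
                continue  # a direct reference overrides the transitive request
            current = resolved.get(dep)
            # lowest applicable version: take the minimum that satisfies all requests
            if current is None or parse(minimum) > parse(current):
                resolved[dep] = minimum
                queue.append((dep, minimum))
    return resolved

def vulnerable(resolved):
    """Names of resolved packages whose exact version has an advisory."""
    return sorted(p for p, v in resolved.items() if (p, v) in VULNERABLE)

if __name__ == "__main__":
    default = resolve({"System.ServiceModel.Primitives": "8.0.0"})
    pinned = resolve({"System.ServiceModel.Primitives": "8.0.0",
                      "System.Security.Cryptography.Pkcs": PATCHED})
    print("default:", default, "->", vulnerable(default))
    print("pinned: ", pinned, "->", vulnerable(pinned))
```
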