Replace NuGet references with known security risks
The referenced NuGet package NETStandard.Library 1.6.1 references 2 NuGet packages that have known security risks.
- System.Net.Http 4.3.0
- System.Text.RegularExpressions 4.3.0
This could be solved, for example, by updating NETStandard.Library to 2.0.3.
Is there any maintainer for this repository? There has been no update since 2022.
I really have no time to do something. It is not a critical issue. When you reference this library, the current version of .NETStandard is used. The library itself does not use any of these dependencies. But I understand that automatic tools can throw a warning about this.
I am still trying to find time, possibility and desire to check issues and update the library.
@force-net Thank you for the library! While I understand not having time for anything (same camp here), please do not neglect security issues. It is basically waving your hand, "oh, this security issue, pretty normal". One day you wave your hand one time too many.
As a workaround I simply forced the install of the NuGet packages DeepCloner uses; of course, having this right in DeepCloner would be better :-).
Hey @force-net
Would you accept/review pull requests that fix this issue? I don't mind taking a look to fix this.
I just don't like to see this warning.
I think we should close this issue. Just add the updated dependency to your app.
This project has no package dependencies, just netstandard. The dependency giving you this warning is a transitive package reference. We should not bump the TFM to resolve this, and it's really questionable to take on a package reference we don't need to resolve this. I get that it's annoying, but I feel like it's the consumer's responsibility.
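The consumer-side workaround described in the comments above (add the updated dependency to your own app), written out as an added example that is not part of this thread or of the DeepCloner project; the DeepCloner version is a placeholder, the net8.0 target is an assumption, and the audit properties assume an SDK recent enough to support NuGetAudit:

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <!-- Audit transitive packages too, not only direct references
         (older SDKs default to auditing direct references only). -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <!-- Fail the build on high/critical advisories (NU1903/NU1904)
         instead of only warning, so the problem cannot be waved away. -->
    <WarningsAsErrors>$(WarningsAsErrors);NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Placeholder version: use the version your app actually pins. -->
    <PackageReference Include="DeepCloner" Version="X.Y.Z" />

    <!-- A direct reference wins over the transitive NETStandard.Library 1.6.1
         pulled in by DeepCloner (NuGet "nearest wins" resolution), so
         System.Net.Http 4.3.0 and System.Text.RegularExpressions 4.3.0 drop
         out of the resolved dependency graph. -->
    <PackageReference Include="NETStandard.Library" Version="2.0.3" />
  </ItemGroup>

</Project>
```

After `dotnet restore`, `dotnet list package --vulnerable --include-transitive` should no longer report the two packages.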
I've hard-forked the library into FastCloner with full support for netstandard2.0. Tests are upped to ~300 and most of the issues here are solved, as well as in some similar libraries. The new library aims to smooth many of the rough edges, feel free to check it out. Contributions are welcome, the license is still the same! ⭐