Security alerts on MQTTnet.AspNetCore #1943
Comments
We should maybe check these dependencies within the project itself. With the following settings in the project's this can be checked automatically within Visual Studio:

```xml
<NoWarn>NU1803;NU1901;NU1902</NoWarn>
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
<NuGetAuditMode>all</NuGetAuditMode>
<NuGetAudit>true</NuGetAudit>
```

Explanation:
@chkr1011 Just as an idea to get notified when such issues occur in the future. Read https://learn.microsoft.com/en-us/nuget/concepts/auditing-packages for detailed information.
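As an added example (not from the comment above or from the MQTTnet project), the same audit settings applied solution-wide from a Directory.Build.props file, using NuGetAuditLevel in place of the NoWarn entries for NU1901/NU1902. The file name and the decision to keep NU1803 suppressed are assumptions; the property names and warning codes are the ones documented by NuGet.

```xml
<!-- Directory.Build.props (assumed file name): MSBuild imports it into every
     project below this directory, so the audit applies to the whole solution. -->
<Project>
  <PropertyGroup>
    <!-- Run the NuGet vulnerability audit on every restore. -->
    <NuGetAudit>true</NuGetAudit>
    <!-- "all" audits transitive packages as well as direct PackageReferences;
         "direct" would not have caught the alerts reported in this issue,
         which all sit in transitive dependencies. -->
    <NuGetAuditMode>all</NuGetAuditMode>
    <!-- Report only advisories of this severity or higher. The warning codes
         map to severities: NU1901 low, NU1902 moderate, NU1903 high,
         NU1904 critical. "high" has the same effect as NoWarn NU1901;NU1902
         above, without listing the codes by hand. -->
    <NuGetAuditLevel>high</NuGetAuditLevel>
    <!-- Turn the remaining audit warnings into build failures. -->
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
    <!-- NU1803 (restore is using an HTTP package source) is not an audit
         warning; it is kept suppressed here only as an assumption that such a
         source is intentional. Appending to $(NoWarn) preserves existing entries. -->
    <NoWarn>$(NoWarn);NU1803</NoWarn>
  </PropertyGroup>
</Project>
```

The audit runs during restore, so `dotnet restore` (and therefore `dotnet build`) fails as soon as a high or critical advisory is published for any package in the graph, and the NU190x message carries the advisory URL. To see which top-level package pulls a flagged transitive package in, `dotnet list package --vulnerable --include-transitive` prints the resolved versions per target framework.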
Support for old versions is dropped in version 5 of the library so that the warnings will also disappear.
Does dropping support mean that there is no longer any possibility to use MQTTnet with net48 or netstandard2.0? .NET 48 as such will still be supported by Microsoft for several years; there is no end date announced yet: https://learn.microsoft.com/en-us/lifecycle/products/microsoft-net-framework.
I would say yes.
Version 5 of the library will support .NET 8+ only.
PR is here: #2016.
Should be done with #2016.
Describe the feature request
Analyzing our application with Mend.io revealed 4 security alerts from transitive libraries brought in with MQTTnet.AspNetCore.
Which project is your feature request related to?
MQTTnet.AspNetCore 4.3.3.952
Describe the solution you'd like
Upgrading required libraries in the NuGet spec. My temporary workaround is to add the following package references to my project file:
Describe alternatives you've considered
Upgrading higher level NuGets to fix the issues, as microsoft.aspnetcore.http.connections.1.1.0 depends on multiple of these libraries.
microsoft.aspnetcore.http.connections.1.1.0 -> microsoft.aspnetcore.websockets.2.2.0 -> system.net.websockets.websocketprotocol.4.5.1
microsoft.aspnetcore.http.connections.1.1.0 -> newtonsoft.json.11.0.2
Additional context