Security warnings about usage of NuGet.Protocol v6.0 #2760
Comments
|
Welcome to the FAKE community! Thank you so much for creating your first issue and therefore improving the project! |
|
@Numpsy will you prepare a PR? |
|
Approved |
|
This stuff is never ending, versions 6.7.0 is showing as having issues now: GHSA-68w7-72jg-6qpp :-( |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
I created a CI build using FAKE 6 which also gets run through a Mend analysis, and it raised a warning about references to NuGet.Protocol v 6.0 which has known security vulnerabilities.
Looking at the listing for NuGet.Protocol on nuget.org, it seems that the 6.0.0 versions of all those libraries have actually been delisted due to issues, and several of the updates versions are listed as having issues themselves.
Given the delisting, I think it would be good to bump the version used?
Repro steps
Version 6.0 seems to be specified at https://github.com/fsprojects/FAKE/blob/13e30330cae0597aed6154a95a06d21716b18de3/paket.lock#L825C1-L825C9
Known workarounds
As i'm running the build via a .fsproj file, I can locally update the referances to a newer version if I have to.
Related information
Indications of severity
Nuget says the vulnerability is 'high severity'
Version of FAKE (4.X, 5.X, 6.x)
6.0
The text was updated successfully, but these errors were encountered: