NuGet dependency vulnerabilities

[jmisharp]

Current version 6.2.1 of the Respawn package has a security vulnerability because of an old dependency to Microsoft.Data.SqlClient, that has a dependency to [email protected].

.NET Core Remote Code Execution Vulnerability (This package is used under: [email protected]>[email protected]>[email protected]>[email protected]>[email protected]>[email protected])

Please update to mitigate this vulnerability.

CVE description: https://nvd.nist.gov/vuln/detail/CVE-2021-24112

[alexTr3]

there is also azure core identity that is referenced for no reasons.. REMOVE THIS ASAP..

[Thijmen]

Follow this as well - can we get a fix in for this?

[Thijmen]

For those running into this, I fixed this by adding the dependency with the proper version (in my case it was Azure.Identity)

  <ItemGroup>
    <!-- Fixes for transitive dependencies -->
    <PackageReference Include="Azure.Identity" />
  </ItemGroup>

And then make sure to add the proper version in your Directory.Packages.prop

[Thijmen]

While I also can understand that you also fix direct CVE's - please understand that the SqlClient imports some very old outdated stuff with a lot of CVE's. It would help us tremendously to update this package, to keep our projects maintainable.