
Hangfire.Console has a dependency to versions of Hangfire.Core with known vulnerabilities #121

Open
joacimsvensson opened this issue Jun 16, 2022 · 2 comments

Comments

@joacimsvensson

The dependency to Hangfire.Core should be elevated to version 1.7.3 and above. Versions of Hangfire.Core below that are vulnerable to cross-site scripting: https://ossindex.sonatype.org/vulnerability/sonatype-2019-0260?component-type=nuget&component-name=Hangfire.Core

@pieceofsummer
Owner

I don’t really think forcing security updates for Hangfire.Core is a job for extensions like Console, unless a vulnerability somehow affects or is related to the extension itself.

The extension only specifies the minimum version it can work with. It is your job as a developer/maintainer to keep packages used by your project up-to-date.

@novacema

Hello!
I agree that it is your job as a developer to keep the packages used by your project updated.

On the other hand, if I find packages in a codebase that use transitive packages that report a vulnerability, this can lead to people no longer trusting the package.

"dotnet list ./ package --vulnerable --include-transitive"
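An added example (not from the thread or from Hangfire.Console) of what a maintainer can do with the output of that command in CI: parse the report, tell top-level findings apart from transitive ones, and compare the resolved version of a package against the first fixed version named in the thread (1.7.3 for Hangfire.Core). The sample output, the project name, the top-level package and the severities are constructed for illustration; the advisory URL is the one from this issue.

```python
import re
from dataclasses import dataclass

# Constructed sample of `dotnet list package --vulnerable --include-transitive`
# output. Project name, ExamplePackage, versions and severities are made up.
SAMPLE_OUTPUT = """\
Project `WebApp` has the following vulnerable packages
   [net6.0]:
   Top-level Package      Requested   Resolved   Severity   Advisory URL
   > ExamplePackage       2.0.0       2.0.0      High       https://example.invalid/advisory
   Transitive Package      Resolved   Severity   Advisory URL
   > Hangfire.Core         1.7.0      Moderate   https://ossindex.sonatype.org/vulnerability/sonatype-2019-0260
"""

# First fixed version per package, as stated in this issue for Hangfire.Core.
FIXED_VERSIONS = {"Hangfire.Core": "1.7.3"}

@dataclass
class Finding:
    project: str
    framework: str
    package: str
    resolved: str
    transitive: bool  # pulled in via another package, not referenced directly

def parse_version(v):
    """NuGet-style version key: numeric core padded to 4 parts; a prerelease
    tag (1.7.3-beta) sorts before the corresponding release (1.7.3)."""
    core, _, pre = v.partition("-")
    nums = [int(p) for p in core.split(".")]
    nums += [0] * (4 - len(nums))
    return (tuple(nums), 0 if pre else 1, pre)

def parse_vulnerable_output(text):
    findings, project, framework, transitive = [], None, None, False
    for raw in text.splitlines():
        s = raw.strip()
        if m := re.match(r"Project `(.+?)` has the following vulnerable packages", s):
            project = m.group(1)
        elif m := re.match(r"\[(.+?)\]:", s):
            framework = m.group(1)
        elif s.startswith("Top-level Package"):
            transitive = False
        elif s.startswith("Transitive Package"):
            transitive = True
        elif s.startswith(">"):
            cols = s[1:].split()
            # Top-level rows carry Requested and Resolved; transitive rows only Resolved.
            resolved = cols[1] if transitive else cols[2]
            findings.append(Finding(project, framework, cols[0], resolved, transitive))
    return findings

def below_fixed(finding, fixed_versions=FIXED_VERSIONS):
    """True when the resolved version is older than the known fixed version."""
    fixed = fixed_versions.get(finding.package)
    return fixed is not None and parse_version(finding.resolved) < parse_version(fixed)
```

A transitive finding below the fixed version is resolved in the consuming project (a direct PackageReference at or above 1.7.3), which is the consumer-side responsibility the maintainer describes above.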
