Made transitive package SystemFormats.Asn1 a top-level package so tha… #37
zbalkan wants to merge 1 commit into TechnitiumSoftware:master
…t we can use latest version. The minimum version 5.0 had vulnerabilities.
Pull request overview
Pins System.Formats.Asn1 as a top-level dependency in TechnitiumLibrary.Security.Cryptography to allow updating beyond a vulnerable minimum transitive version.
Changes:
- Add an explicit `PackageReference` to `System.Formats.Asn1` (version `10.0.2`) in the cryptography project.
| </PropertyGroup> | ||
|
|
||
| <ItemGroup> | ||
| <PackageReference Include="System.Formats.Asn1" Version="10.0.2" /> |
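Review bot: The added `PackageReference` for `System.Formats.Asn1` in the new `<ItemGroup>` has no comment saying why a package that was previously transitive is now referenced directly. Without that, a later cleanup can remove it as apparently unused and silently return the project to the older transitive version. Add an XML comment above the reference stating that it exists only to raise the resolved version, and that it can be dropped once the package that pulls it in requires a fixed version itself.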
This adds a new direct NuGet dependency to the produced package. If the intent is only to override a transitive version for this project (and not force downstream consumers to take a dependency on System.Formats.Asn1), consider marking it as PrivateAssets="all" (or using an equivalent version-pinning approach) to avoid changing the dependency surface. Also double-check that the chosen 10.0.2 version is compatible with this project’s net9.0 target to prevent restore/runtime binding issues.

It's better to wait for the dotnet 10 update, or we can roll back to a dotnet 9 compatible but not vulnerable version.

.NET 10 is being planned in the next update or at most the one after it.

But the vulnerability is there. Since this is not used in DNS Server, the impact is related to your work, I believe. So, I can make the minor change the way you want.