Microsoft.Azure.Cosmos references many out of support and vulnerable package versions. #4674

Open

Description

Describe the bug
Microsoft.Azure.Cosmos references many packages which are out of support and vulnerable.

To Reproduce
Create a new project with the latest .NET 9.0 preview SDK which includes NuGet audit for security vulnerabilities. Add a reference to <PackageReference Include="Microsoft.Azure.Cosmos" Version="3.43.0"/> and restore the project.

Expected behavior
No warnings when restoring.

Actual behavior
The following warnings occur:

    C:\scratch\azureCosmos\azureCosmos.csproj : warning NU1903: Package 'Newtonsoft.Json' 10.0.2 has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr
    C:\scratch\azureCosmos\azureCosmos.csproj : warning NU1903: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
    C:\scratch\azureCosmos\azureCosmos.csproj : warning NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj

Environment summary
SDK Version: 3.43.0
.NET SDK: 9.0.0-preview.7.24405.7
OS Version: Windows 11 23H2

Additional context
See https://learn.microsoft.com/en-us/nuget/concepts/auditing-packages
https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/
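An added project file, not part of the issue or of the Cosmos SDK repository, that reproduces the restore described above and shows the workaround a consuming project can apply in the meantime: pin the three flagged transitive packages to patched versions via direct references (nearest-wins resolution makes the direct version take precedence) and turn NU1903 into a restore error so the regression is caught in CI. The NuGetAudit properties are NuGet's own; the patched version numbers are an assumption taken from the linked advisories, so verify them against the advisory text before relying on them.

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net9.0</TargetFramework>

    <!-- NuGet audit: check direct and transitive packages, report from
         moderate severity up, and fail restore (not just warn) on NU1903,
         the high-severity warning shown in the report. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>moderate</NuGetAuditLevel>
    <WarningsAsErrors>$(WarningsAsErrors);NU1903</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- The reference from the bug report; with only this line present,
         restore emits the three NU1903 warnings listed in the issue. -->
    <PackageReference Include="Microsoft.Azure.Cosmos" Version="3.43.0" />

    <!-- Workaround for the consuming project until the SDK updates its own
         dependencies: a direct reference overrides the transitive version,
         so the flagged packages resolve to patched releases instead.
         Version numbers are assumed from the advisories linked above. -->
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="System.Net.Http" Version="4.3.4" />
    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
  </ItemGroup>

</Project>
```

Run `dotnet restore` twice, once with the three override references commented out and once with them in place, to see the warnings appear and then disappear; the override only changes what this application loads and does not change what the SDK package itself declares.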

Metadata

Assignees: none
Type: none
Projects: Status Approved
Milestone: none
Relationships: none yet
Development: no branches or pull requests