Cannot update to v2.1.7 due to vulnerability tag #2689

@WParr3

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am running the latest version of ImageSharp
  • I have verified if the problem exists in both DEBUG and RELEASE mode
  • I have searched open and closed issues to ensure it has not already been reported

ImageSharp version

2.1.7

Other ImageSharp packages and versions

2.1.6

Environment (Operating system, version and so on)

Windows 10

.NET Framework version

6.0

Description

We are unable to run our build pipelines because when running the NuGet Restore command we are confronted with the error:
##[error]The nuget command failed with exit code(1) and error(NU1903: Warning As Error: Package 'SixLabors.ImageSharp' 2.1.6 has a known high severity vulnerability, https://github.com/advisories/GHSA-65x7-c272-7g7r

Upon inspecting the vulnerability on GitHub, we found the advisory page for the v2 package, stating that this issue has been patched in version 2.1.7 (we are currently on 2.1.6): GHSA-65x7-c272-7g7r

However, upon updating the package using Visual Studio's NuGet Package Manager, it fails as version 2.1.7 is marked with the tag "Vulnerable", causing a rollback to occur during the update attempt.

Could this tag be removed from v2.1.7 so that we can proceed to update the package and subsequently run our CI/CD pipelines successfully once more?

Steps to Reproduce

  1. Open NuGet Package Manager in Visual Studio;
  2. Select package source: nuget(.org);
  3. Find the SixLabors.ImageSharp package;
  4. Check the projects for which you wish to update and select version 2.1.7 from the dropdown;
  5. Click the "Install" button;
