Updated package versions to eliminate vulnerable and deprecated transitive dependencies #976
Merged
…dependencies on ICU4N.Collation, ICU4N.CurrencyData, ICU4N.LanguageData, ICU4N.RegionData, and ICU4N.Transliterator because these have all been merged into the main assembly. Did minimal integration to fix compile errors.
…s just to pin the version
…dependency on System.Text.Json, since it was only used to pin the version
…kages on net6.0 and 8.0.0 for Microsoft.Extensions packages on net8.0
…System.Runtime.CompilerServices.Unsafe as it was only used to pin the version
… on net8.0. Only use 6.0.1 on net6.0 because lucene-cli is the only consumer. 6.0.0 has a vulnerability, so we must pin the version since we own the distribution.
…Services.RuntimeInformation and reference to System.Net.Http in net462
…cene.Net.CodeAnalysis.CSharp and Lucene.Net.CodeAnalysis.VisualBasic to ensure it is built prior to Lucene.Net
…asic): Added package references on System.Net.Http and System.Text.RegularExpressions
… dependencies NETStandardLibrary 1.6.1, System.Net.Http 4.3.4, and System.Text.RegularExpressions 4.3.1 because they have vulnerabilities.
…soft.Extensions.Configuration 8.x. In Lucene.Net.TestFramework and lucene-cli, we must reference Microsoft.Extensions.Configuration.Json 8.0.1 to avoid pulling in vulnerable transitive dependencies.
…ction.Abstractions to 8.0.0 and Microsoft.Extensions.DependencyInjection to 8.0.1 to be consistent with Microsoft.Extensions.Configuration
…ons to 2.1.1 because 2.0.0 has been deprecated
…1.1 on .NET Framework and 8.0.0 on other target frameworks
…ependency on System.Text.Encodings.Web to upgrade the version, since the version referenced by Microsoft.AspNetCore.Http.Abstractions is vulnerable and there is no upgrade.
…tCore.TestHost for the test target framework
…t472, added references to Microsoft.AspNetCore.Http and System.IO.Pipelines because the versions that Microsoft.AspNetCore.TestHost 2.1.1 references are vulnerable
…nce to System.Text.Json because the version that IKVM references transitively is vulnerable and we are blocked from upgrading IKVM due to disk space limitations on Azure DevOps.
…Xml to 8.0.1 to avoid bringing in vulnerable version of System.Formats.Asn1 by default.
…nstraint so we cannot depend on 3.x or higher (since it will break binary compatibility)
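A verification step for the situation these commits address, added here as an example (not code from the PR or the Lucene.NET project): it parses the table that `dotnet list package --vulnerable --include-transitive` prints and fails the build if vulnerable packages remain after pinning. The sample output is constructed; the package names echo the PR, but the versions and advisory URL are placeholders, and the column layout is assumed to match the dotnet CLI's table format.

```python
"""Gate a build on `dotnet list package --vulnerable --include-transitive` output."""
import re
from dataclasses import dataclass

SEVERITY_RANK = {"Low": 1, "Moderate": 2, "High": 3, "Critical": 4}

@dataclass(frozen=True)
class Finding:
    project: str
    tfm: str
    package: str
    resolved: str
    severity: str
    transitive: bool

# Constructed sample output, not a real scan: versions and advisory URL are placeholders.
SAMPLE_OUTPUT = """\
The following sources were used:
   https://api.nuget.org/v3/index.json

Project `Lucene.Net.TestFramework` has the following vulnerable packages
   [net6.0]:
   Transitive Package      Resolved   Severity   Advisory URL
   > System.Text.Json      6.0.0      High       https://github.com/advisories/GHSA-PLACEHOLDER

   [net8.0]:
   Top-level Package       Requested   Resolved   Severity   Advisory URL
   > System.Formats.Asn1   8.0.0       8.0.0      High       https://github.com/advisories/GHSA-PLACEHOLDER

Project `Lucene.Net` has no vulnerable packages given the current sources.
"""

PROJECT_RE = re.compile(r"^Project `([^`]+)` has the following vulnerable packages")
TFM_RE = re.compile(r"^\s*\[([^\]]+)\]:")
ROW_RE = re.compile(r"^\s*>\s+(\S+)\s+(.*)$")

def parse_vulnerable(output: str) -> list[Finding]:
    """Walk the report, tracking project, target framework and table kind per row."""
    findings, project, tfm, transitive = [], None, None, False
    for line in output.splitlines():
        if m := PROJECT_RE.match(line):
            project = m.group(1)
        elif m := TFM_RE.match(line):
            tfm = m.group(1)
        elif "Transitive Package" in line:
            transitive = True
        elif "Top-level Package" in line:
            transitive = False
        elif (m := ROW_RE.match(line)) and project and tfm:
            name, cols = m.group(1), m.group(2).split()
            # Top-level rows carry Requested+Resolved, transitive rows only Resolved;
            # in both, Severity is the column just before the advisory URL.
            findings.append(Finding(project, tfm, name, cols[-3], cols[-2], transitive))
    return findings

def gate(findings, min_severity="High", transitive_only=False):
    """Return the findings that should fail the build (empty list means pass)."""
    floor = SEVERITY_RANK[min_severity]
    return [f for f in findings
            if SEVERITY_RANK.get(f.severity, 0) >= floor and (f.transitive or not transitive_only)]
```

Run it against live output by piping `dotnet list package --vulnerable --include-transitive` into `parse_vulnerable` and exiting non-zero when `gate` returns anything.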
paulirwin approved these changes on Oct 21, 2024
Updated package versions to eliminate vulnerable and deprecated transitive dependencies.