After creating Razor Pages with Individual, "Azure.Identity" 1.7.0 is added and identified as a vulnerable package. #2203

Closed
v-elenafeng opened this issue Nov 2, 2023 · 4 comments
Labels
2️⃣ Duplicate Issue/PR that is a duplicate and already exists.

Comments

@v-elenafeng

INSTALL STEPS

  1. Clean machine: Win11 x64 22h2 ENU
  2. Install Dev17.8 GA VAL (Includes SDK 8.0.100), Web workload

REPRO STEPS

  1. File > New project > ASP.NET Core Web App (Razor Pages) > .NET 8.0 > Individual Account > Create
  2. Go to Manage NuGet Packages

ACTUAL
It shows that a vulnerable package is installed. If you check the 'Show only vulnerable' checkbox, then you can see that the warning is because the 'Microsoft.EntityFrameworkCore.SqlServer.8.0.0' package has a dependency on Azure.Identity 1.7.0, which has been detected as the vulnerable package.

EXPECTED
The 'Microsoft.EntityFrameworkCore.SqlServer.8.0.0' package should be updated to depend on a newer version of Azure.Identity that is not vulnerable.

@ajcvickers ajcvickers transferred this issue from dotnet/efcore Nov 2, 2023
@ajcvickers

This is a SqlClient dependency. Once SqlClient updates its dependency, then EF can update to that.

@shenjiawei

> This is a SqlClient dependency. Once SqlClient updates its dependency, then EF can update to that.

Do we have a timeline on when the update will be released?

@ErikEJ
Contributor

ErikEJ commented Nov 2, 2023

@shenjiawei The update is in SqlClient 5.2 preview 4, due in November

@DavoudEshtehari DavoudEshtehari added the 2️⃣ Duplicate Issue/PR that is a duplicate and already exists. label Nov 3, 2023
@DavoudEshtehari
Contributor

DavoudEshtehari commented Nov 3, 2023

Duplicate of #2195, and will be published with the next preview (MDS 5.2-preview4).
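
Added example, not part of the thread and not code from EF Core or SqlClient: a small Python tracer that reads a restored `project.assets.json` and lists every chain from a direct package reference down to a flagged transitive package, which is how the EF Core -> SqlClient -> Azure.Identity relationship discussed above can be confirmed. The function name `dependency_paths` and the sample file are constructed for illustration, and the SqlClient version is a placeholder because the thread does not state it.

```python
import json

# Constructed, trimmed project.assets.json (written to obj/ by NuGet restore).
# The SqlClient version is a placeholder: the thread does not state it.
SAMPLE_ASSETS = json.loads("""
{"targets": {"net8.0": {
   "Microsoft.EntityFrameworkCore.SqlServer/8.0.0": {
     "type": "package",
     "dependencies": {"Microsoft.Data.SqlClient": "0.0.0-placeholder"}},
   "Microsoft.Data.SqlClient/0.0.0-placeholder": {
     "type": "package",
     "dependencies": {"Azure.Identity": "1.7.0"}},
   "Azure.Identity/1.7.0": {"type": "package"}}},
 "project": {"frameworks": {"net8.0": {"dependencies": {
   "Microsoft.EntityFrameworkCore.SqlServer":
     {"target": "Package", "version": "[8.0.0, )"}}}}}}
""")


def dependency_paths(assets, framework, package, version):
    """Return every chain from a direct PackageReference to package/version."""
    resolved = {}  # lower-cased package id -> (id, resolved version, dependency ids)
    for key, lib in assets["targets"][framework].items():
        name, ver = key.split("/", 1)
        resolved[name.lower()] = (name, ver, list(lib.get("dependencies", {})))
    direct = assets["project"]["frameworks"][framework].get("dependencies", {})
    paths = []

    def walk(name, chain, seen):
        entry = resolved.get(name.lower())
        if entry is None or name.lower() in seen:
            return  # not restored for this framework, or a dependency cycle
        pkg, ver, deps = entry
        chain = chain + [f"{pkg}/{ver}"]
        if pkg.lower() == package.lower() and ver == version:
            paths.append(chain)  # reached the flagged package
            return
        for dep in deps:
            walk(dep, chain, seen | {name.lower()})

    for name in direct:
        walk(name, [], frozenset())
    return paths


if __name__ == "__main__":
    for path in dependency_paths(SAMPLE_ASSETS, "net8.0", "Azure.Identity", "1.7.0"):
        print(" -> ".join(path))
```

On a real project, pass the parsed contents of `obj/project.assets.json`; `dotnet list package --vulnerable --include-transitive` reports the same flagged package from the CLI.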
