Possible security vulnerability in AzureKeyVault provider #423

Closed
fgheysels opened this issue Nov 15, 2023 · 5 comments

Comments

@fgheysels
Member

The Azure KeyVault provider project has a (transitive) reference to Newtonsoft.Json 10.0.3, which apparently has a security vulnerability.

We should upgrade to a more recent version of Newtonsoft.Json. (10.0.3 already dates back to 2017!)

@fgheysels
Member Author

Maybe this is because we still use some deprecated packages in that project. Maybe one of those packages is the culprit?

@stijnmoreels
Member

> Maybe this is because we still use some deprecated packages in that project. Maybe one of those packages is the culprit?

Yes, that would be my guess as well, as we needed to be backwards compatible. But, with the new major version on .NET 8, we could possibly remove those.

@fgheysels
Member Author

I think it is important to have a look at it.
There are projects where customers refuse to use dependencies that have possible / known security issues.

@stijnmoreels
Member

Think this is done by: #424?

@fgheysels
Member Author

Indeed, this looks to be resolved. Thanks!
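
One way to find which direct reference drags in Newtonsoft.Json 10.0.3, as an added example that is not part of the issue or the project's code: it walks the dependency graph in a restore output file (`obj/project.assets.json`) and lists every chain that ends at the package. The embedded file is constructed, and every package name in it other than Newtonsoft.Json is hypothetical.

```python
import json

# Constructed sample in the layout of obj/project.assets.json (written by
# `dotnet restore`). Package names other than Newtonsoft.Json are hypothetical.
ASSETS = json.loads("""
{
  "targets": {
    "net6.0": {
      "Example.Legacy.KeyVault/3.0.0": {"type": "package",
        "dependencies": {"Example.Legacy.Rest": "1.4.0"}},
      "Example.Legacy.Rest/1.4.0": {"type": "package",
        "dependencies": {"Newtonsoft.Json": "10.0.3"}},
      "Example.Modern.Secrets/4.5.0": {"type": "package",
        "dependencies": {"Example.Core": "1.30.0"}},
      "Example.Core/1.30.0": {"type": "package"},
      "Newtonsoft.Json/10.0.3": {"type": "package"}
    }
  },
  "project": {"frameworks": {"net6.0": {"dependencies": {
    "Example.Legacy.KeyVault": {"target": "Package", "version": "[3.0.0, )"},
    "Example.Modern.Secrets": {"target": "Package", "version": "[4.5.0, )"}
  }}}}
}
""")

def chains_to(assets, framework, package):
    """Return every chain from a direct reference down to `package`."""
    # NuGet package ids are case-insensitive, so index by lower-cased name.
    resolved = {}
    for key, entry in assets["targets"][framework].items():
        name = key.split("/", 1)[0].lower()
        resolved[name] = (key, entry.get("dependencies", {}))
    found = []

    def walk(name, path):
        name = name.lower()
        if name not in resolved or resolved[name][0] in path:
            return  # not a resolved package, or a cycle in the graph
        label, deps = resolved[name]
        if name == package.lower():
            found.append(path + [label])
            return
        for dep in deps:
            walk(dep, path + [label])

    for direct in assets["project"]["frameworks"][framework]["dependencies"]:
        walk(direct, [])
    return found

if __name__ == "__main__":
    for chain in chains_to(ASSETS, "net6.0", "Newtonsoft.Json"):
        print(" -> ".join(chain))
```

The first element of each chain is the direct reference to upgrade or remove; `dotnet list package --include-transitive --vulnerable` reports the affected package itself but not the chain that leads to it.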
