Nuget platform - current version
KrzysztofPajak opened this issue
Are there any plans to upgrade the packages on the NuGet platform?
@KrzysztofPajak probably in the near future, but there are only a few commits since the last version. I've been busy with work and other projects so not many changes here lately.
There have been a fair amount of changes since the last Nuget release, including specifically the Newtonsoft update to v13.0.1 to fix GHSA-5crp-9r3c-p9vr and the SqlClient updates to fix GHSA-8g2p-5pqh-5jmc.
If Myget is the place to get updates that's fine, but maybe the readme could use an update to put that front and center, as I think most folks will default to Nuget.
@fuzzzerd I may get to a new release this week, but be aware: MiniProfiler doesn't need to update for those security fixes at all - you can reference any compatible version (e.g. as long as there's no breaking change) of any transitive dependency directly to upgrade it immediately. This applies to any library - if that weren't the case then every library everywhere would have to be constantly updating for all CVEs in any dependency no matter how deep in the tree.
Understood. Thank you. I use System.Text.Json and recently added MiniProfiler (which is fantastic by the way) and was surprised to get security warnings regarding Newtonsoft until I traced it to a transitive dependency.
There's now a 4.3.8 release on NuGet with latest changes :) I can't promise regular updates yet, but trying to find more consistent time to make sure things are up to date here.
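The tracing described in the thread (finding which direct reference pulls in a vulnerable transitive package, and whether the resolved version is below the fixed one) can be done against a project's `packages.lock.json`. This is an added example, not code from MiniProfiler or from anyone in the thread. It assumes the project has lock files enabled (`RestorePackagesWithLockFile`); the package graph and version numbers in the sample are constructed, and only the fixed version 13.0.1 comes from the discussion.

```python
import json

# Constructed packages.lock.json excerpt: the dependency graph and the
# version numbers are illustrative, not copied from a real project.
SAMPLE_LOCK = json.loads("""
{"version": 1, "dependencies": {"net6.0": {
  "MiniProfiler.AspNetCore.Mvc": {"type": "Direct", "resolved": "4.2.22",
    "dependencies": {"MiniProfiler.AspNetCore": "4.2.22"}},
  "MiniProfiler.AspNetCore": {"type": "Transitive", "resolved": "4.2.22",
    "dependencies": {"MiniProfiler.Shared": "4.2.22"}},
  "MiniProfiler.Shared": {"type": "Transitive", "resolved": "4.2.22",
    "dependencies": {"Newtonsoft.Json": "10.0.3"}},
  "Newtonsoft.Json": {"type": "Transitive", "resolved": "10.0.3"}
}}}
""")

def version_key(v):
    """Numeric sort key for plain x.y.z versions (prerelease tag ignored)."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def trace(lock, package, fixed):
    """For each target framework, report the resolved version of `package`,
    whether it is below `fixed`, and every chain from a Direct reference
    down to it. A one-element chain means it is referenced directly."""
    report = {}
    for tfm, pkgs in lock["dependencies"].items():
        if package not in pkgs:
            continue
        def walk(name, path):
            if name == package:
                return [path + [name]]
            if name in path:  # guard against dependency cycles
                return []
            deps = pkgs.get(name, {}).get("dependencies", {})
            return [c for d in deps for c in walk(d, path + [name])]
        roots = [n for n, e in pkgs.items() if e["type"] == "Direct"]
        entry = pkgs[package]
        report[tfm] = {
            "resolved": entry["resolved"],
            "below_fixed": version_key(entry["resolved"]) < version_key(fixed),
            "chains": [c for r in roots for c in walk(r, [])],
        }
    return report

if __name__ == "__main__":
    print(json.dumps(trace(SAMPLE_LOCK, "Newtonsoft.Json", "13.0.1"), indent=2))
```

After adding a direct `<PackageReference Include="Newtonsoft.Json" Version="13.0.1" />` and restoring, the same check reports `below_fixed` as false and lists `Newtonsoft.Json` as its own one-element chain.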