SixLabors / ImageSharp

:camera: A modern, cross-platform, 2D Graphics library for .NET

Home Page: https://sixlabors.com/products/imagesharp/


Cannot update to v2.1.7 due to vulnerability tag

WParr3 opened this issue · comments

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am running the latest version of ImageSharp
  • I have verified that the problem exists in both DEBUG and RELEASE mode
  • I have searched open and closed issues to ensure it has not already been reported

ImageSharp version

2.1.7

Other ImageSharp packages and versions

2.1.6

Environment (Operating system, version and so on)

Windows 10

.NET Framework version

6.0

Description

We are unable to run our build pipelines because when running the NuGet Restore command we are confronted with the error:
##[error]The nuget command failed with exit code(1) and error(NU1903: Warning As Error: Package 'SixLabors.ImageSharp' 2.1.6 has a known high severity vulnerability, https://github.com/advisories/GHSA-65x7-c272-7g7r

Upon inspecting the vulnerability on GitHub, we found the advisory page for the v2 package, stating that this issue has been patched in version 2.1.7 (we are currently on 2.1.6): GHSA-65x7-c272-7g7r

However, upon updating the package using Visual Studio's NuGet Package Manager, it fails as version 2.1.7 is marked with the tag "Vulnerable", causing a rollback to occur during the update attempt.

Could this tag be removed from v2.1.7 so that we can proceed to update the package and subsequently run our CI/CD pipelines successfully once more?

Steps to Reproduce

  1. Open NuGet Package Manager in Visual Studio;
  2. Select package source: nuget(.org);
  3. Find the SixLabors.ImageSharp package;
  4. Check the projects for which you wish to update and select version 2.1.7 from the dropdown;
  5. Click the "Install" button;

Images

[screenshot attached to the original issue; not reproduced here]

I am seeing the same issue on .NET 8: error NU1903: Package 'SixLabors.ImageSharp' 2.1.7 has a known high severity vulnerability, https://github.com/advisories/GHSA-65x7-c272-7g7r

I believe this will be resolved by this PR: github/advisory-database#3936

Same issue. Cannot migrate to 3.x as we are still on .NET 4.8. I assume we just upgrade to 2.1.7 and wait for the advisory to be fixed in GitHub/NuGet?

We had to wait for the advisory update to be merged. Should be fine now.

https://www.nuget.org/packages/SixLabors.ImageSharp/2.1.7