fsprojects / FAKE

FAKE - F# Make

Home Page: https://fake.build


Security warnings about usage of NuGet.Protocol v6.0

Numpsy opened this issue

Description

I created a CI build using FAKE 6 which also gets run through a Mend analysis, and it raised a warning about references to NuGet.Protocol v6.0, which has known security vulnerabilities.

Looking at the listing for NuGet.Protocol on nuget.org, it seems that the 6.0.0 versions of all those libraries have actually been delisted due to issues, and several of the updated versions are listed as having issues themselves.

Given the delisting, I think it would be good to bump the version used?

Repro steps

Version 6.0 seems to be specified at https://github.com/fsprojects/FAKE/blob/13e30330cae0597aed6154a95a06d21716b18de3/paket.lock#L825C1-L825C9

Known workarounds

As I'm running the build via a .fsproj file, I can locally update the references to a newer version if I have to.

Related information

  • Indications of severity
    NuGet says the vulnerability is 'high severity'

  • Version of FAKE (4.X, 5.X, 6.x)
    6.0

Welcome to the FAKE community! Thank you so much for creating your first issue and therefore improving the project!

@Numpsy will you prepare a PR?

That was the intent of #2761 / #2764

Approved