Security warnings about usage of NuGet.Protocol v6.0 #2760
Comments
Welcome to the FAKE community! Thank you so much for creating your first issue and therefore improving the project!
@Numpsy will you prepare a PR?
Approved
This stuff is never ending, version 6.7.0 is showing as having issues now: GHSA-68w7-72jg-6qpp :-(
The NuGet dependencies have been updated to the latest versions now, so I'll close this.
Description
I created a CI build using FAKE 6 which also gets run through a Mend analysis, and it raised a warning about references to NuGet.Protocol v6.0, which has known security vulnerabilities.
Looking at the listing for NuGet.Protocol on nuget.org, it seems that the 6.0.0 versions of all those libraries have actually been delisted due to issues, and several of the updated versions are listed as having issues themselves.
Given the delisting, I think it would be good to bump the version used?
Repro steps
Version 6.0 seems to be specified at https:/fsprojects/FAKE/blob/13e30330cae0597aed6154a95a06d21716b18de3/paket.lock#L825C1-L825C9
Known workarounds
As I'm running the build via a .fsproj file, I can locally update the references to a newer version if I have to.
Related information
Indications of severity
NuGet says the vulnerability is 'high severity'.
Version of FAKE (4.X, 5.X, 6.x)
6.0