
[Space-Age] Warning on vulnerability in transitive dependency Newtonsoft.Json 9.0.1 #1302

Open
ducdetronquito opened this issue Nov 26, 2024 · 3 comments

@ducdetronquito

Hi !

First, thanks for your work on the F# track, it's a pleasure to learn the language on Exercism!

When building the exercise space-age, I have the following warnings:

Restore succeeded with 1 warning(s) in 0.6s
    /exercism_workspace/fsharp/space-age/SpaceAge.fsproj : warning NU1903: Package 'Newtonsoft.Json' 9.0.1 has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr
  SpaceAge succeeded with 1 warning(s) (2.3s) → bin/Debug/net8.0/SpaceAge.dll
    /exercism_workspace/fsharp/space-age/SpaceAge.fsproj : warning NU1903: Package 'Newtonsoft.Json' 9.0.1 has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr

It appears that Newtonsoft.Json is a dependency of Microsoft.TestPlatform.TestHost/16.8.3 which in turn is a dependency of Microsoft.NET.Test.Sdk/16.8.3.

dotnet-outdated reports that some packages could benefit from being bumped, and bumping Microsoft.NET.Test.Sdk to the latest version would remove the previous warning because Newtonsoft.Json is no longer a dependency.

❯ dotnet outdated
» SpaceAge
  [net8.0]
  FsUnit.xUnit               4.0.4  -> 6.0.1
  Microsoft.NET.Test.Sdk     16.8.3 -> 17.12.0
  xunit                      2.4.1  -> 2.9.2
  xunit.runner.visualstudio  2.4.3  -> 2.8.2

What do you think about it ?

I can make a PR to bump these packages if you agree.

Have a nice day :)
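The NU1903 lines above are NuGet audit warnings emitted during restore. A small check that turns such output into something a CI job can act on, as an added example that is not part of this issue or of the Exercism repository: it extracts the distinct package, version, severity and advisory URL from captured `dotnet build` / `dotnet restore` output (the sample below is the two warning lines quoted in this issue, embedded as constructed input) and signals whether any finding is high or critical. The function names `nuget_audit_findings` and `nuget_audit_fails_build` are this example's own.

```shell
#!/bin/sh
# Added example: parse NuGet audit warnings (NU1901-NU1904) out of build output.
# Not code from the issue or the F# track; the sample below is constructed
# from the warning lines quoted in the issue text.

SAMPLE_OUTPUT="Restore succeeded with 1 warning(s) in 0.6s
    /exercism_workspace/fsharp/space-age/SpaceAge.fsproj : warning NU1903: Package 'Newtonsoft.Json' 9.0.1 has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr
  SpaceAge succeeded with 1 warning(s) (2.3s) -> bin/Debug/net8.0/SpaceAge.dll
    /exercism_workspace/fsharp/space-age/SpaceAge.fsproj : warning NU1903: Package 'Newtonsoft.Json' 9.0.1 has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr"

# nuget_audit_findings: read build output on stdin and print one line per
# distinct finding in the form "<code> <package> <version> <severity> <advisory-url>".
# The same warning is printed once by restore and once by build, so dedupe.
nuget_audit_findings() {
  sed -n "s/.*warning \(NU190[1-4]\): Package '\([^']*\)' \([^ ]*\) has a known \([a-z]*\) severity vulnerability, \(https:\/\/[^ ]*\).*/\1 \2 \3 \4 \5/p" | sort -u
}

# nuget_audit_fails_build: exit 0 if any finding is high or critical
# (so `... && exit 1` can fail a pipeline), exit 1 otherwise.
nuget_audit_fails_build() {
  nuget_audit_findings | awk '$4 == "high" || $4 == "critical" { found = 1 } END { exit found ? 0 : 1 }'
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | nuget_audit_findings
```

In a real pipeline you would feed it `dotnet build 2>&1` instead of the sample, or skip the parsing altogether with `dotnet list package --vulnerable --include-transitive`, which reports the same advisories together with the transitive path (here Microsoft.NET.Test.Sdk → Microsoft.TestPlatform.TestHost → Newtonsoft.Json). NuGet can also be told to treat the warning as an error in the project file with `<WarningsAsErrors>NU1903</WarningsAsErrors>`, which is the simplest way to stop a known-vulnerable transitive package from being restored silently.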

Contributor

Hello. Thanks for opening an issue on Exercism 🙂

At Exercism we use our Community Forum, not GitHub issues, as the primary place for discussion. That allows maintainers and contributors from across Exercism's ecosystem to discuss your problems/ideas/suggestions without them having to subscribe to hundreds of repositories.

This issue will be automatically closed. Please use this link to copy your GitHub Issue into a new topic on the forum, where we look forward to chatting with you!

If you're interested in learning more about this auto-responder, please read this blog post.

@ErikSchierboom
Member

We can't just update the dependencies unfortunately because the test runner (which runs the tests when submitting solutions) has to be updated too. We'll get to it though.

@ducdetronquito
Author

Ok!
I'm not an F# guru, but if there is any help I can provide, just ask :)
