Sdk 2805 net security dependency upgrades #545
Open
mehmet-yoti wants to merge 4 commits into
Closes the Critical GHSA-ghhp-997w-qr28 (System.Text.Encodings.Web 4.5.0) in CoreExample/DigitalIdentity/DocScan and the High GHSA-cmhx-cq75-c4mj (System.Text.RegularExpressions 4.3.0) across all four examples.

CoreExample & DigitalIdentityExample:
- Drop Microsoft.AspNetCore.Hosting.Abstractions 2.2.0 and Microsoft.AspNetCore.StaticFiles 2.2.0 (in-box via Microsoft.NET.Sdk.Web)
- Drop Microsoft.VisualStudio.Web.CodeGeneration.Design 3.1.4 and deprecated DotNetCliToolReference (scaffolding-only, not used at runtime)
- Microsoft.CodeAnalysis.{Common,CSharp,CSharp.Workspaces} 4.9.2/4.2.0 -> 4.13.0
- Microsoft.VisualStudio.Azure.Containers.Tools.Targets 1.20.1/1.16.1 -> 1.23.0

DocScanExample: drop Microsoft.VisualStudio.Web.CodeGeneration.Design 3.1.4.

AmlExample: Newtonsoft.Json 13.0.3 -> 13.0.4.

All four examples: DotNetEnv 2.3.0 -> 3.2.0, plus explicit System.Text.RegularExpressions 4.3.1 to override the vulnerable 4.3.0 that DotNetEnv 3.2.0 still drags in transitively via Microsoft.Extensions.Configuration 1.1.2 -> NETStandard.Library 1.6.1.

Verified: dotnet list package --vulnerable --include-transitive reports zero findings on all four example projects; all four build clean.
No advisory currently reports against Yoti.Auth.csproj, but several pins are years out of date. Bumps:
- Google.Protobuf 3.26.1 -> 3.30.2 (stay on 3.x; wire/API compatible with existing src/Yoti.Auth/ProtoBuf/**/*.cs, no regen needed)
- JsonSubTypes 1.9.0 -> 2.0.1
- Newtonsoft.Json 13.0.3 -> 13.0.4
- NLog 5.0.1 -> 5.5.1 (latest 5.x; holding back from 6.x to keep legacy TFM support)
- Portable.BouncyCastle 1.8.5 -> 1.9.0 (per-TFM gated: 1.9.0 dropped netstandard1.6, so we keep 1.8.5 for that legacy target only)
- Microsoft.CodeAnalysis.NetAnalyzers 7.0.3 -> 9.0.0 (analyzer only)
- System.Net.Http 4.3.4: gated to legacy TFMs only (net452/462/472/48 and netstandard1.6). On netstandard2.1/netcoreapp3.1/net6.0 the in-box BCL HttpClient is used; the NuGet shim is unnecessary and was causing potential assembly conflicts.

Verified: all 8 TFMs build clean; dotnet list --vulnerable reports zero findings.
Conservative test-project bump. Attempted broader upgrades but reverted:
- MSTest.{TestAdapter,TestFramework} 2.2.10 -> 3.6.4: surfaces 3 pre-existing test bugs around ThrowsExceptionAsync semantics. Out of scope for a security PR; MSTest 2.2.10 has no advisory.
- Microsoft.NET.Test.Sdk 17.2.0 -> 17.13.0: requires MSTest 3.x.
- Moq 4.18.1 -> 4.18.4 (within [4.18.4,4.20.0) range to avoid the 4.20+ SponsorLink telemetry): 4.18.4 introduces a regression in dynamic-argument serialization that breaks DocScanClientTests (OutOfMemoryException in JsonConvert.SerializeObject of a Moq-captured dynamic). Holding 4.18.1; no advisory against it.

All 811 tests pass.
GHSA-7jgj-8wvc-jh57

After Phase 2 gated System.Net.Http 4.3.4 to legacy TFMs only in the core SDK, the four example apps re-surfaced the High advisory via DotNetEnv 3.2.0 -> Microsoft.Extensions.Configuration 1.1.2 -> NETStandard.Library 1.6.1 -> System.Net.Http 4.3.0 (the vulnerable pre-patch version). Adding an explicit PackageReference for 4.3.4 (the fixed shim) in each example forces NuGet to resolve the patched version transitively.

Verified: dotnet list --vulnerable --include-transitive reports zero findings across all 6 projects (core, tests, 4 examples). All 811 tests pass; all 5 buildable projects compile clean.
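The override pattern the commit messages above rely on, shown as an added example rather than one of the PR's own csproj files: a minimal example-app project (the project name and net6.0 target are assumptions) that keeps DotNetEnv 3.2.0 as a direct dependency and pins the two shims it drags in transitively. The NuGetAudit properties go beyond what the PR does and assume a .NET SDK whose NuGet supports package auditing; they turn the manual `dotnet list package --vulnerable --include-transitive` check into a restore-time gate.

```xml
<Project Sdk="Microsoft.NET.Sdk.Web">
  <!-- Added example (not a file from this PR). Project name and TFM are assumptions.
       Microsoft.NET.Sdk.Web already provides the ASP.NET Core framework, so no
       Microsoft.AspNetCore.* PackageReference is needed here. -->
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
    <AssemblyName>TransitiveOverrideExample</AssemblyName>

    <!-- Restore-time audit (assumes a NuGet version that supports it):
         scan direct AND transitive packages, and treat any advisory of
         Moderate severity or higher as a restore error rather than a warning.
         NU1901..NU1904 are NuGet's low/moderate/high/critical audit codes. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>moderate</NuGetAuditLevel>
    <WarningsAsErrors>$(WarningsAsErrors);NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Direct dependency whose graph still reaches
         Microsoft.Extensions.Configuration 1.1.2 -> NETStandard.Library 1.6.1 ->
         System.Net.Http 4.3.0 and System.Text.RegularExpressions 4.3.0,
         both of which carry advisories. -->
    <PackageReference Include="DotNetEnv" Version="3.2.0" />

    <!-- Explicit top-level references for the two transitive packages. NuGet picks
         the version declared nearest the root of the graph, so these direct pins
         win over the 4.3.0 versions requested three levels down. -->
    <PackageReference Include="System.Net.Http" Version="4.3.4" />
    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
  </ItemGroup>
</Project>
```

Two caveats when applying this pattern elsewhere. The direct pin must be greater than or equal to every version requested transitively; pinning lower than the transitive request triggers NuGet's package-downgrade error (NU1605) instead of silently resolving. And an explicit pin only fixes the resolved version; it does not remove the dependency edge, so re-run `dotnet list package --vulnerable --include-transitive` after any later bump of DotNetEnv, because a newer DotNetEnv that drops the old Microsoft.Extensions.Configuration chain would make the pins redundant, while one that adds a new vulnerable edge would need a new pin.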
Pull request overview
This PR resolves all High/Critical CVEs reported by dotnet list package --vulnerable --include-transitive across the SDK, test project, and example apps, while also doing defensive hygiene bumps on aged pins in the core SDK. The changes are split into four phases (example transitive CVE fixes, core SDK hygiene bumps, test project bumps, and a follow-up System.Net.Http transitive fix in examples).
Changes:
- Replace vulnerable transitive packages in the four example projects by removing redundant Microsoft.AspNetCore.* / Microsoft.VisualStudio.Web.CodeGeneration.Design / DotNetCliToolReference, upgrading DotNetEnv / Microsoft.CodeAnalysis.* / Microsoft.VisualStudio.Azure.Containers.Tools.Targets, and pinning explicit System.Text.RegularExpressions 4.3.1 and System.Net.Http 4.3.4 overrides.
- Bump core SDK pins (Google.Protobuf, JsonSubTypes 1.9 → 2.0.1 major, Newtonsoft.Json, NLog, Microsoft.CodeAnalysis.NetAnalyzers) and gate Portable.BouncyCastle 1.9.0 / System.Net.Http 4.3.4 per-TFM so legacy targets keep working.
- Bump coverlet.msbuild 6.0.2 → 6.0.4 in the test project.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/Yoti.Auth/Yoti.Auth.csproj | Core SDK package bumps; per-TFM gating for Portable.BouncyCastle and System.Net.Http; JsonSubTypes major version bump |
| src/Examples/Profile/CoreExample/CoreExample.csproj | Drop redundant ASP.NET/scaffolding refs, bump DotNetEnv/CodeAnalysis/Containers.Tools, add explicit System.Net.Http/System.Text.RegularExpressions overrides |
| src/Examples/DigitalIdentity/DigitalIdentity/DigitalIdentityExample.csproj | Same pattern as CoreExample |
| src/Examples/DocScan/DocScanExample/DocScanExample.csproj | Drop CodeGeneration.Design, bump DotNetEnv, add transitive CVE override pins |
| src/Examples/Aml/AmlExample/AmlExample.csproj | Bump DotNetEnv/Newtonsoft.Json, add transitive CVE override pins |
| test/Yoti.Auth.Tests/Yoti.Auth.Tests.csproj | Patch bump of coverlet.msbuild |
Summary

Closes all High and Critical CVEs reported by dotnet list package --vulnerable --include-transitive across the core SDK, test project, and all four example apps. Also performs hygiene bumps on aged-but-unflagged core SDK pins. Work split across 4 commits so each phase can be reviewed (and reverted) independently.

Baseline scan (before this PR)

- System.Text.Encodings.Web 4.5.0
- System.Text.RegularExpressions 4.3.0

Both pulled in transitively via Microsoft.AspNetCore.Hosting.Abstractions 2.2.0, Microsoft.AspNetCore.StaticFiles 2.2.0, Microsoft.VisualStudio.Web.CodeGeneration.Design 3.1.4, and DotNetEnv 2.3.0. The core SDK (Yoti.Auth.csproj) and test project reported zero advisories but had several years-stale pins worth bumping defensively.

Phases

Phase 1 — Example app transitive CVE fixes (0730934)

CoreExample & DigitalIdentityExample:
- Drop Microsoft.AspNetCore.Hosting.Abstractions 2.2.0 and Microsoft.AspNetCore.StaticFiles 2.2.0 (in-box via Microsoft.NET.Sdk.Web).
- Drop Microsoft.VisualStudio.Web.CodeGeneration.Design 3.1.4 and deprecated DotNetCliToolReference (scaffolding-only, not used at runtime).
- Microsoft.CodeAnalysis.{Common,CSharp,CSharp.Workspaces} 4.9.2/4.2.0 → 4.13.0
- Microsoft.VisualStudio.Azure.Containers.Tools.Targets 1.20.1/1.16.1 → 1.23.0

DocScanExample:
- Drop Microsoft.VisualStudio.Web.CodeGeneration.Design 3.1.4

AmlExample:
- Newtonsoft.Json 13.0.3 → 13.0.4

All four examples:
- DotNetEnv 2.3.0 → 3.2.0; explicit System.Text.RegularExpressions 4.3.1 override (because DotNetEnv 3.2.0 still drags in Microsoft.Extensions.Configuration 1.1.2 → NETStandard.Library 1.6.1)

Phase 2 — Core SDK hygiene bumps (3cf4463)

No advisory reported against src/Yoti.Auth/Yoti.Auth.csproj, but several pins are years out of date. Bumps:
- Google.Protobuf 3.26.1 → 3.30.2 (stay on 3.x; wire/API compatible with existing src/Yoti.Auth/ProtoBuf/**/*.cs, no regen needed)
- JsonSubTypes 1.9.0 → 2.0.1
- Newtonsoft.Json 13.0.3 → 13.0.4
- NLog 5.0.1 → 5.5.1 (latest 5.x; holding back from 6.x to keep legacy TFM support)
- Portable.BouncyCastle 1.8.5 → 1.9.0 (per-TFM gated: 1.9.0 dropped netstandard1.6, so 1.8.5 is held for that legacy target only)
- Microsoft.CodeAnalysis.NetAnalyzers 7.0.3 → 9.0.0 (analyzer only)
- System.Net.Http 4.3.4: gated to net452/462/472/48 and netstandard1.6 only — on netstandard2.1/netcoreapp3.1/net6.0 the in-box BCL HttpClient is used; the NuGet shim was unnecessary

All 8 SDK target frameworks build clean on Windows (netstandard1.6; netstandard2.1; netcoreapp3.1; net6.0; net452; net462; net472; net48). On macOS only the modern targets build; Azure Pipelines windows-latest covers the legacy matrix.

Phase 3 — Test project bumps (d9131c1)

- coverlet.msbuild 6.0.2 → 6.0.4 (minor reliability patch).

Attempted broader upgrades but reverted as out-of-scope for a security PR:
- MSTest.{TestAdapter,TestFramework} 2.2.10 → 3.6.4: surfaces 3 pre-existing test bugs around ThrowsExceptionAsync semantics. No advisory against MSTest 2.2.10.
- Moq 4.18.1 → 4.18.4 (within [4.18.4,4.20.0) to avoid the 4.20+ SponsorLink telemetry): 4.18.4 introduces a regression in dynamic-argument serialization that breaks DocScanClientTests.GetSessionConfigurationShouldSucceed (OutOfMemoryException in JsonConvert.SerializeObject of a Moq-captured dynamic). Holding 4.18.1; no advisory against it.

Phase 4 — System.Net.Http transitive fix in examples (82ed952)

After Phase 2 gated System.Net.Http 4.3.4 to legacy TFMs in the core SDK, the example apps re-surfaced a High advisory GHSA-7jgj-8wvc-jh57 via DotNetEnv 3.2.0 → Microsoft.Extensions.Configuration 1.1.2 → NETStandard.Library 1.6.1 → System.Net.Http 4.3.0. Added an explicit PackageReference Include="System.Net.Http" Version="4.3.4" to each of the 4 example csproj files to force NuGet to resolve the patched shim.
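The per-TFM gating that Phase 2 describes, as an added example that is not the SDK's own src/Yoti.Auth/Yoti.Auth.csproj: a multi-targeting library project using the eight TFMs and package versions from the PR description (the assembly name is an assumption). It shows the two gating shapes the PR needs, a single target held on an older package (Portable.BouncyCastle on netstandard1.6) and a package present only on the legacy targets (the System.Net.Http shim).

```xml
<Project Sdk="Microsoft.NET.Sdk">
  <!-- Added example (not the SDK's own csproj). Assembly name is an assumption;
       TFMs and versions follow the PR description. -->
  <PropertyGroup>
    <AssemblyName>PerTfmGatingExample</AssemblyName>
    <TargetFrameworks>netstandard1.6;netstandard2.1;netcoreapp3.1;net6.0;net452;net462;net472;net48</TargetFrameworks>

    <!-- Each TFM is restored and built in its own inner build, where
         $(TargetFramework) holds a single value, so a derived flag can be computed
         once and reused in item conditions. Legacy = .NET Framework (net4xx) plus
         netstandard1.6. In the outer build $(TargetFramework) is empty and the
         flag stays unset. -->
    <IsLegacyTfm Condition="$(TargetFramework.StartsWith('net4')) Or '$(TargetFramework)' == 'netstandard1.6'">true</IsLegacyTfm>
  </PropertyGroup>

  <!-- Unconditional bumps: the same version is valid on every target. -->
  <ItemGroup>
    <PackageReference Include="Google.Protobuf" Version="3.30.2" />
    <PackageReference Include="JsonSubTypes" Version="2.0.1" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.4" />
    <PackageReference Include="NLog" Version="5.5.1" />
    <!-- Analyzer only: PrivateAssets="all" keeps it out of consumers' dependency graphs. -->
    <PackageReference Include="Microsoft.CodeAnalysis.NetAnalyzers" Version="9.0.0" PrivateAssets="all" />
  </ItemGroup>

  <!-- Portable.BouncyCastle 1.9.0 dropped netstandard1.6, so that one target keeps
       1.8.5 while every other target moves to 1.9.0. -->
  <ItemGroup Condition="'$(TargetFramework)' == 'netstandard1.6'">
    <PackageReference Include="Portable.BouncyCastle" Version="1.8.5" />
  </ItemGroup>
  <ItemGroup Condition="'$(TargetFramework)' != 'netstandard1.6'">
    <PackageReference Include="Portable.BouncyCastle" Version="1.9.0" />
  </ItemGroup>

  <!-- The System.Net.Http NuGet shim is only needed where the framework does not
       ship a current HttpClient. Modern targets use the in-box BCL type; referencing
       the shim there adds nothing and can cause assembly-version conflicts. -->
  <ItemGroup Condition="'$(IsLegacyTfm)' == 'true'">
    <PackageReference Include="System.Net.Http" Version="4.3.4" />
  </ItemGroup>
</Project>
```

Because the conditions are evaluated per inner build, `dotnet list package --vulnerable --include-transitive` reports each TFM's graph separately, which is how the Phase 4 regression surfaced: gating the shim out of the modern SDK targets was correct for the SDK, but it removed the only place the examples had been getting the patched 4.3.4 from, and their own graphs still requested 4.3.0. Gating a package in a library therefore calls for re-scanning every project that consumes it, not just the library.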