Microsoft.Identity.Client version and dependency design about dbatools HOT 4 OPEN

I think I just saw another issue that may be related to this. I had to update Microsoft.Identity recently due to a CVE in SqlClient.

Unfortunately, I am very very limited on my ability to troubleshoot DLLs. Perhaps @FriedrichWeinmann or @StartAutomating have some ideas? I believe James was trying to address this in one of his modules to make things like this easier.

from dbatools.

To address this for PS 7 you would need to implement what jborean93 shows:

• https://github.com/jborean93/PowerShell-ALC

It allows DLL to not get into conflict, but implementing this is not trivial, especially for large module like this. And you still have to take care of PS 5.1 conflicts the old way.

I am mostly proposing to upgrade the version to non-vurnable (which is even bad in Microsoft.Graph as it uses 4.60.1) and follow Microsoft.Graph with it's version.

I know Microsoft.Graph releases new version every 2 weeks, so it's not great, but this is the only thing I can think of. If they upgrade to 4.60.3, we try to follow and keep it in sync. If new version is out, but Microsoft.Graph doesn't upgrade, we keep it the same.

Right now I have to resort to drastic fix, by replacing DLLs myself all over the place to avoid conflicts so all the DLL version matches, but that goes a bit too far as I am modifying someone else's libraries.

from dbatools.

Thanks for the explanation.

There's another CVE that I'm missing? I just got a scan and passed. I don't believe it's reasonable to update the library every 2 weeks, so that cannot be a solution, unfortunately.

from dbatools.

As you can see on nuget.org it shows which versions are affected so the one you use 4.56 has vulnerabilities, you also use 4.53 which is also marked as problematic.

I guess 2 weeks is nuts, but it only would matter if the DLL would be updated. Most of the processes I have are automated to republish so for me it's not a big deal.

from dbatools.