Security Vulnerability: https://github.com/advisories/GHSA-8g2p-5pqh-5jmc about microsoft.sqlserver.types HOT 7 OPEN

It’s an implicit reference. You can reference a newer version in your application

from microsoft.sqlserver.types.

I need a bit more info than that. This package doesn't use Microsoft.SqlServer.Types - it's an alternatice to that when not running on .net framework

from microsoft.sqlserver.types.

I believe it's this vulnerability: GHSA-8g2p-5pqh-5jmc.

This project references System.Data.SqlClient 4.8.3, which seems to be affected.

from microsoft.sqlserver.types.

Yes. Until the reference is bumped, one can explicitly override the version. Instructions can be found via the link above.

from microsoft.sqlserver.types.

My point is this library doesn't ship the vulnerable library, so there's no vulnerability in this library.

from microsoft.sqlserver.types.

We have a dotnet 6 aspnet core project, where we have this package as a transitive dependency. This package shows that it has a dependency on the vulnerable package.

"dotMorten.Microsoft.SqlServer.Types": { "type": "Transitive", "resolved": "1.4.0", "contentHash": "MYxVbuBguObk8QFNTuBZ+ZEC/m1zbvG774FbFvwiDZjc0RYq/co27THrHN5Dyd52ie0R5bt2uxSZj4tIb3lYFg==", "dependencies": { "System.Data.SqlClient": "4.8.3", "System.Memory": "4.5.4" }

I can see that the System.Data.SqlClient package with that version is in the csproj file.

from microsoft.sqlserver.types.

Yes it’s a dependency you can override by adding an explicit reference. You’re not using the 2.x release which uses the newer sql client libraries. The 1.x releases are just there for old compat with the older client.

from microsoft.sqlserver.types.