Upgrade packages with vulnerability #17801
If we have to upgrade OpenId, we would have to release v2.2.0 instead of v2.1.7 so I was hoping to avoid having to do that. But if it is safer to upgrade OpenId and release v2.2.0 then maybe that is what we should do?
Last time I suggested that (in January IIRC), it was ruled out because 3.0 was around the corner, which made releasing a 2.2 version not very appealing. Has anything changed in this regard? If you decide to bump the OpenIddict version in the 2.x branch, you'll need to backport these 2 PRs:
@sebastienros should we release v2.2.0 instead of v2.1.7 only with the PRs we already backported along with the 2 PRs referenced above? I think we are a bit far from v3.0.0.
There is no ideal solution with the current state of things. I suggest we keep the net9.0 Microsoft.Bcl dependency, so reference all valid versions, but once there is an IM with a truly long support then we switch to it. Hopefully before net9.0 becomes unsupported, which is in a year: May 12, 2026.
FWIW, I came to the same conclusion when I had to decide what to do in OpenIddict 7.0 (that will require ASP.NET Core 2.3+ instead of 2.1+ and thus will reference the 8.0 version of the .NET Extensions on older TFMs): previous OpenIddict versions referenced older IM versions for the older TFMs to avoid having mixed .NET Extensions versions, but 7.0 will target IM 8.x for all TFMs. Hopefully they'll be able to remove that dependency so this won't be a problem at all.
We decided to ship 2.1.7 with the vulnerable packages since they exist in 2.1.6 also, until there is a fix or v3 is released.
@kevinchalet is it okay to update only these 2 packages into the /release.2.1 branch? Need to address the current vulnerability issue with these two dependencies and ship 2.1.7.
Note this is based on release/2.1 branch not main.