Dependencies are reported to contain high vulnerabilities

[WenningQiu]

Antlr3.Runtime (v3.5.1) brings on dependencies that are reported to contain high vulnerabilities:

The root cause might be that Antlr3.Runtime targets netstandard version lower than 2.0 according to this Microsoft blog (https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/).

Can we have a new version that targets netstandard2.0 to move away from those vulnerable dependencies?

Thanks.

[lextm]

You can add a dependency of a newer System.Text.RegularExpression package to your project to resolve this issue.

[WenningQiu]

In fact the reported vulnerability is a false positive as System.Text.RegularExpressions.DLL will be provided by the platform.

A new feature called "package pruning" was added to the SDK to address this. It was first added in .NET SDK 9.0.200, and can be enabled by setting the RestoreEnablePackagePruning property to true. The feature will be turned on by default in the .NET 10 SDK.

See more details here: https://github.com/NuGet/Home/blob/dev/accepted/2024/prune-package-reference.md