Nuget package Vulnerability

[polajenko]

I am trying to add bunit to my blazor web assembly project and Microsoft is warning about a package vulnerability in the Microsoft.Extensions.Caching.Memory package.

GHSA-qj66-m88j-hmgj

[linkdotnet]

Thanks for bringing this to our attention. I will prepare a fix and we can make a new release.
@egil WOrks for you?

[polajenko]

yes thanks I will wait to install bunit until a fix is released.

[linkdotnet]

In the meantime you can install the dependency yourself. .NET will always take direct installed dependencies over transient ones:

<PackageVersion Include="Microsoft.Extensions.Caching.Memory" Version="8.0.1"/>

[polajenko]

Why not also turn on dependabot alerts for this repo then you would be notified automatically.

[linkdotnet]

Interestingly enough, they are turned on :D

[polajenko]

In the meantime you can install the dependency yourself. .NET will always take direct installed dependencies over transient ones:

<PackageVersion Include="Microsoft.Extensions.Caching.Memory" Version="8.0.1"/>

done

[polajenko]

Interestingly enough, they are turned on :D

ok I can't see them from the security tab. I suppose it is hidden from our viewpoint.

[linkdotnet]

There is no "open" one

[linkdotnet]

@polajenko New stable version 1.34 is out. That should drop the need for the additional dependency inside your code.