Update package references to address vulnerabilities including transitive packages #74
This is an update to address vulnerability warnings on transitive packages, which are now reported in builds if you have the latest Visual Studio 2022 (or Build Tools), or .NET 9 SDK even if targeting an earlier version.

- System.Drawing.Common is a child dependency for some reason and this has a critical vulnerability in version 4.7.0 - updated to 4.7.3
- System.Net.Http has a high vulnerability in version 4.3.3 - updated to 4.3.4
- System.Security.Cryptography.Xml has a moderate vulnerability in version 4.7.0 - updated to 4.7.1

Only updated to highest patch version that isn't vulnerable to avoid potential breaking changes.
I don't know if there's any activity here, however, but have made these changes on a local copy and using a local folder repo to use it. Pushed build to 2.0.0-beta4 as it's the next version after the official package in nuget. Noting csproj in the repository still refers to 2.0.0-beta2 yet beta3 was published.
This would also include #33 if published, as the merge date is later than beta3 publish date in nuget?
I realise EWS is deprecated, but we still have to support it for on-prem Exchange server customers and Microsoft have abandoned us.
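
A check for the pinning approach described in this pull request, as an added example that is not code from the pull request or the repository: it reads a project file and reports whether each of the three packages is pinned at or above the fixed version named above, and whether the pin stays within the same major.minor (the patch-only policy). The sample project file, the function names and the status labels are constructed for illustration, and the check assumes versions are given as `Version` attributes on `PackageReference` elements.

```python
import xml.etree.ElementTree as ET

# Fixed versions as stated in the pull request description.
FIXED = {
    "System.Drawing.Common": "4.7.3",
    "System.Net.Http": "4.3.4",
    "System.Security.Cryptography.Xml": "4.7.1",
}

# Constructed sample project file, not the repository's real csproj.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="System.Drawing.Common" Version="4.7.3" />
    <PackageReference Include="System.Net.Http" Version="4.3.3" />
    <PackageReference Include="System.Security.Cryptography.Xml" Version="5.0.0" />
  </ItemGroup>
</Project>"""


def parse_version(text):
    """Turn '4.7.3' or '4.7.3-beta1' into (4, 7, 3); the prerelease tag is ignored."""
    return tuple(int(part) for part in text.split("-")[0].split("."))


def audit_pins(csproj_xml):
    """Return {package: status} for every package in FIXED."""
    pins = {}
    for element in ET.fromstring(csproj_xml).iter():
        # Strip any XML namespace so old-style project files also match.
        if element.tag.rsplit("}", 1)[-1] == "PackageReference":
            pins[element.get("Include")] = element.get("Version")
    report = {}
    for name, fixed_text in FIXED.items():
        pinned_text = pins.get(name)
        if pinned_text is None:
            report[name] = "unpinned"      # version is chosen by parent packages
            continue
        pinned, fixed = parse_version(pinned_text), parse_version(fixed_text)
        if pinned < fixed:
            report[name] = "below-fix"     # older than the version the PR moved to
        elif pinned[:2] != fixed[:2]:
            report[name] = "beyond-patch"  # major/minor changed: review for breaks
        else:
            report[name] = "ok"
    return report


if __name__ == "__main__":
    for package, status in audit_pins(SAMPLE_CSPROJ).items():
        print(f"{package}: {status}")
```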