Fix 'Microsoft.AspNetCore.Server.Kestrel.Core' 2.3.0 has a known critical severity vulnerability, https://github.com/advisories/GHSA-5rrx-jjjq-q2r5 #72
Conversation
…own critical severity vulnerability, GHSA-5rrx-jjjq-q2r5
There was a problem hiding this comment.
Pull Request Overview
This pull request attempts to address a critical security vulnerability in Microsoft.AspNetCore.Server.Kestrel.Core 2.3.0 by modifying package dependencies in the Clerk.BackendAPI project. The changes include replacing the Microsoft.AspNetCore package with Microsoft.AspNetCore.Http, upgrading Newtonsoft.Json, and adding Visual Studio-specific files to .gitignore.
- Replaced
Microsoft.AspNetCore2.3.0 withMicrosoft.AspNetCore.Http2.3.0 - Updated Newtonsoft.Json from version 13.0.3 to 13.0.4
- Added
.vsfolder to .gitignore for Visual Studio compatibility
Reviewed Changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/Clerk/BackendAPI/Clerk.BackendAPI.csproj | Modified package dependencies: replaced Microsoft.AspNetCore with Microsoft.AspNetCore.Http, and upgraded Newtonsoft.Json to 13.0.4 |
| .gitignore | Added .vs folder to exclude Visual Studio user-specific files from version control |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
| <ItemGroup> | ||
| <PackageReference Include="newtonsoft.json" Version="13.0.3" /> | ||
| <PackageReference Include="Microsoft.AspNetCore.Http" Version="2.3.0" /> |
There was a problem hiding this comment.
The package Microsoft.AspNetCore.Http version 2.3.0 is severely outdated for a .NET 8.0 project and may contain security vulnerabilities. This version is from the .NET Core 2.x era (circa 2018), while the project targets .NET 8.0. The test project uses Microsoft.AspNetCore.TestHost version 8.0.11, indicating that modern ASP.NET Core 8.x packages should be used instead.
Recommendation: Update to Microsoft.AspNetCore.Http version 8.0.x (e.g., 8.0.11) to match the target framework and ensure security patches are applied. Additionally, the PR title mentions a vulnerability in Microsoft.AspNetCore.Server.Kestrel.Core, but this change adds Microsoft.AspNetCore.Http instead. Please verify that this addresses the actual vulnerability or if Microsoft.AspNetCore.Server.Kestrel.Core also needs to be referenced with an updated version.
| <PackageReference Include="Microsoft.AspNetCore.Http" Version="2.3.0" /> | |
| <PackageReference Include="Microsoft.AspNetCore.Http" Version="8.0.11" /> |
| <ItemGroup> | ||
| <PackageReference Include="newtonsoft.json" Version="13.0.3" /> | ||
| <PackageReference Include="Microsoft.AspNetCore.Http" Version="2.3.0" /> | ||
| <PackageReference Include="newtonsoft.json" Version="13.0.4" /> |
There was a problem hiding this comment.
The Newtonsoft.Json package update from 13.0.3 to 13.0.4 is inconsistent with the test project's dependencies. The test project (Tests.csproj) still references Newtonsoft.Json version 13.0.3 (line 9), which could lead to version conflicts or inconsistencies during testing.
Recommendation: Also update the Newtonsoft.Json reference in Tests.csproj to version 13.0.4 to maintain consistency across the solution.
1 participant
This pull request updates the package dependencies in the
Clerk.BackendAPI.csprojfile to ensure compatibility and improve maintainability. The most significant changes are related to dependency management.Dependency updates and corrections:
newtonsoft.jsonpackage to version 13.0.4 for improved features and bug fixes.Microsoft.AspNetCore.Httpversion 2.3.0, ensuring the project has the necessary HTTP abstractions.Microsoft.AspNetCoreversion 2.3.0, likely to avoid redundancy or conflicts.General maintenance:
#71