Fix 'Microsoft.AspNetCore.Server.Kestrel.Core' 2.3.0 has a known critical severity vulnerability, https://github.com/advisories/GHSA-5rrx-jjjq-q2r5 #72
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -10,3 +10,4 @@ debug/ | |
| .env.development | ||
| .env.test | ||
| .env.production | ||
| /.vs | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,4 @@ | ||
| <Project Sdk="Microsoft.NET.Sdk"> | ||
| <Project Sdk="Microsoft.NET.Sdk"> | ||
|
|
||
| <PropertyGroup> | ||
| <IsPackable>true</IsPackable> | ||
|
|
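Review bot: the `@@ -1,4 +1,4 @@` hunk shows `<Project Sdk="Microsoft.NET.Sdk">` on both the old and new side with no visible textual difference, so the change here is most likely whitespace, BOM or line-ending only. If that is the case, drop it from this PR so the diff stays limited to the dependency fix the title describes.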
@@ -54,9 +54,9 @@ Please see https://clerk.com/docs for more information.</Description> | |
| </PropertyGroup> | ||
|
|
||
| <ItemGroup> | ||
| <PackageReference Include="newtonsoft.json" Version="13.0.3" /> | ||
| <PackageReference Include="Microsoft.AspNetCore.Http" Version="2.3.0" /> | ||
| <PackageReference Include="newtonsoft.json" Version="13.0.4" /> | ||
|
||
| <PackageReference Include="nodatime" Version="3.1.9" /> | ||
| <PackageReference Include="Microsoft.AspNetCore" Version="2.3.0" /> | ||
| <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.2.0" /> | ||
| <PackageReference Include="Microsoft.SourceLink.GitHub" Version="8.0.0" PrivateAssets="All"/> | ||
| </ItemGroup> | ||
|
|
||
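Review bot: this hunk does not touch the package named in the PR title. `Microsoft.AspNetCore.Server.Kestrel.Core` appears nowhere in the diff; what is added is `<PackageReference Include="Microsoft.AspNetCore.Http" Version="2.3.0" />`, while the existing `<PackageReference Include="Microsoft.AspNetCore" Version="2.3.0" />` is left unchanged, so whatever Kestrel.Core version those 2.3.0 packages bring in transitively is unaffected. To actually close GHSA-5rrx-jjjq-q2r5, add an explicit `PackageReference` to `Microsoft.AspNetCore.Server.Kestrel.Core` pinned to a version the advisory lists as patched (a direct reference overrides the transitive one), or move the project off the 2.3.0 packages altogether, and confirm the result with `dotnet list package --vulnerable --include-transitive` before merging. The `newtonsoft.json` bump from 13.0.3 to 13.0.4 is unrelated to the title and should be called out in the PR description or split into its own commit.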
The package `Microsoft.AspNetCore.Http` version 2.3.0 is severely outdated for a .NET 8.0 project and may contain security vulnerabilities. This version is from the .NET Core 2.x era (circa 2018), while the project targets .NET 8.0. The test project uses `Microsoft.AspNetCore.TestHost` version 8.0.11, indicating that modern ASP.NET Core 8.x packages should be used instead.

Recommendation: Update to `Microsoft.AspNetCore.Http` version 8.0.x (e.g., 8.0.11) to match the target framework and ensure security patches are applied. Additionally, the PR title mentions a vulnerability in `Microsoft.AspNetCore.Server.Kestrel.Core`, but this change adds `Microsoft.AspNetCore.Http` instead. Please verify that this addresses the actual vulnerability or if `Microsoft.AspNetCore.Server.Kestrel.Core` also needs to be referenced with an updated version.