Add .NET Standard 2.0 target to SimpleInjector.Packaging #964
Comments
Upgrading the reference to .NET Standard 2.0 is a breaking change, which is why I won't fix this. For more details about the reasoning for not updating, please read this.
Hi Steven, Thank you for your quick and clear response. I fixed my code the same way, by directly referencing a newer package, as you also suggested in your Stack Overflow reply. I understand you don't want to introduce a breaking change by upgrading from netstandard1.3 to netstandard2.0. Do you also consider adding netstandard2.0 as an extra target alongside netstandard1.3 a breaking change? I'm asking this because this is suggested in the Microsoft guidelines about targeting. Just curious how you look at this. Thanks
No, that should not be breaking, and that's certainly an option. That doesn't change things from a security perspective because, as I explained on Stack Overflow, in the end it's up to the application developer to manage the packages, as otherwise package owners would be forced into updating their packages constantly, which would cause a new set of issues. But considering the Microsoft guidance on .NET Standard 1.x, it would be a good idea to add a .NET Standard 2.0 target.
I reopened this issue and updated the title to reflect this. Will try to add this to the next minor release.
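What "adding netstandard2.0 as an extra target alongside the existing ones" looks like in an SDK-style project file. This is an added illustration, not SimpleInjector.Packaging's own project file: the target list follows the NuGet page as described in the issue (net45 and netstandard1.0), and the SimpleInjector dependency version is assumed for the example.

```xml
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <!-- Hypothetical project file for a package in the position of SimpleInjector.Packaging.
         The existing targets stay, so consumers that currently resolve net45 or netstandard1.0
         assets see no change (not breaking). netstandard2.0 is added alongside them.
         NuGet selects the nearest compatible target, so a net6.0 application now receives the
         netstandard2.0 asset; the SDK's implicit NETStandard.Library 2.0.3 reference for that
         target does not drag in System.Net.Http 4.1.0 the way NETStandard.Library 1.6.0 does. -->
    <TargetFrameworks>net45;netstandard1.0;netstandard2.0</TargetFrameworks>
    <PackageId>SimpleInjector.Packaging</PackageId>
  </PropertyGroup>

  <ItemGroup>
    <!-- Version is an assumption made for this example. -->
    <PackageReference Include="SimpleInjector" Version="5.0.0" />
  </ItemGroup>
</Project>
```

Caveat, matching the maintainer's point above: a consumer that itself targets netstandard1.x keeps resolving the netstandard1.0 asset and its old dependency graph, so adding the target helps newer applications without forcing anything on older ones; the application that still wants the netstandard1.0 asset has to manage its own transitive versions.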
As of today, I noticed a security warning using the "SimpleInjector.Packaging" Version="5.0.0" package in a net6.0 project.
Message:
Transitive dependency System.Net.Http 4.1.0 contains vulnerabilities according to Checkmarx
NuGet also mentions a security risk (see https://www.nuget.org/packages/System.Net.Http/4.1.0).
Message:
This package has at least one vulnerability with high severity. It may lead to specific problems in your project. Try updating the package version.
When investigating, I notice the following dependencies:
SimpleInjector.Packaging 5.0.0 -> NETStandard.Library 1.6.0 -> System.Net.Http 4.1.0
The SimpleInjector.Packaging page at NuGet shows me that only .NET Framework 4.5 and netstandard1.0 are targeted, and netstandard1.0 is the reason for this transitive dependency.
Directly referencing a newer version of NETStandard.Library (i.e. Version="2.0.3") would probably solve this matter, but I think this should also be addressed in the source package, which in this case is SimpleInjector.Packaging.
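The consumer-side workaround described in the issue, as an added example that is not part of the original report. It assumes an SDK-style net6.0 application project; the SimpleInjector.Packaging and NETStandard.Library versions are the ones named in the issue, and the audit settings at the bottom are an added check that needs the .NET 8 SDK or later (the SDK can still build a net6.0 target).

```xml
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>

    <!-- Added check (requires .NET 8 SDK or later): restore audits every resolved package
         against the feed's vulnerability database. NuGetAuditMode=all covers transitive
         packages, which is exactly where System.Net.Http 4.1.0 shows up; treating the
         NU1901-NU1904 audit warnings as errors makes the build fail instead of warn. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Brings NETStandard.Library 1.6.0 -> System.Net.Http 4.1.0 transitively. -->
    <PackageReference Include="SimpleInjector.Packaging" Version="5.0.0" />

    <!-- Direct reference to the newer version, as suggested in the issue. NuGet's
         nearest-wins rule gives a direct reference precedence over the transitive
         1.6.0 request, so NETStandard.Library resolves to 2.0.3 and its (empty, for
         this target) dependency set replaces the 1.6.0 graph, removing System.Net.Http 4.1.0. -->
    <PackageReference Include="NETStandard.Library" Version="2.0.3" />
  </ItemGroup>
</Project>
```

To confirm the override took effect without a third-party scanner, run `dotnet list package --include-transitive` and check that System.Net.Http 4.1.0 no longer appears in the resolved graph; `dotnet list package --vulnerable --include-transitive` reports any remaining transitive package with a known advisory. Pinning a direct reference this way is a per-application decision that has to be revisited when the application moves to a new target or when the upstream package finally ships a netstandard2.0 asset, which is the trade-off the maintainer describes above.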