fix: Address vulnerable dependencies #135

Closed
rogerbarreto wants to merge 6 commits into googleapis:main from rogerbarreto:address-vulnerabilities

@rogerbarreto
Contributor

Motivation

Address current vulnerable dependent packages.

D:\repo\community\google-dotnet-genai\Google.GenAI [main+22 ~0 -0 !]> dotnet package list --vulnerable --include-transitive
Restore succeeded with 2 warning(s) in 0.5s
    D:\repo\community\google-dotnet-genai\Google.GenAI\Google.GenAI.csproj : warning NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-8g4q-xg66-9fp4
    D:\repo\community\google-dotnet-genai\Google.GenAI\Google.GenAI.csproj : warning NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w

Build succeeded with 2 warning(s) in 0.6s

The following sources were used:
   https://api.nuget.org/v3/index.json
   C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\

Project `Google.GenAI` has the following vulnerable packages
   [netstandard2.1]:
   Top-level Package       Requested   Resolved   Severity   Advisory URL
   > System.Text.Json      8.0.0       8.0.0      High       https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
                                                  High       https://github.com/advisories/GHSA-8g4q-xg66-9fp4

   Transitive Package         Resolved   Severity   Advisory URL
   > System.Net.Security      4.3.0      Moderate   https://github.com/advisories/GHSA-ch6p-4jcm-h8vh
                                         High       https://github.com/advisories/GHSA-6xh7-4v2w-36q6
                                         High       https://github.com/advisories/GHSA-qhqf-ghgh-x2m4
                                         Moderate   https://github.com/advisories/GHSA-j8f4-2w4p-mhjc

   [net8.0]:
   Transitive Package         Resolved   Severity   Advisory URL
   > System.Net.Security      4.3.0      Moderate   https://github.com/advisories/GHSA-ch6p-4jcm-h8vh
                                         High       https://github.com/advisories/GHSA-6xh7-4v2w-36q6
                                         High       https://github.com/advisories/GHSA-qhqf-ghgh-x2m4
                                         Moderate   https://github.com/advisories/GHSA-j8f4-2w4p-mhjc

@rogerbarreto changed the title from "Address vulnerable dependencies" to "fix: Address vulnerable dependencies" on Dec 4, 2025
Comment thread Google.GenAI/Google.GenAI.csproj Outdated
Comment thread Directory.Packages.props Outdated
@rogerbarreto
Contributor Author

Closing this PR as this was addressed by the merged one.
