NuGet package vulnerability in managed reference

I keep getting a warning that Azure.Identity 1.7.0 has security vulnerabilities but I never directly reference this or any other NuGet package. The only thing I'm doing is adding an EF Core connection. When I look at the assembly resolution log Azure.Identity shows up under the Managed references section.

Is it possible to specify what package the LinqPad EF Core driver references here?

Comments

  • EntityFrameworkCore.SqlServer depends on Azure.Identity via Microsoft.Data.SqlClient. You can see this in the reverse dependency graph.

    You can work around this warning by adding a reference to the latest Azure.Identity package, although you will need to do this separately in each query. Another workaround is to add this package to My Extensions - this will force (at least) the version you reference to be referenced by all queries. Yet another option is to suppress the warning in LINQPad preferences.

    In terms of a permanent fix, you'll need to wait until Microsoft updates Microsoft.Data.SqlClient to use a newer version of Azure.Identity.

    In terms of risk, it doesn't appear to be relevant if you're using Windows Authentication or SQL Authentication, although I've not looked at the advisory in great detail.

  • Should we do the same thing when a connection adds an old version of EntityFrameworkCore? There is a vulnerability alert for EFCore 8.0.8, but it is also listed as the latest recommended, even though 8.0.11 is out?