NuGet package vulnerability in managed reference

I keep getting a warning that Azure.Identity 1.7.0 has security vulnerabilities, but I never directly reference this or any other NuGet package. The only thing I'm doing is adding an EF Core connection. When I look at the assembly resolution log, Azure.Identity shows up under the Managed references section.

Is it possible to specify what package the LINQPad EF Core driver references here?

Comments

    EntityFrameworkCore.SqlServer depends on Azure.Identity via Microsoft.Data.SqlClient. You can see this in the reverse dependency graph.

    You can work around this warning by adding a reference to the latest Azure.Identity package, although you will need to do this separately in each query. Another workaround is to add this package to My Extensions - this will force (at least) the version you reference to be referenced by all queries. Yet another option is to suppress the warning in LINQPad preferences.

    In terms of a permanent fix, you'll need to wait until Microsoft updates Microsoft.Data.SqlClient to use a newer version of Azure.Identity.

    In terms of risk, it doesn't appear to be relevant if you're using Windows Authentication or SQL Authentication, although I've not looked at the advisory in great detail.
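The reverse-dependency lookup mentioned in the reply above can be reproduced from package metadata. The following is an added example, not part of the original thread or LINQPad's own code: it parses `.nuspec` documents and lists every chain from a top-level package to a flagged one. The function names are hypothetical and the sample metadata is constructed; only the Azure.Identity 1.7.0 version comes from the thread.

```python
import xml.etree.ElementTree as ET

NS = 'xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd"'

def nuspec(pkg_id, version, deps):
    """Build a constructed .nuspec document (sample input, not real package metadata)."""
    rows = "".join(f'<dependency id="{d}" version="{v}" />' for d, v in deps)
    return (f"<package {NS}><metadata><id>{pkg_id}</id><version>{version}</version>"
            f'<dependencies><group targetFramework="net6.0">{rows}</group>'
            "</dependencies></metadata></package>")

# Constructed sample: only Azure.Identity 1.7.0 comes from the thread; every other
# version is a placeholder.
SAMPLE_NUSPECS = [
    nuspec("Microsoft.EntityFrameworkCore.SqlServer", "0.0.0-sample",
           [("Microsoft.Data.SqlClient", "0.0.0-sample"),
            ("Microsoft.EntityFrameworkCore.Relational", "0.0.0-sample")]),
    nuspec("Microsoft.Data.SqlClient", "0.0.0-sample",
           [("Azure.Identity", "1.7.0"), ("Microsoft.Identity.Client", "0.0.0-sample")]),
    nuspec("Azure.Identity", "1.7.0", [("Azure.Core", "0.0.0-sample")]),
]

def parse_nuspec(xml_text):
    """Return (package id, {dependency id: declared version range})."""
    pkg_id, deps = None, {}
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]          # drop the XML namespace prefix
        if name == "id" and pkg_id is None:
            pkg_id = el.text.strip()
        elif name == "dependency":
            deps[el.get("id")] = el.get("version")
    return pkg_id, deps

def build_graph(nuspecs):
    """Map lower-cased package id -> its declared dependencies."""
    return {pid.lower(): deps for pid, deps in map(parse_nuspec, nuspecs)}

def paths_to(graph, root, target, trail=None):
    """Every dependency chain from root to target (NuGet ids are case-insensitive)."""
    trail = (trail or []) + [root]
    if root.lower() == target.lower():
        return [trail]
    found = []
    for dep in graph.get(root.lower(), {}):
        if dep.lower() not in [p.lower() for p in trail]:   # guard against cycles
            found += paths_to(graph, dep, target, trail)
    return found

def declared_version(graph, path):
    """Version range the parent package declares for the last package in the chain."""
    return graph[path[-2].lower()][path[-1]]
```

To use it on real packages, pass the text of the `.nuspec` files from the package cache to `build_graph` instead of `SAMPLE_NUSPECS`.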