Microsoft.ApplicationInsights.Log4NetAppender dependency has known CVE #2149
Description
- List of NuGet packages and version that you are using: https://www.nuget.org/packages/Microsoft.ApplicationInsights.Log4NetAppender/2.16.0
- Runtime version (e.g. net461, net48, netcoreapp2.1, netcoreapp3.1, etc. You can find this information from the *.csproj file): All
- Hosting environment (e.g. Azure Web App, App Service on Linux, Windows, Ubuntu, etc.): All
What are you trying to achieve?
Basically a question of should upstream packages continue to take dependencies on library versions with known failures/CVEs.
Log4NetAppender takes a dependency on log4net >= 2.0.8, which has a known vulnerability, CVE-2018-1285; this was reported by a build scanner as part of my CI build.
General principle says that libraries should take dependencies on the earliest version that works for them and not constrain the upper bounds unless absolutely necessary, but in this case I am now forced to modify all of my projects to have an explicit reference rather than relying on the transitive reference from a library.
So, should official MS components still take earlier references when they could move to the later one without the vulnerability? I can see arguments both ways, but thought I'd raise the question.
What have you tried so far?
Taking the explicit reference to the later package
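The workaround the reporter describes, pinning log4net with an explicit top-level reference so it overrides the transitive `>= 2.0.8` floor, looks like the following in a project file. This is an added illustration, not code from the issue or from the Application Insights project. The target framework (`net48`), the project name and the `LOG4NET_FIXED_VERSION` placeholder are assumptions; the placeholder stands for the first log4net release the CVE-2018-1285 advisory lists as fixed, which the issue does not state. The `NuGetAudit*` properties are an additional check, not part of the reporter's workaround; they need a NuGet version that supports package auditing (NuGet 6.8 / .NET 8 SDK or later), which is also an assumption about the build environment.

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Assumed target framework; the issue says "All". -->
    <TargetFramework>net48</TargetFramework>
    <OutputType>Exe</OutputType>

    <!-- Added check (assumes NuGet 6.8 / .NET 8 SDK or newer):
         have restore report known-vulnerable packages, including
         transitive ones, instead of relying only on an external scanner. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>low</NuGetAuditLevel>
  </PropertyGroup>

  <ItemGroup>
    <!-- Package from the issue. On its own it pulls in log4net via the
         transitive ">= 2.0.8" dependency, and NuGet resolves the lowest
         version that satisfies that range, i.e. the vulnerable 2.0.8. -->
    <PackageReference Include="Microsoft.ApplicationInsights.Log4NetAppender"
                      Version="2.16.0" />

    <!-- The reporter's workaround: an explicit top-level reference.
         A direct reference is "nearer" in the dependency graph than the
         transitive one, so it wins and lifts the resolved log4net version
         above the vulnerable floor. LOG4NET_FIXED_VERSION is a placeholder;
         replace it with the fixed release named in the advisory. -->
    <PackageReference Include="log4net" Version="LOG4NET_FIXED_VERSION" />
  </ItemGroup>

</Project>
```

After restore, `dotnet list package --include-transitive` should show log4net as a top-level package at the pinned version rather than as a transitive 2.0.8, and `dotnet list package --vulnerable --include-transitive` should no longer list it. Note that this has to be repeated in every project that references the appender, which is exactly the maintenance burden the issue raises.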