Bump MongoDB.Driver from 2.13.1 to 2.15.0 and Microsoft.AspNetCore.Http from 2.1.0 to 2.2.0#608
| # inputs: | ||
| # targetPath: bld/bin/AnyCPU_Debug/Tests.Security/netcoreapp3.1/ | ||
| # artifactName: Tests.Security | ||
| - task: ComponentGovernanceComponentDetection@0 No newline at end of file |
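Review bot: the new `- task: ComponentGovernanceComponentDetection@0` line is committed without a trailing newline (the hunk shows "No newline at end of file"); add the newline so the next edit to this pipeline file does not show up as a spurious change to this line.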
| <PackageReference Include="GoogleApi" Version="4.0.4" /> | ||
| <PackageReference Include="Microsoft.Security.Utilities" Version="1.1.0" /> | ||
| <PackageReference Include="MongoDB.Driver" Version="2.13.1" /> | ||
| <PackageReference Include="MongoDB.Driver" Version="2.15.0" /> |
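Review bot: this moves MongoDB.Driver two minor versions in one step (2.13.1 to 2.15.0), and the thread notes the MongoDB validator that consumes this driver is currently disabled, so the end-to-end test may not exercise 2.15.0 at runtime; the PR description should state how the upgraded driver was validated.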
| <None Remove="Properties\PublishProfiles\**" /> | ||
| </ItemGroup> | ||
| <ItemGroup> | ||
| <PackageReference Include="Microsoft.AspNetCore.Http" Version="2.2.2" /> |
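Review bot: the version pinned here (2.2.2) does not match the PR title and the ReleaseHistory entry, which both say Microsoft.AspNetCore.Http moves to 2.2.0; make the title, release notes and csproj agree on the version actually shipped. Also, because this package was previously only a transitive reference via Microsoft.NET.Sdk.Functions, a short comment beside `<PackageReference Include="Microsoft.AspNetCore.Http" Version="2.2.2" />` saying it exists to override the vulnerable transitive 2.1.0 would stop a later cleanup from removing it as an unused direct dependency.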
2.2.2 contains a fix for the vulnerability found in 2.1.0:
https://access.redhat.com/security/cve/CVE-2020-1045
There are no release notes for the PR, which is customer impacting, potentially, because runtime components are changing.
Just updated and added some detail in the description.
|
|
||
| ## Unreleased | ||
|
|
||
| - Bump MongoDB.Driver from 2.13.2 to 2.14.0 and Microsoft.AspNetCore.Http from 2.1.0 to 2.2.0. [#608](https://github.com/microsoft/sarif-pattern-matcher/pull/608) |
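Review bot: the version range in this entry (2.13.2 to 2.14.0) matches neither the csproj change in this PR, which moves MongoDB.Driver from 2.13.1 to 2.15.0, nor the PR title; correct the entry so the release history records the versions actually shipped.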
Fixed.
I mistakenly used the version of ElfSharp (it was in my head).
|
|
||
| ## Unreleased | ||
|
|
||
| - Bump MongoDB.Driver from 2.13.1 to 2.15.0 and Microsoft.AspNetCore.Http from 2.1.0 to 2.2.0. [#608](https://github.com/microsoft/sarif-pattern-matcher/pull/608) |
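Review bot: this entry says Microsoft.AspNetCore.Http moves to 2.2.0, while the csproj in this PR pins 2.2.2 (the version the thread identifies as carrying the CVE-2020-1045 fix); record the exact pinned version here so a consumer reading the release history can confirm which build they are on.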
For the MongoDB package, we have an end-to-end test.
For the HTTP package, it's the Azure function. I was able to run and debug.
Actually, our MongoDB validator is disabled due to not being signed. So, we won't face any impact.
|
|
||
| ## Unreleased | ||
|
|
||
| - Bump MongoDB.Driver from 2.13.1 to 2.15.0 and Microsoft.AspNetCore.Http from 2.1.0 to 2.2.0. [#608](https://github.com/microsoft/sarif-pattern-matcher/pull/608) |
Should the CVEs be linked here? I notice almost all release line items are very factual and explain just the change and not the rationale as to why. If that is intended, I suppose CVEs don't need to be historically captured here.
In one of my first iterations I had added them, then I removed them to simplify and added this to the PR.
The rationale: you as a customer who is using it will only see the release notes if you face a problem. For things like vulnerabilities, I think you wouldn't come, so that's why I omitted them in the end.
Changes
This change will fix the following issues:
As you can see, you cannot see Microsoft.AspNetCore.Http version 2.1.0 in the changes because it is a reference from the package Microsoft.NET.Sdk.Functions -> Microsoft.Azure.WebJobs.Extensions.Http -> Microsoft.AspNetCore.Http.
For significant contributions please make sure you have completed the following items:
ReleaseHistory.md updated for non-trivial changes