Update Microsoft.CodeAnalysis version to 4.10 #34116
Thanks @halter73. This causes some analyzer-related test failures:
Any idea what these are about?
Also, just noting that switching to version 4.10 requires using Visual Studio 2022 version 17.10 (which shouldn't be a problem, see version docs).
I think
We decided not to take this change in 9.0, see #33970
This should help avoid warnings due to the transitive System.Drawing.Common 4.7.0 dependency that has a "critical" CVE for an RCE vulnerability. GHSA-rxg9-xrhp-64gj. Right now, System.Drawing.Common is transitively referenced via Microsoft.CodeAnalysis.Workspaces.MSBuild 4.8.0 -> Microsoft.Build.Framework 16.10.0 -> System.Security.Permissions 4.7.0 -> System.Windows.Extensions 4.7.0 -> System.Drawing.Common 4.7.0. I think updating the Microsoft.CodeAnalysis.Workspaces.MSBuild dependency from 4.8.0 to 4.10.0 should remove the transitive System.Drawing.Common dependency entirely.
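The chain in the description above can be recovered mechanically from NuGet's restore output. The following is an added example, not code from this PR or from the EF Core repository: it walks a constructed fragment shaped like `obj/project.assets.json` and reports every path from a direct reference to a flagged package. The `net8.0` target name and the `Example.Unrelated` package are assumptions made for the sample.

```python
import json

# Constructed fragment shaped like NuGet's obj/project.assets.json. The versions
# are the ones quoted in the PR description; "net8.0" and Example.Unrelated are
# assumptions made for this example.
ASSETS = json.loads("""
{
  "targets": {"net8.0": {
    "Microsoft.CodeAnalysis.Workspaces.MSBuild/4.8.0":
      {"dependencies": {"Microsoft.Build.Framework": "16.10.0"}},
    "Microsoft.Build.Framework/16.10.0":
      {"dependencies": {"System.Security.Permissions": "4.7.0"}},
    "System.Security.Permissions/4.7.0":
      {"dependencies": {"System.Windows.Extensions": "4.7.0"}},
    "System.Windows.Extensions/4.7.0":
      {"dependencies": {"System.Drawing.Common": "4.7.0"}},
    "System.Drawing.Common/4.7.0": {},
    "Example.Unrelated/1.0.0": {}
  }},
  "projectFileDependencyGroups": {"net8.0": [
    "Microsoft.CodeAnalysis.Workspaces.MSBuild >= 4.8.0",
    "Example.Unrelated >= 1.0.0"
  ]}
}
""")


def paths_to(assets, framework, package):
    """Return every chain from a direct reference down to `package`."""
    graph = {}  # lower-cased id -> ("Id version", [lower-cased dependency ids])
    for key, entry in assets["targets"][framework].items():
        name, _, version = key.partition("/")
        deps = [d.lower() for d in entry.get("dependencies", {})]
        graph[name.lower()] = (f"{name} {version}", deps)

    roots = [r.split()[0].lower()
             for r in assets["projectFileDependencyGroups"][framework]]
    found, stack = [], [[r] for r in roots if r in graph]
    while stack:
        path = stack.pop()
        if path[-1] == package.lower():
            found.append([graph[p][0] for p in path])
            continue
        for dep in graph[path[-1]][1]:
            if dep in graph and dep not in path:  # skip unresolved ids and cycles
                stack.append(path + [dep])
    return found


if __name__ == "__main__":
    for chain in paths_to(ASSETS, "net8.0", "System.Drawing.Common"):
        print(" -> ".join(chain))
```

Run against a real `project.assets.json` after `dotnet restore`, an empty result for the flagged package means no direct reference pulls it in for that target framework.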
The test errors after upgrading to 4.10.0 are already tracked by dotnet/roslyn-sdk#1175
Noting that the CVE here against the transitive dependency of Microsoft.CodeAnalysis 4.8.0 isn't relevant, as it's a private asset of our Microsoft.Analyzers package. I'll go ahead and close this for now, and we can revisit for EF 10 whenever we need to upgrade the package for whatever reason.