Fix Microsoft.Identity.Client documentation security issue #3370
Conversation
@Arkatufus redacted the squatting uri, but otherwise LGTM
| <PackageReference Include="Akka.Hosting" Version="$(AkkaHostingVersion)" /> | ||
| <PackageReference Include="Akka.Cluster.Hosting" Version="$(AkkaHostingVersion)" /> | ||
| <PackageReference Include="Azure.Identity" Version="$(AzureIdentityVersion)" /> | ||
| <PackageReference Include="Microsoft.Identity.Client" Version="$(MicrosoftIdentityVersion)" /> |
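Review bot: the explicit Microsoft.Identity.Client reference on the last line sits directly under Azure.Identity, which already brings that package in as a transitive dependency, so this line is a version pin rather than a new dependency and should say so. Add an XML comment next to it recording why the pin exists and that it can be dropped once the referenced Azure.Identity version carries the fixed Microsoft.Identity.Client itself, otherwise the pin will outlive its reason and hold the package back on later Azure.Identity upgrades.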
Indentation is incorrect here. And https://www.nuget.org/packages/Akka.Management/1.5.45.1#dependencies-body-tab doesn't show it depends on Microsoft.Identity.Client at all?
It's only the Akka.Coordination.Azure and Akka.Discovery.Azure packages that need it. Core Akka.Management et al don't depend on it.
But yeah we should format and fix the indentation - happy to accept a PR if you'd like ;)
Maybe update to the newly released Azure.Identity 1.14.2 https://github.com/Azure/azure-sdk-for-net/releases/tag/Azure.Identity_1.14.2 and remove the package reference for Microsoft.Identity.Client instead? Or are there concerns with taking a dependency on 1.14.2 at this time?
Nah, that would be my preference - we only added the explicit dependency on Microsoft.Identity.Client because the updated Azure.Identity package wasn't available yet.
So yes, removing the explicit reference and just updating Azure.Identity is the way to go IMHO
Created a PR in the meantime for just the indentation fix #3372
Ah just saw your comment, I'll close that PR and open a new one
It was added to handle reported security vulnerability akkadotnet#3370. Azure.Identity has since been patched so we bump that instead per https://github.com/akkadotnet/Akka.Management/pull/3370/files#r2201789201
* Bump Azure.Identity to 1.14.2
* Remove top level Microsoft.Identity.Client dependency
  It was added to handle reported security vulnerability #3370. Azure.Identity has since been patched so we bump that instead per https://github.com/akkadotnet/Akka.Management/pull/3370/files#r2201789201
* Fix indentation issues
* Remove top level Microsoft.Identity.Client dependency
  It was added to handle reported security vulnerability #3370. Azure.Identity has since been patched so we bump that instead per https://github.com/akkadotnet/Akka.Management/pull/3370/files#r2201789201
Changes
Apparently, the typo URL is being typosquatted by a phishing site and is a security risk.