Is this possible to depend on a safer version of Google.Protobuf NuGet package? #204
Comments
@dungpa We don't really support this client anymore, but if you make a PR with a fix we probably can merge it.
Currently STAN.Client NuGet package uses Google.Protobuf version 3.13.0 which contains security vulnerabilities. See e.g.:

It's possible for the downstream systems to pin to a newer version and apply binding redirects. But it is not ideal for STAN.Client to depend on a compromised version of a popular dependency.

Is this possible to publish a new version of STAN.Client that uses Google.Protobuf 3.15.0 or newer (as suggested by the security advisory above)?
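
An added example, not part of the issue or of STAN.Client's own code: a downstream check that the pin mentioned above actually took effect, reading a NuGet packages.lock.json and reporting every target framework where Google.Protobuf still resolves below 3.15.0, together with the packages that pull it in. The sample lock file, the net6.0 framework and the STAN.Client version string are constructed placeholders.

```python
import json

FLOOR = (3, 15, 0)  # minimum Google.Protobuf version asked for in the issue

# Constructed sample in packages.lock.json layout; the STAN.Client version is a placeholder.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net6.0": {
            "STAN.Client": {
                "type": "Direct", "resolved": "0.0.0-placeholder",
                "dependencies": {"Google.Protobuf": "3.13.0"},
            },
            "Google.Protobuf": {"type": "Transitive", "resolved": "3.13.0"},
        }
    },
})


def parse_version(text):
    """Turn '3.13.0' into (3, 13, 0); prerelease and build suffixes are ignored."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def audit(lock_text, package="Google.Protobuf", floor=FLOOR):
    """Return one finding per target framework where `package` resolves below `floor`."""
    findings = []
    wanted = package.lower()  # NuGet package ids are case-insensitive
    for framework, deps in json.loads(lock_text).get("dependencies", {}).items():
        entry = next((v for k, v in deps.items() if k.lower() == wanted), None)
        if entry is None or parse_version(entry["resolved"]) >= floor:
            continue
        parents = sorted(
            name for name, info in deps.items()
            if any(d.lower() == wanted for d in info.get("dependencies", {}))
        )
        findings.append({"framework": framework, "resolved": entry["resolved"],
                         "type": entry.get("type"), "pulled_in_by": parents})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOCK):
        print(finding)
```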