[Bug] dependency System.Security.SecureString 4.3.0 reporting transient dependency vulnerabilities #4900
Milestone
Comments
mikegoatly
added
needs attention
bgavrilMS
added
bug
confidential-client
and removed
untriaged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Library version used
4.63.0
.NET version
Compiling against 9.0.100-preview.7.24407.12
Scenario
PublicClient - desktop app
Is this a new or an existing app?
This is a new app or experiment
Issue description and reproduction steps
Nuget audit in .NET 9 has changed the default NuGetAuditMode from “direct” to “all” (Related article). This means that using the the .NET 9 SDK to build existing software is starting to highlight transient dependencies that have known vulnerabilities.
This has highlighted the use of
System.Security.SecureStringas it takes a transient dependency onSystem.Private.Uriv4.3.0:This only becomes a problem when trying to use MSAL against an Android or iOS target:
To reproduce this, create an application that targets Android or iOS and use the .NET 9 preview SDK to build your application.
Are there any plans to remove this dependency, or otherwise mitigate this?
Relevant code snippets
-Expected behavior
It should be possible to use MSAL with Android and iOS with the .NET 9 SDK without any warnings or errors.
Identity provider
Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)
Regression
No response
Solution and workarounds
No response
The text was updated successfully, but these errors were encountered: