
Updated package versions to eliminate vulnerable and deprecated transitive dependencies #976

Merged
merged 29 commits into from
Oct 21, 2024

Conversation

NightOwl888
Contributor

  • You've read the Contributor Guide and Code of Conduct.
  • You've included unit or integration tests for your change, where applicable.
  • You've included inline docs for your change, where applicable.
  • There's an open issue for the PR that you are making. If you'd like to propose a change, please open an issue to discuss the change or find an existing issue.

Summary of the changes (Less than 80 chars)

Updated package versions to eliminate vulnerable and deprecated transitive dependencies.

Description

  • Reviewed and upgraded older packages that have been deprecated and/or have vulnerable dependencies.
  • Bumped J2N to 2.1.0
  • Bumped ICU4N to 60.1.0-alpha.435 and did minimal integration with the new APIs

…dependencies on ICU4N.Collation, ICU4N.CurrencyData, ICU4N.LanguageData, ICU4N.RegionData, and ICU4N.Transliterator because these have all been merged into the main assembly. Did minimal integration to fix compile errors.
…dependency on System.Text.Json, since it was only used to pin the version
…kages on net6.0 and 8.0.0 for Microsoft.Extensions packages on net8.0
…System.Runtime.CompilerServices.Unsafe as it was only used to pin the version
… on net8.0. Only use 6.0.1 on net6.0 because lucene-cli is the only consumer. 6.0.0 has a vulnerability, so we must pin the version since we own the distribution.
…Services.RuntimeInformation and reference to System.Net.Http in net462
…cene.Net.CodeAnalysis.CSharp and Lucene.Net.CodeAnalysis.VisualBasic to ensure it is built prior to Lucene.Net
…asic): Added package references on System.Net.Http and System.Text.RegularExpressions
… dependencies NETStandardLibrary 1.6.1, System.Net.Http 4.3.4, and System.Text.RegularExpressions 4.3.1 because they have vulnerabilities.
…soft.Extensions.Configuration 8.x. In Lucene.Net.TestFramework and lucene-cli, we must reference Microsoft.Extensions.Configuration.Json 8.0.1 to avoid pulling in vulnerable transitive dependencies.
…ction.Abstractions to 8.0.0 and Microsoft.Extensions.DependencyInjection to 8.0.1 to be consistent with Microsoft.Extensions.Configuration
…ons to 2.1.1 because 2.0.0 has been deprecated
…1.1 on .NET Framework and 8.0.0 on other target frameworks
…ependency on System.Text.Encodings.Web to upgrade the version, since the version referenced by Microsoft.AspNetCore.Http.Abstractions is vulnerable and there is no upgrade.
…tCore.TestHost for the test target framework
…t472, added references to Microsoft.AspNetCore.Http and System.IO.Pipelines because the versions that Microsoft.AspNetCore.TestHost 2.1.1 references are vulnerable
…nce to System.Text.Json because the version that IKVM references transitively is vulnerable and we are blocked from upgrading IKVM due to disk space limitations on Azure DevOps.
…Xml to 8.0.1 to avoid bringing in a vulnerable version of System.Formats.Asn1 by default.
…nstraint so we cannot depend on 3.x or higher (since it will break binary compatibility)
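As an added illustration of the pattern the commits above describe (constructed here, not a file from the Lucene.NET repository): a project-file excerpt that references a package only to lift a vulnerable transitive version, conditions that pin on the target framework, and bounds another reference below 3.x so consumers of the published package cannot resolve a binary-incompatible major version. The Microsoft.Extensions.Configuration.Json 8.0.1 pin comes from the commit messages; Example.Package is an assumed placeholder name.

```xml
<!-- Constructed example of transitive-dependency pinning; not lucenenet's own project file. -->
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFrameworks>net8.0;net6.0;net472</TargetFrameworks>
  </PropertyGroup>

  <!-- A direct reference whose only job is to override the vulnerable version that
       Microsoft.Extensions.Configuration 8.x would otherwise pull in transitively.
       NuGet resolves the nearest (direct) reference first, so 8.0.1 wins. -->
  <ItemGroup Condition="'$(TargetFramework)' == 'net8.0'">
    <PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="8.0.1" />
  </ItemGroup>

  <!-- An upper-bounded version range. The range is copied into the published nuspec,
       so downstream restores can never pick 3.x, which would break binary compatibility.
       Example.Package and the range are placeholders; the page names neither. -->
  <ItemGroup>
    <PackageReference Include="Example.Package" Version="[2.1.1,3.0.0)" />
  </ItemGroup>
</Project>
```

After restoring, `dotnet list package --vulnerable --include-transitive` lists any vulnerable package still reachable through the graph, which is how a pin like the ones above is checked rather than assumed.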
@NightOwl888 NightOwl888 requested a review from paulirwin October 20, 2024 18:47
@paulirwin paulirwin merged commit 2373399 into apache:master Oct 21, 2024
199 checks passed