add vuln check in pipeline and resolve package warnings #2691
base: v2.x
@@ -49,7 +49,7 @@ | |||
<Compile Include="**/*.cs" Exclude="Auth/*.cs;Correlation/*.cs;**/obj/**/*.cs" /> | |||
<!-- Don't increase below versions without significantly testing on Functions V1! | |||
Increasing these versions increments some dependencies that have binding redirects in Functions V1. --> | |||
<PackageReference Include="Azure.Identity" Version="1.1.1" /> | |||
<PackageReference Include="Azure.Identity" Version="1.10.2" /> |
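Review bot: The in-file comment directly above this line warns against increasing these versions without significant testing on Functions V1, yet the hunk moves Azure.Identity from 1.1.1 to 1.10.2 and leaves that comment untouched. Either revise the comment to record the version now verified on Functions V1, or state in the PR which Functions V1 tests were run, and confirm that the dependencies 1.10.2 brings in do not require binding redirects beyond those the comment already refers to.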
The comment above about not increasing versions here makes me worry this might not be a safe update ^. However the Functions V1 tests pass and so does a manual local test.
Given this, that Functions V1 is close to EOL, and that DF is not an auto-upgrading component of Functions V1 (not bundles), I'm not too worried about this change.
Since Functions V1 is not EOL yet, let's make sure we at least smoke test this with Functions V1 to confirm whether or not it's a breaking change.
Something to consider: if we just update to the .NET 8 SDK, the build will report vulnerabilities itself.
Would that be sufficient for us?
Added a step in our pipeline to scan for actionable vulnerabilities in our dependencies (i.e. vulnerabilities fixed in a new release of the package) and block the PR if any are found.
Also updated our Azure.Identity dependency to respond to one such warning. Also updated one of our sample dependencies on Newtonsoft.JSON for the same reason.
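As an added example (not code from this PR or the project), a shell gate of the kind the description refers to: it assumes the scan is `dotnet list package --vulnerable --include-transitive`, that the report uses the row layout shown in the constructed sample, and the severity threshold, project name, package names and advisory URLs are assumptions or placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the PR: fail a CI job when
# `dotnet list package --vulnerable --include-transitive` reports an advisory
# at or above a chosen severity. Package names, versions and advisory URLs in
# the sample report below are constructed placeholders.
set -eu
# Without pipefail a failed `dotnet` invocation would look like "no findings".
(set -o pipefail) 2>/dev/null && set -o pipefail

# Reads the report on stdin. Finding rows start with ">"; the severity is the
# second-to-last column and the resolved version the third-to-last, which
# holds for both the top-level and the transitive tables.
# Prints "<package> <resolved> <severity> <advisory>" per blocking row and
# returns 1 when at least one row meets the threshold (default: Moderate).
blocking_vulns() {
  awk -v min_name="${1:-Moderate}" '
    function rank(s) {
      if (s == "Low") return 1
      if (s == "Moderate") return 2
      if (s == "High") return 3
      if (s == "Critical") return 4
      return 0
    }
    BEGIN { min = rank(min_name); hits = 0 }
    $1 == ">" && rank($(NF-1)) >= min { hits++; print $2, $(NF-2), $(NF-1), $NF }
    END { exit (hits > 0) ? 1 : 0 }
  '
}

# Run the real scan against a project or solution file and block on findings.
check_project() {
  dotnet list "$1" package --vulnerable --include-transitive | blocking_vulns "${2:-Moderate}"
}

# Constructed sample of the tool's report format, used for a local dry run.
SAMPLE_REPORT='Project `ExampleProject` has the following vulnerable packages
   [netcoreapp3.1]:
   Top-level Package          Requested   Resolved   Severity   Advisory URL
   > Example.TopLevel.Package 1.1.1       1.1.1      Moderate   https://example.invalid/advisory/PLACEHOLDER-1

   Transitive Package            Resolved   Severity   Advisory URL
   > Example.Transitive.Package  4.0.0      High       https://example.invalid/advisory/PLACEHOLDER-2'

printf '%s\n' "$SAMPLE_REPORT" | blocking_vulns Moderate \
  || echo "build blocked: fix or bump the packages listed above"
```

In a pipeline step, call `check_project path/to/Solution.sln High` and let its non-zero exit status fail the job.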