Update Minimum Version of Microsoft.AspNetCore.Components #1036

Closed
opened 2026-01-29 17:48:08 +00:00 by claunia · 4 comments

Originally created by @mattsmac on GitHub (Nov 15, 2023).

Is your feature request related to a problem? Please describe.
When reviewing security vulnerabilities via the dotnet list command, Microsoft.AspNetCore.Components 7.0.0 is listed as a vulnerability. See issue link: https://github.com/advisories/GHSA-3fx3-85r4-8j3w

Describe the solution you'd like
Update the minimum version of Microsoft.AspNetCore.Components to a non-vulnerable version.

Describe alternatives you've considered
I can mitigate this temporarily by manually including a non-vulnerable version of Microsoft.AspNetCore.Components; however, that makes the NuGet packages harder to maintain without knowing that this is installed specifically for Radzen.

Additional context
Add any other context or screenshots about the feature request here.

@enchev commented on GitHub (Nov 16, 2023):

Hey @mattsmac,

In my opinion, if you have a newer version of the NuGet package in your app, this version will be used instead of the one referenced by our NuGet package.

@mattsmac commented on GitHub (Nov 16, 2023):

Hi @enchev, I get that as a temporary workaround. However, after a while, if you have to manually keep supporting NuGet packages up to date, it makes it a bit of a mess to know what packages you are actually using and what packages are just transitive. It also means that anyone that uses Radzen on .NET 7 or below will be unknowingly installing a vulnerable NuGet package. I only discovered this because I specifically scan for it, but otherwise I would not have known that I was using a vulnerable package.

@enchev commented on GitHub (Nov 16, 2023):

Upgrading to the latest version of the framework guarantees that you are using the latest versions of the packages referenced by third-party assemblies like Radzen.Blazor - there will be no mess since there will be only one loaded assembly, the latest.

@mattsmac commented on GitHub (Nov 16, 2023):

Hi @enchev, unfortunately, that is not how NuGet appears to work. It always picks the lowest applicable version of transitive packages when a >= version requirement is set, unless a direct reference exists. So if Radzen requires Microsoft.AspNetCore.Components >= 7.0.0, NuGet will always choose 7.0.0, not 7.0.14, which is the patched version.

For this particular scenario, if you upgrade your whole project to .NET 8, it would solve it because Microsoft.AspNetCore.Components version 8.0.0 does not have this vulnerability, but if another vulnerability is identified in Microsoft.AspNetCore.Components version 8.0.0, it would still not choose the patched version.

This could be corrected by using the * dependency notation rather than the >= notation, at least for this particular dependency. See the following article for details.

https://learn.microsoft.com/en-us/nuget/concepts/dependency-resolution#lowest-applicable-version
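The lowest-applicable-version rule described in this comment is what keeps a transitive `>= 7.0.0` requirement on the vulnerable 7.0.0 even after 7.0.14 is published. The Python script below is an added example, not part of this issue thread and not code from Radzen or NuGet: it parses NuGet version-range notation (`7.0.0`, `[7.0.14,)`, `[7.0.0,8.0.0)`, `7.0.*`), resolves each requirement against a constructed feed listing of Microsoft.AspNetCore.Components versions, and models the nearest-wins rule under which a direct PackageReference in the project overrides the range a dependency asked for. The feed contents, the `resolve`/`resolve_project` names and the simplified major.minor.patch grammar are assumptions of this example; the real check against a project is `dotnet list package --vulnerable --include-transitive`.

```python
"""Model of NuGet transitive-dependency resolution: lowest applicable version,
floating versions, and nearest-wins for direct references. Added illustration
only, not NuGet's own code; versions are simplified to major.minor.patch."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import NamedTuple, Optional


class Ver(NamedTuple):
    major: int
    minor: int
    patch: int

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}.{self.patch}"


@dataclass(frozen=True)
class Range:
    lower: Optional[Ver]
    lower_inclusive: bool
    upper: Optional[Ver]
    upper_inclusive: bool
    floating: Optional[tuple[int, ...]]  # set for "7.0.*": the fixed leading components


VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Ver:
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unsupported version syntax: {text!r}")
    return Ver(*(int(g) for g in m.groups()))


def parse_range(text: str) -> Range:
    """Parse the version-range notation used in nuspec dependencies and PackageReference."""
    t = text.strip()
    if "*" in t:  # floating: "7.0.*" takes the highest available 7.0.x
        prefix = t[: t.index("*")]
        if not re.fullmatch(r"(\d+\.)*", prefix):
            raise ValueError(f"unsupported floating version: {text!r}")
        return Range(None, True, None, False, tuple(int(p) for p in prefix.split(".") if p))
    if t and t[0] in "[(" and t[-1] in "])":
        lower_inc, upper_inc = t[0] == "[", t[-1] == "]"
        inner = t[1:-1]
        if "," not in inner:  # "[7.0.14]" pins exactly one version
            v = parse_version(inner)
            return Range(v, True, v, True, None)
        lo, hi = inner.split(",", 1)
        return Range(parse_version(lo) if lo.strip() else None, lower_inc,
                     parse_version(hi) if hi.strip() else None, upper_inc, None)
    # A bare "7.0.0" means ">= 7.0.0" to NuGet, i.e. [7.0.0, ): a minimum only.
    return Range(parse_version(t), True, None, False, None)


def contains(r: Range, v: Ver) -> bool:
    if r.floating is not None:
        return tuple(v)[: len(r.floating)] == r.floating
    if r.lower is not None and (v < r.lower or (v == r.lower and not r.lower_inclusive)):
        return False
    if r.upper is not None and (v > r.upper or (v == r.upper and not r.upper_inclusive)):
        return False
    return True


def resolve(range_text: str, available: list[str]) -> Optional[str]:
    """Version NuGet picks for one requirement: the LOWEST match for a normal range
    (so a transitive ">= 7.0.0" stays on 7.0.0 while 7.0.14 exists), the HIGHEST for a floating one."""
    r = parse_range(range_text)
    matches = sorted(v for v in map(parse_version, available) if contains(r, v))
    if not matches:
        return None
    return str(matches[-1] if r.floating is not None else matches[0])


def resolve_project(direct: dict[str, str], transitive: dict[str, str],
                    feed: dict[str, list[str]]) -> dict[str, str]:
    """Nearest wins: the project's own PackageReference overrides a transitive range.
    A direct pick below what the dependency asked for is a package downgrade,
    which NuGet reports as NU1605; this model raises instead."""
    resolved: dict[str, str] = {}
    for pkg, rng in transitive.items():
        chosen = resolve(rng, feed[pkg])
        if pkg in direct:
            mine = resolve(direct[pkg], feed[pkg])
            if mine is None or not contains(parse_range(rng), parse_version(mine)):
                raise ValueError(f"{pkg}: direct reference {direct[pkg]} downgrades below {rng} (NU1605)")
            chosen = mine
        if chosen is None:
            raise LookupError(f"{pkg}: no version on the feed satisfies {rng}")
        resolved[pkg] = chosen
    for pkg, rng in direct.items():
        v = resolve(rng, feed[pkg])
        if v is None:
            raise LookupError(f"{pkg}: no version on the feed satisfies {rng}")
        resolved.setdefault(pkg, v)
    return resolved


# Constructed feed listing for this example, not a live query of nuget.org.
PKG = "Microsoft.AspNetCore.Components"
FEED = {PKG: ["7.0.0", "7.0.5", "7.0.13", "7.0.14", "8.0.0"]}

if __name__ == "__main__":
    for rng in ["7.0.0", "[7.0.14,)", "7.0.*", "[7.0.0,8.0.0)"]:
        print(f"transitive requirement {rng:15} -> {resolve(rng, FEED[PKG])}")
    # The reporter's workaround: a direct reference to the patched version wins.
    print(resolve_project({PKG: "7.0.14"}, {PKG: "7.0.0"}, FEED))
```

Running it shows the two fixes discussed in the thread side by side: raising the package's own minimum to `[7.0.14,)` or floating it as `7.0.*` changes what every consumer resolves, whereas the direct-reference workaround only changes the one project that carries it, and a later maintainer who pins that direct reference lower than the dependency's minimum gets the NU1605 downgrade instead of a silent older version.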

Reference: starred/radzen-blazor#1036