Fix package vulnerabilities

leancodepl · Dec 19, 2024 · 5e73f80 · 5e73f80
1 parent 71f19d3
commit 5e73f80
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 5 deletions.
diff --git a/Directory.Build.props b/Directory.Build.props
@@ -14,6 +14,11 @@
     <AnalysisMode>AllEnabledByDefault</AnalysisMode>
   </PropertyGroup>
 
+  <ItemGroup>
+    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-ff4q-64jc-gx98" />
+    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-55p7-v223-x366" />
+  </ItemGroup>
+
   <Import Project="$([MSBuild]::GetPathOfFileAbove('Directory.Build.props', '$(MSBuildThisFileDirectory)../'))"
           Condition="Exists($([MSBuild]::GetPathOfFileAbove('Directory.Build.props', '$(MSBuildThisFileDirectory)../')))"/>
 </Project>
diff --git a/Directory.Build.targets b/Directory.Build.targets
@@ -6,7 +6,6 @@
 
     <IdentityServerVersion>4.1.2</IdentityServerVersion>
     <MassTransitVersion>8.3.2</MassTransitVersion>
-    <SystemIdentityModelVersion>8.2.1</SystemIdentityModelVersion>
 
     <!-- Do not bump these dependencies if you don't want to force users to use newer .NET Core SDK -->
     <!-- Keep the major.minor values at exactly the one listed here: https://github.com/dotnet/roslyn/blob/main/docs/wiki/NuGet-packages.md -->
@@ -44,8 +43,6 @@
     <PackageReference Update="Serilog.Sinks.Seq" Version="8.0.0" />
 
     <PackageReference Update="IdentityModel" Version="7.0.0" />
-    <PackageReference Update="Microsoft.IdentityModel.Tokens" Version="$(SystemIdentityModelVersion)" />
-    <PackageReference Update="System.IdentityModel.Tokens.Jwt" Version="$(SystemIdentityModelVersion)" />
 
     <PackageReference Update="FirebaseAdmin" Version="3.1.0" />
     <PackageReference Update="Google.Cloud.Firestore" Version="3.9.0" />

diff --git a/...frastructure/LeanCode.ExternalIdentityProviders/LeanCode.ExternalIdentityProviders.csproj b/...frastructure/LeanCode.ExternalIdentityProviders/LeanCode.ExternalIdentityProviders.csproj
@@ -6,11 +6,14 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.Extensions.Caching.Memory" />
-    <PackageReference Include="Microsoft.IdentityModel.Tokens" />
     <PackageReference Include="Google.Apis.Auth" />
     <PackageReference Include="IdentityServer4" />
     <PackageReference Include="Serilog" />
-    <PackageReference Include="System.IdentityModel.Tokens.Jwt" />
+
+    <!-- Packages required by IdentityServer4, but with patched versions -->
+    <PackageReference Include="System.Text.Encodings.Web" Version="4.7.2" />
+    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="5.7.0" />
+    <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="5.7.0" />
   </ItemGroup>
 
 </Project>
diff --git a/src/Infrastructure/LeanCode.IdentityServer.KeyVault/LeanCode.IdentityServer.KeyVault.csproj b/src/Infrastructure/LeanCode.IdentityServer.KeyVault/LeanCode.IdentityServer.KeyVault.csproj
@@ -7,6 +7,10 @@
     <PackageReference Include="Azure.Security.KeyVault.Keys" />
     <PackageReference Include="IdentityServer4" />
     <PackageReference Include="Microsoft.Extensions.Azure" />
+
+    <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="5.7.0" />
+    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="5.7.0" />
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
   </ItemGroup>
 
 </Project>