Fixed security vulnerability in System.Linq.Dynamic.Core

jezzsantos · Feb 4, 2025 · d8a7fdf · d8a7fdf
1 parent 7687b79
commit d8a7fdf
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 3 deletions.
diff --git a/README_DERIVATIVE.md b/README_DERIVATIVE.md
@@ -343,6 +343,17 @@ Only run these kinds of tests when the code in the technology adapters changes.
 
 `dotnet test --filter:"Category=Integration.External" src\SaaStack.sln` (requires internet access to external services)
 
+# Upgrading .NET Version
+
+If you need to upgrade the version of .NET for this codebase, do the following:
+1. Download the new version of the .NET SDK from this page: https://dotnet.microsoft.com/en-us/download/dotnet
+2. Run the installer for your OS. This will add a new version to your local machine, but it will not change anything.
+3. Make a note of the version of the runtime, and the SDK (they are different numbers)
+4. In `Directory.Build.props`, change the value of the `<RoslynTargetFramework>` variable to the version of the runtime.
+5. In `RuntimeConstants.cs` change the value of both `DotNet.RuntimeVersion`, `Dotnet.SdkVersion` and `DotNet.Version`.
+6. (Optional) If necessary (i.e. moving from .NET 8 to .NET 9) then find and replace the `<TargetFramework>net8.0</TargetFramework>` attribute in every `*.csproj` file in the solution.
+7. Rebuild the solution
+
 # Versioning the Code
 
 > Note: We use the 2 dot [Semantic Versioning](https://semver.org/spec/v2.0.0.html) scheme.

diff --git a/src/Application.Interfaces/Application.Interfaces.csproj b/src/Application.Interfaces/Application.Interfaces.csproj
@@ -10,7 +10,9 @@
     </ItemGroup>
 
     <ItemGroup>
-        <PackageReference Include="System.Linq.Dynamic.Core" Version="1.3.5" />
+        <!-- We need to pin this specific version of System.Linq.Dynamic.Core to 1.5.1, since newer versions break our use of the library -->
+        <!-- we need to suppress the build warnings, since this version contains security vulnerabilities that we do accept -->
+        <PackageReference Include="System.Linq.Dynamic.Core" Version="[1.5.1]" NoWarn="NU1903" />
     </ItemGroup>
 
     <ItemGroup>

diff --git a/src/Directory.Build.props b/src/Directory.Build.props
@@ -57,7 +57,7 @@
     <PropertyGroup>
         <GenerateDocumentationFile>true</GenerateDocumentationFile>
         <NoWarn>$(NoWarn),1573,1574,1591,1712,1723,SAASDDD037</NoWarn>
-        <RoslynTargetFramework>8.0.6</RoslynTargetFramework> <!-- Must match the RuntimeConstants.Dotnet versions -->
+        <RoslynTargetFramework>8.0.6</RoslynTargetFramework> <!-- Update the RuntimeConstants.Dotnet versions also -->
     </PropertyGroup>
 
     <!-- Runs the analyzers (in memory) on build -->

diff --git a/src/Infrastructure.Persistence.Common/Infrastructure.Persistence.Common.csproj b/src/Infrastructure.Persistence.Common/Infrastructure.Persistence.Common.csproj
@@ -8,11 +8,11 @@
     <ItemGroup>
         <ProjectReference Include="..\Application.Persistence.Common\Application.Persistence.Common.csproj" />
         <ProjectReference Include="..\Infrastructure.Persistence.Interfaces\Infrastructure.Persistence.Interfaces.csproj" />
+        <ProjectReference Include="..\Application.Interfaces\Application.Interfaces.csproj" />
     </ItemGroup>
 
     <ItemGroup>
         <PackageReference Include="Polly" Version="7.2.4" />
-        <PackageReference Include="System.Linq.Dynamic.Core" Version="1.3.6" />
     </ItemGroup>
 
     <ItemGroup>