-
Notifications
You must be signed in to change notification settings - Fork 346
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[GHSA-6q8c-85p2-954c] In Progress Telerik UI for WPF versions prior to 2024 Q3 ... #5094
base: LanceMcCarthy/advisory-improvement-5094
Are you sure you want to change the base?
Conversation
Hi @LanceMcCarthy, I am unable to find any of the listed packages in https://www.nuget.org/. Could you provides to them? |
@JonathanLEvans That is correct, they are not public nuget.org packages (they are only provided via our NuGet Feed (https://nuget.telerik.com). It is an authenticated feed, when the developer passes credentials with the HTTP request (using packageSourceCredentials) and the server determines what packages they have the license to access/download. This topic is something I was going to bring up to the .NET team via Microsoft MVP back channels, there should probably be an easier way for you to automatically validate the package, possible through a private proxy that I can arrange with your team. However, this is a longer term thing that likely needs agreement and configuration. For now, I need to manually go through all the items and list them for you. |
@JonathanLEvans Here is a real world example where Dependabot will make the identification.
The main argument here is that it should matter where the packages come from. It is still a Ultimately, there doesn't even have to be a server-based feed like nuget.org. The NuGet package manager (and dotnet) supports using a local package source (a folder with .nupkg files in it). In this scenario, the project still has the same ExampleHere's a short walkthrough of a common multi-source scenario. In the nuget.config, there are three sources defined; <configuration>
<packageSources>
<add key="NuGetOrg" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
<add key="TelerikServer" value="https://nuget.telerik.com/v3/index.json" protocolVersion="3"/>
<add key="MyLocalPackages" value="\local-folder\my-packages" />
</packageSources>
...
</configuration> In the project's csproj file, there exists a <Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<OutputType>Exe</OutputType>
<TargetFramework>net9.0</TargetFramework>
</PropertyGroup>
<!-- Packages can come from any source, public, private, or local -->
<ItemGroup>
<!-- This get restored from nuget.org -->
<PackageReference Include="Newtonsoft.Json" Version="13.03" />
<PackageReference Include="CommonHelpers" Version="1.4.0" />
<!-- This gets restored from nuget.telerik.com -->
<PackageReference Include="Telerik.UI.for.Wpf" Version="2024.4.1106" />
<!-- This gets restored from a local folder source -->
<PackageReference Include="MyApp.ClassLibrary" Version="1.0.0" />
</ItemGroup>
</Project> [edit] Clarified further with expanded example. Spelling corrections. |
👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the |
Hi @JonathanLEvans do you have an update for us? As a reminder, here's short summary...
Problem => This PR is being held up because that package name not on nuget.org. I am requesting this be approved, regardless of where the package is hosted. Any project that is referencing such a PackageReference should be allowed to see the advisory, regardless if its source is nuget.org, nuget.telerik.com or a local folder source (all are valid NuGet package sources). |
This Pull Request replaces #5087