[Bug] dependency System.Security.SecureString 4.3.0 reporting transient dependency vulnerabilities #4900

Open
@mikegoatly

Description

Library version used

4.63.0

.NET version

Compiling against 9.0.100-preview.7.24407.12

Scenario

PublicClient - desktop app

Is this a new or an existing app?

This is a new app or experiment

Issue description and reproduction steps

NuGet audit in .NET 9 has changed the default NuGetAuditMode from “direct” to “all” (Related article). This means that using the .NET 9 SDK to build existing software is starting to highlight transient dependencies that have known vulnerabilities.

This has highlighted the use of System.Security.SecureString as it takes a transient dependency on System.Private.Uri v4.3.0:

image

This only becomes a problem when trying to use MSAL against an Android or iOS target:

image

To reproduce this, create an application that targets Android or iOS and use the .NET 9 preview SDK to build your application.

Are there any plans to remove this dependency, or otherwise mitigate this?

Relevant code snippets

-

Expected behavior

It should be possible to use MSAL with Android and iOS with the .NET 9 SDK without any warnings or errors.

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response
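To see why a package such as System.Private.Uri 4.3.0 is flagged once NuGetAuditMode is "all", it helps to trace which direct reference pulls it in. The following is an added example, not part of the original issue or of MSAL's code: it walks the dependency graph that NuGet restore writes to `obj/project.assets.json` and lists each chain from a direct reference to the flagged package. The embedded graph is constructed and simplified (the `System.Runtime` hop, the `Newtonsoft.Json` reference and the `net9.0-android` target name are assumptions), and `paths_to` is a hypothetical helper name.

```python
import json
from collections import deque

# Constructed, simplified stand-in for obj/project.assets.json. The
# System.Runtime edge is an assumption; real graphs have more hops.
SAMPLE_ASSETS = json.loads("""
{"targets": {"net9.0-android": {
    "Microsoft.Identity.Client/4.63.0": {"type": "package",
      "dependencies": {"System.Security.SecureString": "4.3.0"}},
    "System.Security.SecureString/4.3.0": {"type": "package",
      "dependencies": {"System.Runtime": "4.3.0"}},
    "System.Runtime/4.3.0": {"type": "package",
      "dependencies": {"System.Private.Uri": "4.3.0"}},
    "System.Private.Uri/4.3.0": {"type": "package"},
    "Newtonsoft.Json/13.0.3": {"type": "package"}}},
 "project": {"frameworks": {"net9.0-android": {"dependencies": {
    "Microsoft.Identity.Client": {"target": "Package", "version": "[4.63.0, )"},
    "Newtonsoft.Json": {"target": "Package", "version": "[13.0.3, )"}}}}}}
""")


def paths_to(assets, target, flagged):
    """List every chain from a direct PackageReference to `flagged`."""
    # package name (lower-cased) -> (resolved "Name/Version", dependency names)
    graph = {}
    for key, info in assets["targets"][target].items():
        deps = [d.lower() for d in info.get("dependencies", {})]
        graph[key.split("/")[0].lower()] = (key, deps)
    direct = assets["project"]["frameworks"][target]["dependencies"]
    found = []
    queue = deque([n.lower()] for n in direct if n.lower() in graph)
    while queue:  # breadth-first, so shorter chains are reported first
        path = queue.popleft()
        key, deps = graph[path[-1]]
        if key.lower() == flagged.lower():
            found.append([graph[n][0] for n in path])
            continue
        for dep in deps:
            if dep in graph and dep not in path:  # skip unresolved and cycles
                queue.append(path + [dep])
    return found


if __name__ == "__main__":
    for chain in paths_to(SAMPLE_ASSETS, "net9.0-android", "System.Private.Uri/4.3.0"):
        print(" -> ".join(chain))
```

A chain of length one means the flagged package is a direct reference, which the older "direct" audit mode would already have reported; longer chains are the ones that only surface under "all".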

Metadata

Assignees: No one assigned

Type: No type

Project status: In Progress
