Skip to content

[All] Pin transitive dependencies in Fable.Cli to avoid CVE warnings #4304

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dbrattli wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[All] Pin transitive dependencies in Fable.Cli to avoid CVE warnings #4304

dbrattli wants to merge 1 commit into from
+4 −0

Conversation

@dbrattli
Copy link
Collaborator

@dbrattli dbrattli commented Dec 18, 2025

Pin Microsoft.Build transitive dependencies for now to fix CVE-2025-55247 and avoid warnings, or should we instead do it in the Buildalyzer 8.0.0-fable-001? Not sure where that package comes from?

Fable/src/Fable.Cli/Fable.Cli.fsproj : warning NU1903: Package 'Microsoft.Build' 17.10.4 has a known high severity vulnerability, https://github.com/advisories/GHSA-w3q9-fxm7-j8fq
Fable/src/Fable.Cli/Fable.Cli.fsproj : warning NU1903: Package 'Microsoft.Build.Tasks.Core' 17.10.29 has a known high severity vulnerability, https://github.com/advisories/GHSA-w3q9-fxm7-j8fq
Fable/src/Fable.Cli/Fable.Cli.fsproj : warning NU1903: Package 'Microsoft.Build.Utilities.Core' 17.10.29 has a known high severity vulnerability, https://github.com/advisories/GHSA-w3q9-fxm7-j8fq
Fable/src/Fable.Cli/Fable.Cli.fsproj : warning NU1903: Package 'Microsoft.Build' 17.10.4 has a known high severity vulnerability, https://github.com/advisories/GHSA-w3q9-fxm7-j8fq
Fable/src/Fable.Cli/Fable.Cli.fsproj : warning NU1903: Package 'Microsoft.Build.Tasks.Core' 17.10.29 has a known high severity vulnerability, https://github.com/advisories/GHSA-w3q9-fxm7-j8fq
Fable/src/Fable.Cli/Fable.Cli.fsproj : warning NU1903: Package 'Microsoft.Build.Utilities.Core' 17.10.29 has a known high severity vulnerability, https://github.com/advisories/GHSA-w3q9-fxm7-j8fq

@dbrattli
[All] pin transitive dependencies
95475f6 
Pin Microsoft.Build transitive dependencies to fix CVE-2025-55247
@ncave
Copy link
Collaborator

ncave commented Dec 18, 2025

@dbrattli It's from the Buildalyzer, unfortunately their latest release 8.0.0 is still vulnerable.

@dbrattli
Copy link
Collaborator Author

dbrattli commented Dec 18, 2025

Ok, but should we then just pin them for now?

@ncave
Copy link
Collaborator

ncave commented Dec 18, 2025
edited
Loading

@dbrattli Sure, perhaps we can do it as local package Buildalyzer 8.0.0-fable-002

@ncave
Copy link
Collaborator

ncave commented Dec 18, 2025

@dbrattli I wonder if we can eventually drop Buildalyzer altogether as legacy. The less dependencies, the better.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MangelMaxime MangelMaxime Awaiting requested review from MangelMaxime

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dbrattli @ncave