Add a direct reference to Asn1 to force version without a CVE (#7109)

* Try remove the dependency on crypto * Try if we can fix it * Move asn1 reference to a separate item group * Fix typos and formatting * Sort PackageReferences --------- Co-authored-by: Brandon Ording <[email protected]>
Particular · Jul 19, 2024 · a2ca1a7 · a2ca1a7
1 parent d7b35c1
commit a2ca1a7
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/src/NServiceBus.Core/NServiceBus.Core.csproj b/src/NServiceBus.Core/NServiceBus.Core.csproj
@@ -10,9 +10,9 @@
 
   <ItemGroup Label="Public dependencies">
     <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="8.0.0" />
+    <PackageReference Include="Microsoft.Extensions.Diagnostics" Version="8.0.0" />
     <PackageReference Include="NServiceBus.MessageInterfaces" Version="[1.0.0, 2.0.0)" />
     <PackageReference Include="System.Security.Cryptography.Xml" Version="8.0.0" />
-    <PackageReference Include="Microsoft.Extensions.Diagnostics" Version="8.0.0" />
   </ItemGroup>
 
   <ItemGroup Label="Private dependencies">
@@ -24,6 +24,10 @@
     <PackageReference Include="Particular.Packaging" Version="4.1.0" PrivateAssets="All" />
   </ItemGroup>
 
+  <ItemGroup Label="Direct references to transitive dependencies to avoid versions with CVE">
+    <PackageReference Include="System.Formats.Asn1" Version="8.0.1" />
+  </ItemGroup>
+
   <PropertyGroup>
     <PackageId>NServiceBus</PackageId>
     <Description>Build, version, and monitor better microservices with the most powerful service platform for .NET</Description>