[Bug Report] Upgrade dependency on Microsoft.Rest.ClientRuntime to Azure.Core
kristofferpagels opened this issue · 2 comments
Description of the issue
The Microsoft.Azure.Devices version 1.39 depends on the Microsoft.Rest.ClientRuntime version 2.3.21, which has a security vulnerability (GHSA-whph-446h-6m9v).
Furthermore, this package has been deprecated; see https://www.nuget.org/packages/Microsoft.Rest.ClientRuntime/
Microsoft.Rest.ClientRuntime will no longer receive security fixes after September 2023.
The dependency should probably be updated to Azure.Core.
We have upgraded this dependency via #3400 to fix the security vulnerability.
We do plan on removing the dependency on this deprecated library in the v2 of this SDK, but we don't have a timeline on when that will be released. We can't remove it from our v1 client without causing breaking changes, unfortunately.
Given that we can't remove/replace the Microsoft.Rest.ClientRuntime in the v1 of this SDK, I'll close this issue since the latest release contains the security fixes relevant to that library.
We still plan on making the switch to Azure.Core in our v2 SDK, though.