aardvark-platform/aardvark.base

Vulnerability in ImageSharp dependency

Closed this issue · 5 comments

The currently used SixLabors.ImageSharp version has a vulnerability, which produces the following compiler warning:
NU1903 Warning As Error: Package 'SixLabors.ImageSharp' 2.1.6 has a known high severity vulnerability, https://github.com/advisories/GHSA-65x7-c272-7g7r

SixLabors.ImageSharp should be updated to 3.1.3.

ImageSharp 3 has a less permissive license requiring payment for commercial projects IIRC. I'm not sure if this is an option for commercial projects using Aardvark.

https://github.com/SixLabors/ImageSharp/blob/main/LICENSE

According to the license text, indirect usage of ImageSharp falls under the Apache 2.0 license. If I understand this correctly, for commercial Aardvark users that don't use ImageSharp directly, no license changes should happen.

That's how I understand it as well. Back then we had some concerns, but I don't remember the details. It's probably fine as it is worded.

Apparently, they backported the fix and released 2.1.7. You should be able to use that without requiring a new Aardvark.Base version. Still, it might be a good idea to move to 3.X eventually.

Edit: ImageSharp 3.X only supports .NET >= 6
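As an added example (not from this thread or the Aardvark project), this is how a consumer project can take the backported 2.1.7 build without waiting for a new Aardvark.Base release: a direct PackageReference to SixLabors.ImageSharp 2.1.7 wins over the transitive 2.1.6 that Aardvark.Base pulls in, so the NU1903 audit warning goes away. The Aardvark.Base version is a placeholder, and the TreatWarningsAsErrors setting is assumed to be what turned the warning into a build failure.

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>netstandard2.0</TargetFramework>
    <!-- Assumed setting: this is what makes NU1903 fail the build instead of just warning. -->
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Placeholder version: use whatever Aardvark.Base version the project already pins. -->
    <PackageReference Include="Aardvark.Base" Version="X.Y.Z" />

    <!-- Direct reference to the patched 2.x line. NuGet applies "nearest wins", so this
         replaces the transitive SixLabors.ImageSharp 2.1.6 (GHSA-65x7-c272-7g7r) with 2.1.7
         while staying on the 2.x branch, which still targets .NET Standard 2.0. -->
    <PackageReference Include="SixLabors.ImageSharp" Version="2.1.7" />
  </ItemGroup>

</Project>
```

After restoring, `dotnet list package --vulnerable --include-transitive` should no longer report ImageSharp.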

OK, then I think an update to 2.1.7 would be sufficient 👍