jbogard/Respawn

Update vulnerable Microsoft.Data.SqlClient dependency

Closed this issue · 2 comments

Thanks for creating Respawner!

I use Postgres and thus, Respawner is the only reason my Test project takes a (transitive) dependency on Microsoft.Data.SqlClient. As Respawner depends on v4.0.0, this version will be installed because NuGet always installs the lowest requested version of a dependency. I have automated vulnerability scanning with trivy in one of my CI pipelines. That made me aware that 4.0.0 has a vulnerability. I think Respawner could instead depend on the fixed version 4.0.5. This way, users wouldn't automatically have a vulnerable version installed.

See also:

Forgot to mention, but obviously it is possible to work around this by either directly depending on Microsoft.Data.SqlClient or by using Directory.Packages.props and pinning a fixed version there without taking a direct dependency. Thus, my point is not that I'm blocked or vulnerable in any way myself. I rather just wanted to note this so that you can consider if it makes sense to depend on a fixed version so that the dependency tree is secure by default.
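As an added illustration of the Directory.Packages.props workaround mentioned above (this is example configuration, not a file from the issue or from the Respawn project): NuGet central package management lets a consuming repository raise the version of a transitive package without adding a direct PackageReference, provided transitive pinning is switched on. The property and item names are the real NuGet ones; the version 4.0.5 is the fixed version named in the issue; the file placement at the repository root next to the solution is assumed.

```xml
<!-- Directory.Packages.props at the repository root (assumed location).
     Example configuration added for illustration; not part of Respawn. -->
<Project>
  <PropertyGroup>
    <!-- Turn on central package management: every PackageReference in the
         projects below this directory takes its version from this file. -->
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>

    <!-- Apply the PackageVersion entries to transitive packages as well, so the
         SqlClient version pulled in via Respawn is lifted to 4.0.5 without
         any project declaring a direct dependency on it. -->
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>

  <ItemGroup>
    <!-- Floor the transitive dependency at the fixed version from the issue.
         Other packages the projects reference directly (Respawn included)
         get their own PackageVersion lines here; no versions stay in csproj files. -->
    <PackageVersion Include="Microsoft.Data.SqlClient" Version="4.0.5" />
  </ItemGroup>
</Project>
```

After restoring, a quick check that the pin took effect and that nothing else vulnerable remains in the graph is `dotnet list package --vulnerable --include-transitive`, which reports transitive packages with known advisories; if the package is later bumped upstream (as the maintainer's reply indicates for v6.2.1), the PackageVersion line becomes redundant and can be dropped.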

Closing since I think v6.2.1 and #133 fixed this. Thanks!