Compromised 3rd party libraries


Our security auditing has shown your recent .NET SDK (v3.2.4) and DependencyInjection v3.2.0 are using 2 libraries that have security alerts on them ranked as “High”.
Can you please upgrade them in your next build?

System.Net.Http 4.3.0 => 4.3.4
System.Text.RegularExpressions 4.3.0 => 4.3.1


These are not direct dependencies of CouchbaseNetClient, but are transitive dependencies from NETStandard.Library. They are a result of targeting .NET Standard 2.0. Unfortunately, NETStandard.Library is published by Microsoft and not something we can change.

That said, those dependencies aren’t actually referenced, that I can see, except when targeting versions of .NET that we don’t support (.NET < 4.6.1 or .NET Core 1.x). Can you provide further details about how/where you’re seeing these dependencies? I can’t find them anywhere else in the dependency graph.
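One way to answer the "how/where" question above is to trace, per target framework, which dependency chain resolves to a flagged package version. The following is an added example, not code from this thread or from Couchbase; the JSON is a constructed sample in the shape of NuGet's `obj/project.assets.json`, and `Example.Client` is a hypothetical package name.

```python
import json

# Constructed sample shaped like obj/project.assets.json (not taken from the thread).
ASSETS = json.loads("""
{
  "targets": {
    ".NETStandard,Version=v1.6": {
      "Example.Client/1.0.0": {"dependencies": {"NETStandard.Library": "1.6.1"}},
      "NETStandard.Library/1.6.1": {"dependencies": {
        "System.Net.Http": "4.3.0", "System.Text.RegularExpressions": "4.3.0"}},
      "System.Net.Http/4.3.0": {},
      "System.Text.RegularExpressions/4.3.0": {}
    },
    ".NETStandard,Version=v2.0": {
      "Example.Client/1.0.0": {"dependencies": {"NETStandard.Library": "2.0.3"}},
      "NETStandard.Library/2.0.3": {"dependencies": {"Microsoft.NETCore.Platforms": "1.1.0"}},
      "Microsoft.NETCore.Platforms/1.1.0": {}
    }
  }
}
""")

# The two package versions named in the audit finding.
FLAGGED = {"System.Net.Http": "4.3.0", "System.Text.RegularExpressions": "4.3.0"}

def paths_to_flagged(assets, flagged):
    """Return {target: [chain, ...]}; each chain is 'Name/Version' keys ending at a flagged package."""
    results = {}
    for target, libs in assets["targets"].items():
        # Package name -> the key NuGet actually resolved for this target.
        resolved = {key.split("/")[0].lower(): key for key in libs}
        depended_on = {d.lower() for lib in libs.values() for d in lib.get("dependencies", {})}
        # Roots: packages nothing else in this target depends on.
        roots = sorted(k for k in libs if k.split("/")[0].lower() not in depended_on)
        chains = []

        def walk(key, chain):
            if key in chain:  # guard against dependency cycles
                return
            chain = chain + [key]
            name, version = key.split("/")
            if flagged.get(name) == version:
                chains.append(chain)
            for dep in libs[key].get("dependencies", {}):
                if dep.lower() in resolved:
                    walk(resolved[dep.lower()], chain)

        for root in roots:
            walk(root, [])
        results[target] = chains
    return results
```

On a real project, pass `json.load(open("obj/project.assets.json"))` instead of `ASSETS`; a target with an empty list has no chain reaching the flagged versions.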