Updated jsreport.Client

Reply to Updated jsreport.Client on Invalid Date

neilmercer — Invalid Date

Hi,

Are there any plans to publish an updated jsreport.Client package? Our vulnerability scanning is reporting that version 3.8.1 has a dependency on System.Text.RegularExpressions 4.3.0 which has a known vulnerability. It's not a critical vulnerability but it would be nice to have it not show up, so if there is any thought to publishing a new jsreport.Client, can it include the dependency update?

Cheers,
Neil.

Reply to Updated jsreport.Client on Invalid Date

admin — Invalid Date

I apologize if I missed something. It’s been a long time since I last worked with .NET...
I don't see the jsreport.Client would be dependent on the System.Text.RegularExpressions

Could you check the following?

dotnet list package --include-transitive
dotnet list package --vulnerable --include-transitive

Reply to Updated jsreport.Client on Invalid Date

neilmercer — Invalid Date

Hi,
OK, I've done some digging around, and I think I've worked it out.
If I clone the jsreport.Client repo and look at it's packages, there's a dependency on jsreport.Types 3.8.1, which in turn has a dependency on NetStandard.Library 2.0.3 and no vulnerabilities.
However in the application where I'm using jsreport.Client, it's showing jsReport.Types 3.8.1 as using NetStandard.Library 1.6.1 as it's dependency.
I've removed the cached copy of NetStandard.Library 1.6.1, removed jsreport.Client from my app and then re-added it and it's picking up NetStandard.Library 2.0.3.

Having a look at jsreport.Types, I can see it lists NetStandard.Library >= 1.6.1 as it's dependency, so it's just the unique situation where I had that version cached locally, so Visual Studio was using that, rather than the latest 2.0.3.

Thanks,
Neil.