Updated jsreport.Client



  • Hi,

    Are there any plans to publish an updated jsreport.Client package? Our vulnerability scanning is reporting that version 3.8.1 has a dependency on System.Text.RegularExpressions 4.3.0 which has a known vulnerability. It's not a critical vulnerability but it would be nice to have it not show up, so if there is any thought to publishing a new jsreport.Client, can it include the dependency update?

    Cheers,
    Neil.



  • I apologize if I missed something. It’s been a long time since I last worked with .NET...
    I don't see that jsreport.Client would be dependent on System.Text.RegularExpressions.

    Could you check the following?

    dotnet list package --include-transitive
    dotnet list package --vulnerable --include-transitive
    


  • Hi,
    OK, I've done some digging around, and I think I've worked it out.
    If I clone the jsreport.Client repo and look at its packages, there's a dependency on jsreport.Types 3.8.1, which in turn has a dependency on NetStandard.Library 2.0.3 and no vulnerabilities.
    However, in the application where I'm using jsreport.Client, it's showing jsreport.Types 3.8.1 as using NetStandard.Library 1.6.1 as its dependency.
    I've removed the cached copy of NetStandard.Library 1.6.1, removed jsreport.Client from my app and then re-added it and it's picking up NetStandard.Library 2.0.3.

    Having a look at jsreport.Types, I can see it lists NetStandard.Library >= 1.6.1 as its dependency, so it's just the unique situation where I had that version cached locally, so Visual Studio was using that, rather than the latest 2.0.3.

    Thanks,
    Neil.
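
As an added example (not part of the thread or of jsreport's code): a small Python parser for the text output of the `dotnet list package --include-transitive` command suggested above, reporting whether a scanner-flagged package version is actually resolved in a project and whether it is top-level or transitive. The sample output is constructed from the package versions named in the thread, with a made-up project name and target framework, and the column layout is assumed to match the CLI's default text output.

```python
import re

# Constructed sample in the text layout printed by
# `dotnet list package --include-transitive`. Versions are the ones named in
# the thread; the project name and target framework are made up.
SAMPLE = """\
Project 'MyApp' has the following package references
   [net6.0]:
   Top-level Package      Requested   Resolved
   > jsreport.Client      3.8.1       3.8.1

   Transitive Package                    Resolved
   > jsreport.Types                      3.8.1
   > NETStandard.Library                 1.6.1
   > System.Text.RegularExpressions      4.3.0
"""

def parse_list_output(text):
    """Return one dict per resolved package: project, framework, kind, name, resolved."""
    rows, project, framework, kind = [], None, None, None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"Project '(.+?)' has the following", s):
            project, framework, kind = m.group(1), None, None
        elif m := re.fullmatch(r"\[(.+?)\]:?", s):
            framework, kind = m.group(1), None
        elif s.startswith("Top-level Package"):
            kind = "top-level"
        elif s.startswith("Transitive Package"):
            kind = "transitive"
        elif s.startswith(">") and kind:
            fields = s[1:].split()
            # The resolved version is the last column; ignore parenthesised markers.
            versions = [f for f in fields[1:] if not f.startswith("(")]
            rows.append({"project": project, "framework": framework, "kind": kind,
                         "name": fields[0], "resolved": versions[-1]})
    return rows

def find_flagged(rows, watchlist):
    """Return rows whose (name, resolved version) is on the scanner's watchlist."""
    wanted = {(name.lower(), version) for name, version in watchlist}  # NuGet ids are case-insensitive
    return [r for r in rows if (r["name"].lower(), r["resolved"]) in wanted]

if __name__ == "__main__":
    hits = find_flagged(parse_list_output(SAMPLE), [("System.Text.RegularExpressions", "4.3.0")])
    for r in hits:
        print(f'{r["project"]} [{r["framework"]}] {r["kind"]}: {r["name"]} {r["resolved"]}')
```

Running it on the real command output before and after re-adding the package shows whether the flagged version is still resolved or has been replaced.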

