Microsoft.Identity.Web Library
Microsoft.Identity.Web
Microsoft.Identity.Web version
4.3.0
Web app
Not Applicable
Web API
Not Applicable
Token cache serialization
Not Applicable
Description
When installing Microsoft.Identity.Web 4.3.0 on a .NET 8.0 app, the transitive dependencies include the package 'System.Formats.Asn1' 8.0.0, which has a known high severity vulnerability.
Reproduction steps
Given the following csproj file:
```xml
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
    <NuGetAuditMode>all</NuGetAuditMode>
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.Identity.Web" Version="4.3.0" />
  </ItemGroup>
</Project>
```
Error message
`dotnet restore` fails with:
```
error NU1903: Warning As Error: Package 'System.Formats.Asn1' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
```
### Id Web logs
_No response_
### Relevant code snippets
```xml
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
    <NuGetAuditMode>all</NuGetAuditMode>
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.Identity.Web" Version="4.3.0" />
  </ItemGroup>
</Project>
```
Regression
4.1.0
Expected behavior
Transitive dependencies should not include vulnerable packages
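
The following is an added example, not part of the original issue or of the Microsoft.Identity.Web project: a triage helper that parses NuGet audit lines (NU1901 to NU1904) from `dotnet restore` output and checks each flagged package against the project's `PackageReference` items, so a finding like the one above is reported as transitive rather than direct. The function names, the path prefix in the sample log, and the assumption of an SDK-style csproj without an XML namespace are illustrative.

```python
import re
import xml.etree.ElementTree as ET

# NuGet audit codes and the advisory severity each one reports.
AUDIT_CODES = {"NU1901": "low", "NU1902": "moderate",
               "NU1903": "high", "NU1904": "critical"}

AUDIT_RE = re.compile(
    r"(?P<level>warning|error) (?P<code>NU190[1-4]): (?:Warning As Error: )?"
    r"Package '(?P<package>[^']+)' (?P<version>\S+) has a known "
    r"\w+ severity vulnerability, (?P<advisory>https://\S+)")

def direct_references(csproj_text):
    """Map lower-cased package id -> version for each PackageReference."""
    root = ET.fromstring(csproj_text)  # assumes SDK-style csproj, no xmlns
    return {el.get("Include").lower(): el.get("Version")
            for el in root.iter("PackageReference") if el.get("Include")}

def triage(restore_output, csproj_text):
    """Return one finding per unique (package, version, advisory)."""
    direct = direct_references(csproj_text)
    findings, seen = [], set()
    for m in AUDIT_RE.finditer(restore_output):
        key = (m["package"].lower(), m["version"], m["advisory"])
        if key in seen:  # the same line can appear more than once in a log
            continue
        seen.add(key)
        findings.append({
            "package": m["package"], "version": m["version"],
            "severity": AUDIT_CODES[m["code"]],
            "advisory": m["advisory"],
            "origin": "direct" if key[0] in direct else "transitive",
            "fails_build": m["level"] == "error",
        })
    return findings

# Constructed sample input: the csproj reference and error text come from the
# issue above; the file path prefix and the repeated line are made up.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Microsoft.Identity.Web" Version="4.3.0" />
  </ItemGroup>
</Project>"""
_ERR = ("/src/app/app.csproj : error NU1903: Warning As Error: Package "
        "'System.Formats.Asn1' 8.0.0 has a known high severity vulnerability, "
        "https://github.com/advisories/GHSA-447r-wph3-92pm [/src/app/app.csproj]")
SAMPLE_OUTPUT = "  Determining projects to restore...\n" + _ERR + "\n" + _ERR + "\n"

if __name__ == "__main__":
    for finding in triage(SAMPLE_OUTPUT, SAMPLE_CSPROJ):
        print(finding)
```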