Security warning in YamlDotNet.Signed 4.2.1

Joar Øyen

Oct 17, 2018, 3:19:54 AM
to resharper-plugins
I got a security warning about my ReSharper extension on GitHub today due to an issue with YamlDotNet.Signed 4.3.2 and earlier; https://nvd.nist.gov/vuln/detail/CVE-2018-1000210

I've updated my extension to the latest ReSharper SDK (2108.2.3), but I'm not able to update to a patched YamlDotNet.Signed version due to a restrictive reference to this package in JetBrains.Psi.Features.Core 182.0.20180912.155425:
Unable to resolve dependencies. 'YamlDotNet.Signed 5.2.1' is not compatible with 'JetBrains.Psi.Features.Core 182.0.20180912.155425 constraint: YamlDotNet.Signed (= 4.2.1)', 'JetBrains.Psi.Features.src 182.0.20180912.155425 constraint: YamlDotNet.Signed (= 4.2.1)'.

I guess we need to wait for an updated ReSharper SDK to fix this?

Matt Ellis

Oct 17, 2018, 4:02:45 AM
to resharper-plugins
Thanks for letting us know - let me look into this.

Regards
Matt

Matt Ellis

Oct 19, 2018, 8:02:44 AM
to resharper-plugins
We've had a look at this, and the vulnerability is in a call path that we're not using, but we'll still be updating the dependency as part of 2018.3.

Regards
Matt