This policy applies to the DotNetAgents public core package surface.
Do not disclose suspected vulnerabilities through public issues. Until the public coordinated-disclosure contact is published, report findings through the maintainer contact channel used for the release candidate. The public mirror must not be enabled until this section carries a public security contact.
The public-core DotNetAgents.Documents package depends on DocumentFormat.OpenXml for Office file parsing. That dependency previously flowed a transitive reference to System.Security.Cryptography.Xml 9.0.0, which is affected by GHSA-37gx-xxp4-5rgx and GHSA-w3x6-4m5h-cxqf. The patched line is 10.0.x.
To keep the public build clean of NU1903 advisories, Directory.Build.props pins the package directly to 10.0.6 for the DotNetAgents.Documents project:

```xml
<PackageReference
  Include="System.Security.Cryptography.Xml"
  Version="10.0.6"
  Condition="'$(MSBuildProjectName)' == 'DotNetAgents.Documents'" />
```

The condition limits the pin to the one project that actually pulls in the transitive dependency; every other public-core package builds unchanged.
The pin can produce a cosmetic NU1510 not-prunable warning. That trade-off is intentional: an advisory-free build matters more than a clean prune report on a single package.
Remove the pin once both of the following are true:

- DocumentFormat.OpenXml ships a release whose own transitive graph resolves System.Security.Cryptography.Xml at 10.0.x or higher.
- A clean `dotnet restore` against DotNetAgents.Public.sln reports no NU1903 advisory for DotNetAgents.Documents without the Directory.Build.props pin.
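The two removal criteria can be checked mechanically. The script below is an added example, not code from the DotNetAgents repository: it parses `dotnet restore` output for NU1903 advisories attributed to DotNetAgents.Documents (ignoring the cosmetic NU1510 line), and separately checks that a resolved System.Security.Cryptography.Xml version sits on the 10.0.x patched line. The log lines are constructed to mirror the shape of NuGet's warnings; the severities are placeholders and the NU1510 message text is approximate.

```python
"""Gate for removing the System.Security.Cryptography.Xml pin.

Added example; reads a `dotnet restore` log and decides whether
DotNetAgents.Documents is free of NU1903 advisories. The sample logs
below are constructed, not captured from a real build.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# NuGet emits one NU1903 line per known vulnerability, prefixed by the
# project path that pulled the package in. Shape (assumed from NuGet's
# usual wording):
#   <path>.csproj : warning NU1903: Package '<id>' <ver> has a known
#   <severity> severity vulnerability, <advisory-url> [<sln>]
NU1903_RE = re.compile(
    r"(?P<project>[^\s:]+)\.csproj : warning NU1903: Package '(?P<pkg>[^']+)' "
    r"(?P<ver>\S+) has a known (?P<sev>\w+) severity vulnerability, (?P<url>\S+)"
)

# Patched line named by the policy: 10.0.x or higher.
PATCHED_LINE = (10, 0)


@dataclass(frozen=True)
class Advisory:
    project: str   # project name, e.g. DotNetAgents.Documents
    package: str
    version: str
    severity: str
    url: str


def parse_nu1903(log_text: str) -> list[Advisory]:
    """Extract every NU1903 advisory from restore/build output."""
    found: list[Advisory] = []
    for line in log_text.splitlines():
        m = NU1903_RE.search(line)
        if not m:
            continue
        # Reduce the csproj path to the project name used by the policy.
        project = m.group("project").replace("\\", "/").rsplit("/", 1)[-1]
        found.append(Advisory(project, m.group("pkg"), m.group("ver"),
                              m.group("sev"), m.group("url")))
    return found


def advisories_for(log_text: str, project: str = "DotNetAgents.Documents") -> list[Advisory]:
    return [a for a in parse_nu1903(log_text) if a.project == project]


def is_advisory_free(log_text: str, project: str = "DotNetAgents.Documents") -> bool:
    """Second removal criterion: no NU1903 for the named project."""
    return not advisories_for(log_text, project)


def parse_version(version: str) -> tuple[int, ...]:
    # Drop any pre-release suffix ("10.0.6-preview.1") before comparing.
    return tuple(int(p) for p in version.split("-", 1)[0].split("."))


def on_patched_line(version: str, patched: tuple[int, ...] = PATCHED_LINE) -> bool:
    """First removal criterion: resolved version is 10.0.x or higher."""
    return parse_version(version)[: len(patched)] >= patched


def pin_can_be_removed(unpinned_restore_log: str, resolved_xml_version: str) -> bool:
    """Both criteria must hold against a restore run WITHOUT the pin."""
    return on_patched_line(resolved_xml_version) and is_advisory_free(unpinned_restore_log)


# Constructed sample: restore without the pin, transitive 9.0.0 still present.
BEFORE_PIN_LOG = """\
/src/DotNetAgents.Documents/DotNetAgents.Documents.csproj : warning NU1903: Package 'System.Security.Cryptography.Xml' 9.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-37gx-xxp4-5rgx [/src/DotNetAgents.Public.sln]
/src/DotNetAgents.Documents/DotNetAgents.Documents.csproj : warning NU1903: Package 'System.Security.Cryptography.Xml' 9.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-w3x6-4m5h-cxqf [/src/DotNetAgents.Public.sln]
"""

# Constructed sample: restore with the pin; only the cosmetic NU1510 remains.
AFTER_PIN_LOG = """\
/src/DotNetAgents.Documents/DotNetAgents.Documents.csproj : warning NU1510: PackageReference System.Security.Cryptography.Xml will not be pruned. Consider removing this package from your dependencies, as it is likely unnecessary. [/src/DotNetAgents.Public.sln]
"""

if __name__ == "__main__":
    for name, log in (("before pin", BEFORE_PIN_LOG), ("after pin", AFTER_PIN_LOG)):
        print(f"{name}: advisory-free={is_advisory_free(log)}",
              [a.url.rsplit('/', 1)[-1] for a in advisories_for(log)])
    print("pin removable (10.0.6, clean log):", pin_can_be_removed(AFTER_PIN_LOG, "10.0.6"))
```

Run it against the actual `dotnet restore DotNetAgents.Public.sln` output captured to a file, with the pin temporarily deleted from Directory.Build.props, and only lift the pin when `pin_can_be_removed` returns true for the version OpenXml resolves on its own.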
Owner: the DotNetAgents maintainer driving the public-core release.