Details
Improvement
Resolution: Fixed
Major
Description
https://forums.couchbase.com/t/compromised-3rd-party-libraries/32278
I think the security scanning tool you're using to find that dependency may either be flawed or misconfigured. There is actually no combination of target frameworks for the Couchbase SDK that would ever bring in that dependency. The NETStandard.Library 1.6.1 dependency is overridden by NETStandard.Library 2.0.3 dependencies closer to the bottom of the dependency tree.
That said, this may be mitigated by an upgrade to App.Metrics 4.3.0, which offers a specific netstandard2.0 dependency list. Depends, again, on how your security scanning tool is looking at it.