Using DotNetZip 1.16.0

[CWolffIF]

Hi,

I think eXpandIO/24.1.701 is using DotNetZip 1.16.0 and there is no newer Version.

DotNetZip Directory Traversal vulnerability.
https://github.com/advisories/GHSA-xhg6-9j5j-w4vf

Can you change it?

[apobekiaris]

I did not checked yet how many resources needed to this task, however I want to give u my perspective about those vulnerability warnings. In short they are endless and can lead to spent a great number of resources to constantly upgrade all these packages we use, not to say that each upgrade may cost us another problem.

So, my strategy is not to change anything unless there is a reason and at least a basic research. Because yes there is a vunerability there but does it affect us? does it affect your projects? in what level?

Please provide details and then happy to put some time to see what's going on there.

Note this package is only used from the IO module (Windows) and to upgrade it to the System.IO.Compression it requires the following steps

1. Create sample
2. Upgrade the code
3. Test the code

they may look simple but timing wise it can take from a few hrs to a full day depending on what u find in your way.

[CWolffIF]

In principle I agree with you.
That´s why we try to avoid too many nugets, espacially if the function can be used by standard system. We use Devexpress as base system. Devexpress is maintened. eXpandFramework is based on Devexpress. Can ZIP/Compression functions be used by Devexpress, so that DotNetZip is not needed?

[apobekiaris]

eXpandFramework is based on Devexpress

not entirely true, eXpand uses packages from all nugget ecosystem. As I said there is no clarification where this vunerability affects u and making changes has a cost. When the IO module was authored there was no build in support so I chose this external lib