We just started using Sonatype Nexus Repository to protect ourselves from supply chain attacks, but we are unable to build our Azure Function project because it has critically vulnerable dependencies in the generated WorkerExtensions.csproj project, which we have no control over.
This is a security risk, especially in the kind of environment we work in, so we might have to ditch the idea of using Azure Functions altogether and just stick to ASP.NET Core, which is less than ideal since we will most likely benefit from the different features Functions have to offer...
The vulnerable packages are:
- Newtonsoft.Json.11.0.2
- Microsoft.AspNetCore.Routing.2.2.2
- Microsoft.Azure.WebJobs.Script.ExtensionsMetadataGenerator.4.0.1
Example from build output:
```
1>C:\Program Files\Microsoft Visual Studio\18\Professional\Common7\IDE\CommonExtensions\Microsoft\NuGet\NuGet.targets(198,5): warning : -------------------->>> Requested item is quarantined -------------------->>> FOR DETAILS SEE ------>>> https://redacted.iq.sonatype.app/ui/links/firewall/repositories/quarantinedComponent/REDACTED <<<------
1> Failed to download package 'Microsoft.AspNetCore.Routing.2.2.2' from 'https://redacted.repo.sonatype.app/repository/redacted-nuget/v3/content/0/microsoft.aspnetcore.routing/2.2.2/microsoft.aspnetcore.routing.2.2.2.nupkg'.
```
Would it be possible to at least update these? I don't know what ExtensionsMetadataGenerator is (it seems to be related to the legacy in-process model, which isn't even supported in .NET 10), but it was last updated in 2021, which seems like a very long time, and even if I somehow manage to force-update the others, there is no update for this one...
We are using .NET 10, the isolated worker model, and Visual Studio 2026; everything is as up to date as possible as far as I know...
Thank you!
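Added example, not code from the issue author, Sonatype, or the Azure Functions project: a small Python parser that pulls the quarantined packages out of a restore log in the format shown in the build output above, so the complete list can be collected from a CI log instead of being read off one warning at a time. The sample log is constructed: it reuses the two lines from the issue and adds invented lines (a second quarantined package, a download that failed with no Firewall warning in front of it, and a final restore line) to exercise the parser. The package ids, hostnames and quarantine links in it are placeholders, not real Nexus or IQ Server URLs.

```python
"""Extract quarantined NuGet packages from an MSBuild/NuGet restore log.

Added example (not part of the original issue). Sonatype Repository Firewall
surfaces a quarantined component as a NuGet.targets warning carrying a
details link, followed by a "Failed to download package" line naming the
package and the source URL. This parser pairs the two so each failed
download is reported with its quarantine link, and distinguishes downloads
that failed without a Firewall warning (ordinary network/source errors).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Firewall warning: the details link sits between "FOR DETAILS SEE ------>>>"
# and the trailing "<<<------".
QUARANTINE_RE = re.compile(
    r"Requested item is quarantined.*?(?P<url>https?://\S+?)\s*<<<"
)
FAILED_RE = re.compile(
    r"Failed to download package '(?P<name>[^']+)' from '(?P<src>[^']+)'"
)
# NuGet v3 flat-container layout: .../{id}/{version}/{id}.{version}.nupkg with a
# lower-cased id. Package ids contain dots, so the URL is the reliable way to
# tell where the id ends and the version starts.
NUPKG_RE = re.compile(r"/(?P<id>[^/]+)/(?P<ver>[^/]+)/(?P=id)\.(?P=ver)\.nupkg$")
# Fallback when the source URL is not a flat-container URL: the shortest id
# whose remainder is a dotted numeric version with an optional pre-release tag.
NAME_RE = re.compile(r"^(?P<id>.+?)\.(?P<ver>\d+(?:\.\d+)+(?:-[0-9A-Za-z.-]+)?)$")


@dataclass(frozen=True)
class FailedPackage:
    package_id: str
    version: str
    details_url: Optional[str]  # set only when Firewall quarantined the item

    @property
    def quarantined(self) -> bool:
        return self.details_url is not None


def split_id_version(name: str, source_url: str) -> Tuple[str, str]:
    """Split 'Newtonsoft.Json.11.0.2' into ('Newtonsoft.Json', '11.0.2')."""
    m = NUPKG_RE.search(source_url)
    if m and name.lower().endswith("." + m.group("ver").lower()):
        ver = m.group("ver")
        return name[: -(len(ver) + 1)], ver
    m = NAME_RE.match(name)
    if m:
        return m.group("id"), m.group("ver")
    return name, ""


def parse_restore_log(text: str) -> List[FailedPackage]:
    """Return each failed download once, paired with the preceding Firewall
    warning's details link when there was one."""
    found: List[FailedPackage] = []
    seen = set()
    pending_url: Optional[str] = None
    for line in text.splitlines():
        q = QUARANTINE_RE.search(line)
        if q:
            pending_url = q.group("url")  # applies to the next failed download
            continue
        f = FAILED_RE.search(line)
        if not f:
            continue
        pid, ver = split_id_version(f.group("name"), f.group("src"))
        pkg = FailedPackage(pid, ver, pending_url)
        pending_url = None
        key = (pid.lower(), ver.lower())
        if key not in seen:
            seen.add(key)
            found.append(pkg)
    return found


def quarantined_coordinates(text: str) -> List[str]:
    """Only the packages Firewall actually quarantined, as 'Id@Version'."""
    return [f"{p.package_id}@{p.version}" for p in parse_restore_log(text) if p.quarantined]


# Constructed sample log: the two lines from the issue plus invented lines.
# Hostnames, link suffixes and 'Example.Unrelated' are placeholders.
SAMPLE_LOG = r"""1>C:\Program Files\Microsoft Visual Studio\18\Professional\Common7\IDE\CommonExtensions\Microsoft\NuGet\NuGet.targets(198,5): warning : -------------------->>> Requested item is quarantined -------------------->>> FOR DETAILS SEE ------>>> https://redacted.iq.sonatype.app/ui/links/firewall/repositories/quarantinedComponent/REDACTED <<<------
1> Failed to download package 'Microsoft.AspNetCore.Routing.2.2.2' from 'https://redacted.repo.sonatype.app/repository/redacted-nuget/v3/content/0/microsoft.aspnetcore.routing/2.2.2/microsoft.aspnetcore.routing.2.2.2.nupkg'.
1>C:\Program Files\Microsoft Visual Studio\18\Professional\Common7\IDE\CommonExtensions\Microsoft\NuGet\NuGet.targets(198,5): warning : -------------------->>> Requested item is quarantined -------------------->>> FOR DETAILS SEE ------>>> https://redacted.iq.sonatype.app/ui/links/firewall/repositories/quarantinedComponent/REDACTED2 <<<------
1> Failed to download package 'Newtonsoft.Json.11.0.2' from 'https://redacted.repo.sonatype.app/repository/redacted-nuget/v3/content/0/newtonsoft.json/11.0.2/newtonsoft.json.11.0.2.nupkg'.
1> Failed to download package 'Example.Unrelated.1.0.0' from 'https://redacted.repo.sonatype.app/repository/redacted-nuget/v3/content/0/example.unrelated/1.0.0/example.unrelated.1.0.0.nupkg'.
1> Restore failed for WorkerExtensions.csproj.
"""

if __name__ == "__main__":
    for p in parse_restore_log(SAMPLE_LOG):
        state = "QUARANTINED " + p.details_url if p.quarantined else "download failed"
        print(f"{p.package_id}@{p.version}: {state}")
```

The flat-container URL is used to split id from version because a package id can itself contain dots (`Microsoft.AspNetCore.Routing`), so splitting the quoted name alone is ambiguous; the name-based fallback only runs when the source URL does not follow that layout. A download that fails with no Firewall warning in front of it stays in the result but is not reported as quarantined, so a plain network or source error is not mistaken for a policy block.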