I've been using Radzen Studio to create a major application which we haven't moved to Radzen Blazor Studio yet, as it's currently based on .NET 7. Radzen Studio uses the above package, which has been identified in a security review engaged by the client as having vulnerabilities related to remote code execution attacks.
Could I manually update the package to use v1.6.7 (the latest version) without impacting how the Radzen generated code works or breaking the application?
We cannot guarantee that just updating the package will remove the vulnerability error or will not change how the application works, since we completely abandoned this library and we haven't tested such cases.
I understand that this package isn't yours, so whether it removes the vulnerability isn't your responsibility or something I would expect you to guarantee.
I was more interested in finding out whether updating to 1.6.7 might break code generated by Radzen Studio, as it seems to still use this package as of now.
I did notice that Radzen Blazor Studio doesn't seem to be using it, and that might be what you're referring to as "completely abandoned".
We do have plans to update this app to use code generated by Radzen Blazor Studio, but thought in the meantime you might have some input given it's used by Radzen Studio. We won't risk updating the package, given we are in even less of a position than you to determine the impact it would have on code generated by Radzen Studio.
Neither Radzen Studio nor Radzen Blazor Studio is tied to this package in any way. Our component library Radzen.Blazor was referencing the Dynamic LINQ library, which we abandoned after the Radzen.Blazor 6.0 release exactly because of all the vulnerability issues. You can try to update just this library, and if the library authors made it backwards compatible after the vulnerability fixes it will work. What I was saying is that we don't know that, since we never tested any of their new versions.