@DavoudEshtehari Should I close#2578 then?

@ErikEJ Thank you for mentioning your PRs here. I hesitated to remove MIC on servicing versions.
@David-Engel What's your preference?

@DavoudEshtehari Agree, I will close my PRs

LGTM

This was fixed in the main branch by#2577 Wouldn't it make sense to use that change for the 5.1 branch too?
Related question:#2568 (comment)

Also, here is a request to bump further:#1108 (comment)

This was fixed in the main branch by#2577 Wouldn't it make sense to use that change for the 5.1 branch too? Related

This is already asked by Erik and he's agree with the argue.

Ok, but what about#1108 (comment)?
If I understand that correctly then the Azure dependency currently causes SqlClient to depend on the Windows Desktop runtime. And that dependency also flows to EF Core. (And that is relevant here because EF Core depends on SqlClient v5.1.)

Have you tried adding an Explict reference to the latest version??

Yes, I'm already doing that.
But still, if nothing speaks against it, the issue should be fixed here to spare others from losing time to it.

can we please get a patch out for this

@SimonCropp and others: Please read this:https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/

In particular the section "Recommended way to resolve warnings"

@ErikEJ that doc is poorly worded. it should be phrased

the way to temporary work around a transitive CVE is to add a direct reference. then, when the transitive CVE is fixed, that direct reference can be removed

we are are now at the second part.

if this is important enough to be included in a hotfix for an older version, doesnt it also qualify for a release of hotfix on the current version?

@SimonCropp See#2648 (comment)