Description
Library version used
6.0.2
.NET version
.NET 9
Scenario
Other - please specify
Is this a new or an existing app?
None
Issue description and reproduction steps
10 minutes ago I received this email from NuGet.org:
Dear Team,
We are reaching out to inform you of a critical update requirement for the Microsoft.Identity.Client package referenced in your project.
A previous version of this package contained a typo in a comment URL that inadvertently pointed to a typosquatting phishing site:
🔗 hXXps[:]//login[.]microsfoftonline[.]com/common
This URL has been flagged as ConfirmedMaliciousURL by multiple security vendors, including Avira, Sophos, and Bitdefender.
To address this, the team released a fix in version 4.72.1, published on May 20, as documented in their https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/releases/tag/4.72.1.
🚨 Required Action:
Please update to version 4.72.1 or later of Microsoft.Identity.Client immediately on your below packages:
DataJuggler.Blazor.Components 9.17.1
DataJuggler.Blazor.Components 9.17.0
We appreciate your prompt attention to this matter to help maintain a secure and trustworthy ecosystem.
If you have any questions or need assistance, feel free to reach out.
Best Regards,
NuGet Admin
After looking through several of my packages, I found the source package that references Microsoft.Identity.Client is Microsoft.Data.SqlClient. I have the latest version of Microsoft.Data.SqlClient installed, version 6.0.2.
If it is urgent to update Microsoft.Identity.Client, shouldn't Microsoft.Data.SqlClient be updated?
If you look in the attached image, you can see the transitive reference is for Microsoft.Data.SqlClient.
When I get off work I will test installing a later version of Microsoft.Identity.Client. I just feel like if this was discovered in May, Microsoft.Data.SqlClient should be updated.
I didn't know how to answer your question about MSAL as I have no idea what that is.
One interesting thing to note is, NuGet package manager shows 4.61.2 as Vulnerable not 4.61.3.
Relevant code snippets
N/A.
Expected behavior
Microsoft.Data.SqlClient would be updated with the latest version of Microsoft.Identity.Client.
Identity provider
Other
Regression
No response
Solution and workarounds
I don't use Identity at all in this scenario. I am using Microsoft.Data.SqlClient, which references Microsoft.Identity.Client, and you are telling me it is vulnerable. I am going to update my packages, but it seems your package should get updated if it is as urgent as NuGet says it is.
Strange they notified me about this package, but not several others that use it.
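A way to answer the question the report raises (which top-level packages pull Microsoft.Identity.Client in transitively, and whether the resolved version is below the 4.72.1 fix named in the notice) is to read the restore graph NuGet writes to obj/project.assets.json. This is an added example, not code from the issue or from the SqlClient project; the sample assets document is constructed, and its dependency versions are assumptions that mirror the report, not a statement of what Microsoft.Data.SqlClient 6.0.2 or Azure.Identity actually ship.

```python
import json

PACKAGE = "Microsoft.Identity.Client"
FIXED_VERSION = "4.72.1"  # first fixed version named in the NuGet notice quoted above

# Constructed sample of obj/project.assets.json, cut down to the fields this check
# reads; dependency versions are assumptions that mirror the report.
SAMPLE_ASSETS = json.dumps({
    "targets": {
        "net9.0": {
            "Microsoft.Data.SqlClient/6.0.2": {
                "type": "package",
                "dependencies": {"Microsoft.Identity.Client": "4.61.3", "Azure.Identity": "1.11.4"}},
            "Azure.Identity/1.11.4": {
                "type": "package",
                "dependencies": {"Microsoft.Identity.Client": "4.61.3"}},
            "Microsoft.Identity.Client/4.61.3": {"type": "package"},
        }}})


def parse_version(version):
    """Numeric core of a NuGet version; prerelease/build suffixes are ignored."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def audit(assets_json, package=PACKAGE, fixed=FIXED_VERSION):
    """Per target framework: the resolved version of `package`, every package whose
    dependency list pulls it in, and whether the resolved version is below the fix."""
    data = json.loads(assets_json)
    findings = []
    for framework, nodes in data.get("targets", {}).items():
        resolved, parents = None, []
        for node_id, node in nodes.items():
            name, _, version = node_id.partition("/")  # node ids look like "Name/Version"
            if name == package:
                resolved = version
            if package in node.get("dependencies", {}):
                parents.append(name)
        if resolved is not None:
            findings.append({
                "framework": framework,
                "resolved": resolved,
                "pulled_in_by": sorted(parents),
                "needs_update": parse_version(resolved) < parse_version(fixed),
            })
    return findings


if __name__ == "__main__":
    import sys  # usage: python audit_msal.py obj/project.assets.json (sample if no path given)
    print(json.dumps(audit(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ASSETS), indent=2))
```

NuGet resolves one version per framework, so a single finding per target is expected even when several parents reference the package; after adding a direct reference to 4.72.1 or later and restoring, the same script should report needs_update false.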