System.IO.Packaging version 8.0.0 transitive reference issue via DocumentFormat.OpenXml version 3.1.0 - CVE-2024-43483, CVE-2024-43484

[tvbishan]

Describe the bug
I encountered an issue with a transitive reference to System.IO.Packaging version 8.0.0 when using DocumentFormat.OpenXml version 3.1.0. The package reference appears as a warning in the NuGet package manager (screenshot attached).

Screenshots

To Reproduce

Steps to reproduce the behavior:

1. Add DocumentFormat.OpenXml version 3.1.0 to the project.
2. Observe the transitive dependency on System.IO.Packaging 8.0.0 in the package manager.

Observed behavior
A warning is displayed in the NuGet package manager.

Expected behavior
No warning or a clear explanation of the transitive dependency being safe to use.

Desktop (please complete the following information):

• OS: Windows 11, Alpine 3.20.3
• .NET Target: .NET Core 8
• DocumentFormat.OpenXml Version: 3.1.0

[MaCToXiIcK]

Hello,

I noticed that you have updated the package, but no release has been made. Could you let me know when it is scheduled?

Regards

[udlose]

@mikeebowen I can see that there is now a 3.1.1 release. I cleared my nuget package cache. However, I don't see the new version on nuget.org. Any ideas?

[mikeebowen]

Hi @udlose, 3.1.1 is available now on NuGet. Sometimes the feed can take a little while to update.