
Clarification on Licensing When Upgrading Transitive Dependency #2860

Answered by JimBobSquarePants
mrange asked this question in Q&A

Hi,

Apologies if this has been addressed elsewhere—I couldn't find it.

We use IronPdf 2024.11.4, which has a transitive dependency on SixLabors.ImageSharp 3.1.5 and SixLabors.ImageSharp.Drawing 3.1.5. Based on my understanding, this qualifies us to use ImageSharp under the Apache 2.0 license.

Our Software Composition Analysis tool flagged a vulnerability in SixLabors.ImageSharp 3.1.5, so I’d like to upgrade to 3.1.6. To do this, I would typically add a direct dependency on SixLabors.ImageSharp 3.1.6 in our .csproj file.

Does adding this direct dependency (solely to upgrade the transient dependency, without directly using ImageSharp in our code) still fall within the terms of the Apache 2.0 license?

Thank you for your guidance!

Best regards,
Mårten



Hi Mårten,

Yes, adding a direct reference means that the dependency no longer becomes transitive and, as such, falls under the terms of the commercial license.

I'm very curious about the potential vulnerability that was flagged. We have no known vulnerability for that version of the library. Any and all detail that can be provided regarding the analysis tool and the potential vulnerability itself would be very useful.


Here is a public link to the issue: https://intel.aikido.dev/cve/AIKIDO-2024-10455

How can we upgrade this dependency and still keep the Apache v2 license?

@JimBobSquarePants

The issue misreports the bug as a vulnerability. It cannot be triggered by any form of external input.

If you want IronPdf to upgrade you will need to contact them directly. Any change to utilising a direct dependency will change your license terms.

Answer selected by mrange
@willem-delbare

@JimBobSquarePants Thanks for the heads up! We have retracted the vulnerability from the database.


Thanks for your help.


Just FYI I talked to Aikido and they said they will delete the issue.
