Target netstandard2.0 in OneOf.Extended

[Swimburger]

We enjoy using OneOf and are also using OneOf.Extended. Unfortunately, OneOf.Extended targets netstandard1.3, but not more recent versions, which introduce vulnerable transitive dependencies to consumers of our libraries.

Our libraries don't target netstandard1.3, but because netstandard1.3 is the highest version and is compatible with our .NET (Core) TFMs, it uses the netstandard1.3 build.
As a result, we're forced to include System.Net.Http as a direct nuget dependency to overwrite the version used.

Here's the .NET CLI reporting the vulnerable dependency:

dotnet list OneOf.Extended package --vulnerable --include-transitive

The following sources were used:
   https://api.nuget.org/v3/index.json

Project `OneOf.Extended` has the following vulnerable packages
   [net35]: No vulnerable packages for this framework.
   [net451]: No vulnerable packages for this framework.
   [netstandard1.3]: 
   Transitive Package                    Resolved   Severity   Advisory URL                                     
   > System.Net.Http                     4.3.0      High       https://github.com/advisories/GHSA-7jgj-8wvc-jh57
   > System.Text.RegularExpressions      4.3.0      High       https://github.com/advisories/GHSA-cmhx-cq75-c4mj

This PR adds netstandard2.0 as a TFM which will fix the issue for consumers using netstandard2.0 or above.

output:

dotnet list OneOf.Extended package --vulnerable --include-transitive

The following sources were used:
   https://api.nuget.org/v3/index.json

Project `OneOf.Extended` has the following vulnerable packages
   [net35]: No vulnerable packages for this framework.
   [net451]: No vulnerable packages for this framework.
   [netstandard1.3]: 
   Transitive Package                    Resolved   Severity   Advisory URL                                     
   > System.Net.Http                     4.3.0      High       https://github.com/advisories/GHSA-7jgj-8wvc-jh57
   > System.Text.RegularExpressions      4.3.0      High       https://github.com/advisories/GHSA-cmhx-cq75-c4mj

   [netstandard2.0]: No vulnerable packages for this framework.

---

Update: I conditionally include a package reference to the vulnerable packages to set their minimum version only when building for netstandard1.3. (Also fixed in OneOf main). I can revert this change tho. Our customers don't use netstandard1.3, so building for 2.0 is sufficient for us.

dotnet list OneOf.Extended package --vulnerable --include-transitive

The following sources were used:
   https://api.nuget.org/v3/index.json

The given project `OneOf.Extended` has no vulnerable packages given the current sources.

[Swimburger]

Can this be merged? We really appreciate this project, but we cannot depend on it if it isn't patched for security vulnerabilities. We'll have to fork it or find an alternative.

[rogerbarreto]

@Swimburger forking maybe, 2mo is quite some time for no interactions regarding a vulnerability issue.

[emperador-ming]

@mcintyre321 it would be awesome for OneOf to accept this vulnerability patch!

[MPapst]

Info: you can pin the transient package versions using Central Package Management

Especially these two are pinned in all my projects, because of dependencies in some library in my test projects.

[Swimburger]

@MPapst that only works for consumers of libraries, but we're providing libraries to other customers, so it's not a working solution for us unfortunately.

[drauch]

I want to re-ask about whether this can be merged. Please.

Best regards,
D.R.