Clarification on Licensing When Upgrading Transitive Dependency

[mrange]

Hi,

Apologies if this has been addressed elsewhere—I couldn't find it.

We use IronPdf 2024.11.4, which has a transitive dependency on SixLabors.ImageSharp 3.1.5 and SixLabors.ImageSharp.Drawing 3.1.5. Based on my understanding, this qualifies us to use ImageSharp under the Apache 2.0 license.

Our Software Composition Analysis tool flagged a vulnerability in SixLabors.ImageSharp 3.1.5, so I’d like to upgrade to 3.1.6. To do this, I would typically add a direct dependency on SixLabors.ImageSharp 3.1.6 in our .csproj file.

Does adding this direct dependency (solely to upgrade the transient dependency, without directly using ImageSharp in our code) still fall within the terms of the Apache 2.0 license?

Thank you for your guidance!

Best regards,
Mårten

[JimBobSquarePants]

Hi Mårten,

Yes, adding a direct reference means that the dependency no longer becomes transitive and, as such, falls under the terms of the commercial license.

I'm very curious about the potential vulnerability that was flagged. We have no known vulnerability for that version of the library. Any and all detail that can be provided regarding the analysis tool and the potential vulnerability itself be very useful.

[mrange]

Here is public link to the issue: https://intel.aikido.dev/cve/AIKIDO-2024-10455

How can we upgrade this dependency and still keep the Apache v2 license?

[JimBobSquarePants]

The issue misreports the bug as a vulnerability. It cannot be triggered by any form of external input.

If you want IronPdf to upgrade you will need to contact them directly. Any change to utilising a direct dependency will change your license terms.

[willem-delbare]

@JimBobSquarePants Thanks for the heads up! We have retracted the vulnerability from the database.

[mrange]

Thanks for your help.

[mrange]

Just FYI I talked to Aikido and they said they will delete the issue.