Version of MongoDB.Driver.Core contain vulerability

[thompson-tomo]

APM Agent version

Elastic.Apm.MongoDb

Describe the bug

All versions of the library are using a version of MongoDB.Driver.Core which has an identified vulnerability which has been fixed in newer version of the library

To Reproduce

Install Elastic.Apm.MongoDb
Observe when looking at transitive packages that the vulenerable System.Net.Security is there which has been added due to the version of MongoDB.Driver.Core being used

Expected behavior

No vulnerabilities being added to projects

Expected actions

The version of MongoDB.Driver.Core included in the library is increased to atleast 2.8.0 or removed if not needed

[Mpdreamz]

We'll update this dependency, however its rare MongoDB.Driver.Core is a transitive dependency that is pulled in through our instrumentation.

More typically they are both installed and listed explicitly and the highest version will win.

[thompson-tomo]

Thanks I think it is more common than you think as all users of Elastic.Apm.NetCoreAll are affected and what % of those users are actually using mongodb. I alone am up to 20 affected projects none of which use mongodb

[Mpdreamz]

That's a great callout @thompson-tomo, will see to it we'll bump this dependency this week.