@WanjohiSammy
Member

Issues

This pull request fixes #xxx.

Description

Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of expressions with a high nesting level, which leads to a StackOverflow exception or high CPU and RAM usage.

This PR handles this security vulnerability by updating the affected dependencies:

Checklist (Uncheck if it is not completed)

  • Test cases added
  • Build and test with one-click build and test script passed

Additional work necessary

If documentation update is needed, please add "Docs Needed" label to the issue and provide details about the required document change in the issue.
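The nesting-depth problem the description refers to is bounded in Newtonsoft.Json by the `MaxDepth` reader setting (13.0.1 made a default limit of 64 apply; earlier versions enforced no limit unless one was set). The program below is an added example and not code from this PR or the OData project; the class and method names and the constructed payload are mine, and it assumes only the Newtonsoft.Json NuGet package. It shows that a reader with a depth limit rejects an over-nested document with `JsonReaderException` instead of recursing until the stack is exhausted.

```csharp
// Added example (not part of the OData PR): bounding JSON nesting depth with
// Newtonsoft.Json's MaxDepth so an over-nested payload fails fast.
using System;
using System.Text;
using Newtonsoft.Json;

public static class NestingDepthDemo
{
    // Constructed test input: `depth` nested empty arrays, e.g. "[[[[]]]]".
    public static string BuildNestedArrays(int depth)
    {
        var sb = new StringBuilder(depth * 2);
        sb.Append('[', depth);
        sb.Append(']', depth);
        return sb.ToString();
    }

    // Returns true when the document parses under the given limit and false
    // when Newtonsoft.Json rejects it. The reader throws JsonReaderException
    // ("The reader's MaxDepth of N has been exceeded.") as soon as one more
    // container would exceed maxDepth, so no deep recursion ever happens.
    public static bool TryParseWithLimit(string json, int maxDepth)
    {
        var settings = new JsonSerializerSettings { MaxDepth = maxDepth };
        try
        {
            JsonConvert.DeserializeObject(json, settings);
            return true;
        }
        catch (JsonReaderException ex)
        {
            Console.WriteLine($"Rejected: {ex.Message}");
            return false;
        }
    }

    public static void Main()
    {
        const int limit = 64;

        // A shallow document is well within the limit and parses normally.
        Console.WriteLine(TryParseWithLimit(BuildNestedArrays(10), limit));

        // A document nested far deeper than any legitimate payload is
        // rejected at depth 65, long before the parser's stack is at risk.
        Console.WriteLine(TryParseWithLimit(BuildNestedArrays(10_000), limit));
    }
}
```

In an ASP.NET Core service the same limit is set once on the MVC formatter, e.g. `services.AddControllers().AddNewtonsoftJson(o => o.SerializerSettings.MaxDepth = 32);`, so every request body is parsed under it regardless of which Newtonsoft.Json version the transitive dependency resolves to; the explicit setting is what a defender should verify rather than relying on the package default alone.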

@WanjohiSammy
Member Author

/AzurePipeline run OData-AspNetCoreOData-main-rolling-1ES

@azure-pipelines

No pipelines are associated with this pull request.


Copilot AI left a comment


Pull Request Overview

This PR fixes a known vulnerability by updating key package dependencies used by Newtonsoft.Json.

  • Upgrade Microsoft.AspNetCore.Mvc.NewtonsoftJson from version 5.0.0 to 8.0.17
  • Upgrade Microsoft.CodeAnalysis.FxCopAnalyzers from version 2.9.8 to 3.3.2
Comments suppressed due to low confidence (2)

src/Microsoft.AspNetCore.OData.NewtonsoftJson/Microsoft.AspNetCore.OData.NewtonsoftJson.csproj:19

  • The upgrade to version 8.0.17 may introduce breaking changes in API behavior compared to version 5.0.0. It is recommended to review the migration guide and update related code if necessary.
<PackageReference Include="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="8.0.17" />

src/Microsoft.AspNetCore.OData.NewtonsoftJson/Microsoft.AspNetCore.OData.NewtonsoftJson.csproj:20

  • The new version of FxCopAnalyzers may enforce additional or modified rules. Please verify that the codebase complies with any new analyzer recommendations.
<PackageReference Include="Microsoft.CodeAnalysis.FxCopAnalyzers" Version="3.3.2">

KenitoInc previously approved these changes Jun 16, 2025
gathogojr previously approved these changes Jun 16, 2025
xuzhg previously approved these changes Jun 16, 2025
@WanjohiSammy
Member Author

/AzurePipeline run

@azure-pipelines

No pipelines are associated with this pull request.

@WanjohiSammy
Member Author

/AzurePipeline run

@azure-pipelines

No pipelines are associated with this pull request.

@WanjohiSammy
Member Author

/AzurePipeline run

@azure-pipelines

No pipelines are associated with this pull request.

@WanjohiSammy
Member Author

/AzurePipeline run

@azure-pipelines

No pipelines are associated with this pull request.

@WanjohiSammy WanjohiSammy dismissed stale reviews from xuzhg, gathogojr, and KenitoInc via 78ca070 June 18, 2025 10:56
@WanjohiSammy
Member Author

/AzurePipelines run OData-AspNetCoreOData-main-rolling-1ES

@azure-pipelines

No pipelines are associated with this pull request.

@WanjohiSammy WanjohiSammy requested review from gathogojr and xuzhg June 18, 2025 11:00
@WanjohiSammy WanjohiSammy requested a review from KenitoInc June 18, 2025 11:00
@WanjohiSammy WanjohiSammy merged commit 7c6fdbb into main Jun 18, 2025
2 checks passed
@WanjohiSammy WanjohiSammy deleted the fix/upgrade-dependencies-vulnerability branch June 18, 2025 19:28
ArnaudB88 added a commit to ArnaudB88/OData2Linq that referenced this pull request Jul 16, 2025
* Migrate to ESRP v5 (OData#1421)

* Migrate to ESRP v5

* Replace raw resource identifiers with variables

* Fix typo in KV variable

* Add Obsolete attribute to EdmDeltaResourceObject and
EdmDeltaComplexObject type

* Fix regression causing navigation properties to be auto-expanded in typeless scenarios (OData#1424)

* Bump version to 9.2.1 (OData#1437)

* Fix an issue where multiple flags are set and ensure correct deserialization (OData#1442)

* Fixes OData#1455 Add ISearchQueryValidator (OData#1456)

* Restructure AggregationBinder and ComputeBinder for extensibility (port OData#1378) (OData#1457)

* Bump version to 9.3.0 (OData#1464)

* Fix the typo of generaticType

* Fixes OData#580 Change PageResult<T> property names on serialization

* Fixes OData#1472: Custom ISearchBinder does not support deeply nested $expand (OData#1474)

* Fixes OData#1472: Custom ISearchBinder does not support deeply nested $expand

* Address the comments.

* Ensuring Url safe string key values. Aligning with ODL Client. Fixes OData#1390. (OData#1396)

* CA2254 fixes possible formatting errors

* bump to release version 9.3.1

* Enable minimal API OData (OData#1469)

* Enable minimal API OData

* Simply exclude the metadata and servicedocument result out from the filter.

* add content-type into response header

* Enable Delta<T> as parameter

* update the comments and public api

* Bump to version 9.4.0 preview

* Fixes OData#1483: Regression with computed in $orderby with 'Could not find a property named xxx on ....' (OData#1486)

* Fixes OData#1483: Regression with computed in $orderby with 'Could not find a property named xxx on ....'

* Bump version to 9.3.2

* Fixes OData#1487 : Minimal API TimeZoneInfo for Serialization (OData#1488)

* Fixes OData#1487 : Minimal API TimeZoneInfo for Serialization
minimalApi

Enable ODataActionParameter and ODataUntypedActionParameter binding

* Address the comment to move the error message to Resources

* Resolve the issue with IAsyncEnumerable (OData#1467)

* Resolve the issue with IAsyncEnumerable

* Resolve FormatException by escaping curly brackets and add tests for SRResources (OData#1475)

* Fix vulnerable dependencies in newtonsoft.json (OData#1489)

* Fix vulnerable dependencies
* Replace Microsoft.CodeAnalysis.FxCopAnalyzers with Microsoft.CodeAnalysis.NetAnalyzers

* Fixes OData#1494: Enable DeltaSet<T> for minimal API parameter binding
ArnaudB88 added a commit to ArnaudB88/OData2Linq that referenced this pull request Jul 16, 2025
* bump version

* Update reference to ASP.NET Core OData v9.3.2 (#7)

* Migrate to ESRP v5 (OData#1421)

* Migrate to ESRP v5

* Replace raw resource identifiers with variables

* Fix typo in KV variable

* Add Obsolete attribute to EdmDeltaResourceObject and
EdmDeltaComplexObject type

* Fix regression causing navigation properties to be auto-expanded in typeless scenarios (OData#1424)

* Bump version to 9.2.1 (OData#1437)

* Fix an issue where multiple flags are set and ensure correct deserialization (OData#1442)

* Fixes OData#1455 Add ISearchQueryValidator (OData#1456)

* Restructure AggregationBinder and ComputeBinder for extensibility (port OData#1378) (OData#1457)

* Bump version to 9.3.0 (OData#1464)

* Fix the typo of generaticType

* Fixes OData#580 Change PageResult<T> property names on serialization

* Fixes OData#1472: Custom ISearchBinder does not support deeply nested $expand (OData#1474)

* Fixes OData#1472: Custom ISearchBinder does not support deeply nested $expand

* Address the comments.

* Ensuring Url safe string key values. Aligning with ODL Client. Fixes OData#1390. (OData#1396)

* CA2254 fixes possible formatting errors

* bump to release version 9.3.1

* Enable minimal API OData (OData#1469)

* Enable minimal API OData

* Simply exclude the metadata and servicedocument result out from the filter.

* add content-type into response header

* Enable Delta<T> as parameter

* update the comments and public api

* Bump to version 9.4.0 preview

* Fixes OData#1483: Regression with computed in $orderby with 'Could not find a property named xxx on ....' (OData#1486)

* Fixes OData#1483: Regression with computed in $orderby with 'Could not find a property named xxx on ....'

* Bump version to 9.3.2

* Fixes OData#1487 : Minimal API TimeZoneInfo for Serialization (OData#1488)

* Fixes OData#1487 : Minimal API TimeZoneInfo for Serialization
minimalApi

Enable ODataActionParameter and ODataUntypedActionParameter binding

* Address the comment to move the error message to Resources

* Resolve the issue with IAsyncEnumerable (OData#1467)

* Resolve the issue with IAsyncEnumerable

* Resolve FormatException by escaping curly brackets and add tests for SRResources (OData#1475)

* Fix vulnerable dependencies in newtonsoft.json (OData#1489)

* Fix vulnerable dependencies
* Replace Microsoft.CodeAnalysis.FxCopAnalyzers with Microsoft.CodeAnalysis.NetAnalyzers

* Fixes OData#1494: Enable DeltaSet<T> for minimal API parameter binding
5 participants