Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependencies to remove Newtonsoft.Json. (GHSA-5crp-9r3c-p9vr) #2615

Merged
merged 4 commits into from
Jun 29, 2022
Merged

Update dependencies to remove Newtonsoft.Json. (GHSA-5crp-9r3c-p9vr) #2615

merged 4 commits into from
Jun 29, 2022

Conversation

TimothyMothra
Copy link
Member

@TimothyMothra TimothyMothra commented Jun 28, 2022
edited
Loading

#2468

Newtonsoft.Json has a security vulnerability that affects all versions < 13.0.1.

This is an implicit dependency in the Microsoft.ApplicationInsights.AspNetCore SDK.

  • Microsoft.ApplicationInsights.AspNetCore v2.20.0
    • Microsoft.Extensions.Configuration.Json v2.1.0
      • Newtonsoft.Json v11.02

Changes

  • Upgrade Microsoft.Extensions.Configuration.Json from v2.1.0 to v3.1.0.
    Microsoft.Extensions.Configuration.Json removed its dependency on Newtonsoft.Json in v3.0.0. v3.0.0 is no longer supported, next lowest supported version is v3.1.0.
  • Upgrade System.Text.Encodings.Web from 4.5.1 to 4.7.2.
    Upgrading Microsoft.Extensions.Configuration.Json has a side effect of implicitly upgrading our dependency on System.Text.Encodings.Web from v4.5.1 to v4.7.0. Unfortunately, v4.7.0 also has a security vulnerability. Next lowest supported version is v4.7.2.
  • Remove dependency from Test project.

@TimothyMothra TimothyMothra changed the title [WIP] Testing removing Newtonsoft (GHSA-5crp-9r3c-p9vr) Update dependencies to remove Newtonsoft.Json. (GHSA-5crp-9r3c-p9vr) Jun 29, 2022
@TimothyMothra TimothyMothra marked this pull request as ready for review June 29, 2022 17:26
@TimothyMothra TimothyMothra added this to the 2.21 milestone Jun 29, 2022
cijothomas
cijothomas reviewed Jun 29, 2022
View reviewed changes
NETCORE/test/FunctionalTests.WebApi.Tests/FunctionalTests.WebApi.Tests.csproj
@@ -26,7 +26,6 @@
<PackageReference Include="Microsoft.AspNetCore.Mvc" Version="2.1.1" />
<PackageReference Include="Microsoft.AspNetCore.Mvc.WebApiCompatShim" Version="2.1.1" />
<PackageReference Include="Microsoft.AspNetCore.StaticFiles" Version="2.2.0" />
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

separately, these tests still use 2.. It should be bumped to 3.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is out of scope for this PR. I'll make a note to review all of these when we start assessing .NET 7

cijothomas
cijothomas reviewed Jun 29, 2022
View reviewed changes
CHANGELOG.md Outdated Show resolved Hide resolved
@TimothyMothra TimothyMothra mentioned this pull request Jun 29, 2022
Closed
3 tasks
@TimothyMothra TimothyMothra enabled auto-merge (squash) June 29, 2022 18:07
@TimothyMothra TimothyMothra merged commit d85fadc into main Jun 29, 2022
@TimothyMothra TimothyMothra deleted the tilee/newtonsoft branch June 29, 2022 18:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rajkumar-rangaraj rajkumar-rangaraj rajkumar-rangaraj approved these changes

@cijothomas cijothomas cijothomas approved these changes

Assignees
No one assigned
Labels
sdl
Projects
None yet
Milestone
2.21
Development

Successfully merging this pull request may close these issues.
3 participants
@TimothyMothra @cijothomas @rajkumar-rangaraj