Skip to content

Bump System.Text.Json to 8.0.4 due to CVE-2024-30105 #1945

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jul 11, 2024
Merged

Bump System.Text.Json to 8.0.4 due to CVE-2024-30105 #1945

merged 4 commits into from
Jul 11, 2024

Conversation

@Kielek
Copy link
Member

@Kielek Kielek commented Jul 10, 2024
edited
Loading

Follow up to open-telemetry/opentelemetry-dotnet#5744
Handles GHSA-hh2w-p6rv-4g7w

Changes

Bump System.Text.Json to 8.0.4
It fixes build pipelines. Now, packages referencing System.Text.Json are failing.

Merge requirement checklist

  • CONTRIBUTING guidelines followed (license requirements, nullable enabled, static analysis, etc.)
  • [ ] Unit tests added/updated
  • Appropriate CHANGELOG.md files updated for non-trivial changes
  • [ ] Changes in public API reviewed (if applicable)

@github-actions github-actions bot added infra Infra work - CI/CD, code coverage, linters comp:extensions.aws Things related to OpenTelemetry.Extensions.AWS comp:instrumentation.confluentkafka Things related to OpenTelemetry.Instrumentation.ConfluentKafka comp:instrumentation.elasticsearchclient Things related to OpenTelemetry.Instrumentation.ElasticsearchClient comp:resources.aws Things related to OpenTelemetry.Resources.AWS comp:resources.azure Things related to OpenTelemetry.Resources.Azure comp:resources.gcp Things related to OpenTelemetry.Resources.Gcp comp:sampler.aws Things related to OpenTelemetry.Samplers.AWS comp:instrumentation.http Things related to OpenTelemetry.Instrumentation.Http labels Jul 10, 2024
@codecov
Copy link

codecov bot commented Jul 10, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 66.78%. Comparing base (71655ce) to head (001e70a).
Report is 354 commits behind head on main.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #1945      +/-   ##
==========================================
- Coverage   73.91%   66.78%   -7.14%     
==========================================
  Files         267      182      -85     
  Lines        9615     8005    -1610     
==========================================
- Hits         7107     5346    -1761     
- Misses       2508     2659     +151
Flag Coverage Δ
unittests-Instrumentation.Http 81.41% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

see 316 files with indirect coverage changes

@github-actions github-actions bot requested review from CodeBlanch and reyang July 10, 2024 08:45
@github-actions github-actions bot added the comp:exporter.onecollector Things related to OpenTelemetry.Exporter.OneCollector label Jul 10, 2024
@Kielek Kielek changed the title Bump System.Text.Json to 8.0.5 due to CVE-2024-30105 Bump System.Text.Json to 8.0.4 due to CVE-2024-30105 Jul 10, 2024
@Kielek Kielek marked this pull request as ready for review July 10, 2024 08:54
@Kielek Kielek requested a review from a team July 10, 2024 08:54
@cremor
Copy link

cremor commented Jul 10, 2024

FYI: open-telemetry/opentelemetry-dotnet#5744 (comment)

@github-actions github-actions bot removed the infra Infra work - CI/CD, code coverage, linters label Jul 11, 2024
@github-actions github-actions bot removed the comp:instrumentation.elasticsearchclient Things related to OpenTelemetry.Instrumentation.ElasticsearchClient label Jul 11, 2024
@github-actions github-actions bot removed comp:extensions.aws Things related to OpenTelemetry.Extensions.AWS comp:resources.azure Things related to OpenTelemetry.Resources.Azure comp:exporter.onecollector Things related to OpenTelemetry.Exporter.OneCollector comp:sampler.aws Things related to OpenTelemetry.Samplers.AWS comp:resources.gcp Things related to OpenTelemetry.Resources.Gcp labels Jul 11, 2024
@github-actions github-actions bot removed the comp:resources.aws Things related to OpenTelemetry.Resources.AWS label Jul 11, 2024
@Kielek Kielek merged commit 50c055c into open-telemetry:main Jul 11, 2024
@Kielek Kielek deleted the bump-system-text-json branch July 11, 2024 04:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ejsmith ejsmith Awaiting requested review from ejsmith

@g7ed6e g7ed6e Awaiting requested review from g7ed6e

@matt-hensley matt-hensley Awaiting requested review from matt-hensley

@ppittle ppittle Awaiting requested review from ppittle

@pyohannes pyohannes Awaiting requested review from pyohannes

@rajkumar-rangaraj rajkumar-rangaraj Awaiting requested review from rajkumar-rangaraj

@srprash srprash Awaiting requested review from srprash

@CodeBlanch CodeBlanch Awaiting requested review from CodeBlanch

@reyang reyang Awaiting requested review from reyang

1 more reviewer

@vishweshbankwar vishweshbankwar vishweshbankwar approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@g7ed6e g7ed6e

@ppittle ppittle

@srprash srprash

Labels

comp:instrumentation.confluentkafka Things related to OpenTelemetry.Instrumentation.ConfluentKafka comp:instrumentation.http Things related to OpenTelemetry.Instrumentation.Http

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@Kielek @cremor @vishweshbankwar @g7ed6e @ppittle @srprash