
Update system text json to non vulnerable version #3207

Open

Adishone wants to merge 2 commits into master

Conversation

@Adishone commented Dec 20, 2024

Pull Request

The issue or feature being addressed

The System.Text.Json package used is really outdated and has known vulnerabilities.

Details on the issue fix or feature implementation

System.Text.Json is known to have vulnerabilities, so I'm updating it to a version that has them fixed.

@martincostello (Collaborator) commented
Thanks for your PR - this package is specifically pinned to the minimum compatible version because:

  1. It's only used for 3 packages, and then only for the netstandard2.0 target framework - other targets will use the in-box version of System.Text.Json, whatever it happens to be for the consuming application.
  2. It avoids creating any compatibility issues from a giant leap forward in the version of System.Text.Json (4 major versions, or 5 if we used 9.0.0 instead) used with .NET Framework applications. Testing that such a change doesn't break things is too much of a burden for us to test.
  3. We don't want to create churn by having to release a new version of Swashbuckle every time there's a vulnerability in a dependency we happen to use.

Users who aren't otherwise already using a newer patched version in their application's dependency tree can add an explicit reference to a newer version.

You can see which packages we pin here:

```yaml
ignore:
  # Ignore the libraries which are "pinned"
  - dependency-name: "IdentityServer4"
  - dependency-name: "IdentityServer4.AccessTokenValidation"
  - dependency-name: "Microsoft.AspNetCore"
  - dependency-name: "Microsoft.AspNetCore.App"
  - dependency-name: "Microsoft.AspNetCore.Mvc.ApiExplorer"
  - dependency-name: "Microsoft.AspNetCore.Mvc.DataAnnotations"
  - dependency-name: "Microsoft.AspNetCore.Mvc.Formatters.Json"
  - dependency-name: "Microsoft.AspNetCore.Mvc.NewtonsoftJson"
  - dependency-name: "Microsoft.AspNetCore.Mvc.Testing"
  - dependency-name: "Microsoft.AspNetCore.Routing"
  - dependency-name: "Microsoft.AspNetCore.StaticFiles"
  - dependency-name: "Microsoft.Extensions.FileProviders.Embedded"
  - dependency-name: "Microsoft.OpenApi"
  - dependency-name: "Microsoft.OpenApi.Readers"
  - dependency-name: "System.Text.Json"
```
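The explicit reference the comment above recommends, shown as an added example that is not part of this PR or of the Swashbuckle repository. It is a fragment for the consuming application's own project file (SDK-style `.csproj` or `Directory.Build.props`), assuming a `PackageReference`-based project; the version `9.0.0` is taken from the comment and stands in for whatever patched version your own audit reports.

```xml
<!-- Added example, not from the Swashbuckle repository or this PR.
     Drop this ItemGroup into the consuming application's .csproj.
     A direct (top-level) PackageReference takes precedence over the
     transitive minimum that the netstandard2.0 build of Swashbuckle
     pulls in, so the app resolves the patched package without waiting
     for a new Swashbuckle release. -->
<ItemGroup>
  <!-- 9.0.0 is the version named in the maintainer's comment; replace it
       with the version your vulnerability audit reports as patched. -->
  <PackageReference Include="System.Text.Json" Version="9.0.0" />
</ItemGroup>
```

To confirm the override took effect, run `dotnet list package --vulnerable --include-transitive` in the application directory before and after adding the reference; the transitive System.Text.Json entry should disappear from the vulnerable list. On .NET Framework targets, also make sure assembly binding redirects are regenerated after the upgrade, since the older transitive version will otherwise still be what the runtime binds to.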
