From running `dotnet list package --vulnerable --include-transitive` in CloudNative.CloudEvents.AspNetCore:

```text
Project `CloudNative.CloudEvents.AspNetCore` has the following vulnerable packages
   [netstandard2.0]:
   Transitive Package             Resolved   Severity   Advisory URL
   > Newtonsoft.Json              9.0.1      High       https://github.com/advisories/GHSA-5crp-9r3c-p9vr
   > System.Text.Encodings.Web    4.5.0      Critical   https://github.com/advisories/GHSA-ghhp-997w-qr28
   [netstandard2.1]:
   Transitive Package             Resolved   Severity   Advisory URL
   > Newtonsoft.Json              9.0.1      High       https://github.com/advisories/GHSA-5crp-9r3c-p9vr
   > System.Text.Encodings.Web    4.5.0      Critical   https://github.com/advisories/GHSA-ghhp-997w-qr28
```
Both of these come from Microsoft.Extensions.DependencyModel 2.1.0. There's no upgrade in the 2.x line for this. We could potentially upgrade just Newtonsoft.Json and System.Text.Encodings.Web, but we don't really want a Newtonsoft.Json dependency at all.
Upgrading to 3.1.25 would fix this. It does contain a breaking change: `DependencyContextJsonReader.ReadTargetLibraryDependencies` has been removed.
It looks like we don't actually use the Mvc.Core dependency anyway. Dropping that would fix the Newtonsoft.Json issue, and we can update System.Text.Encodings.Web explicitly.
jskeet added a commit to jskeet/sdk-csharp that referenced this issue Oct 10, 2022
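One way to turn the report quoted in the issue into a build gate, as an added example (not code from the issue or from sdk-csharp): it parses the text output of `dotnet list package --vulnerable --include-transitive`, groups findings by package across target frameworks, and exits non-zero at or above a severity threshold. The function names and the `High` default threshold are assumptions; the sample text is the output quoted above.

```python
import re
import sys
from collections import defaultdict

# Report text copied from the issue above, used when nothing is piped in.
SAMPLE = """\
Project `CloudNative.CloudEvents.AspNetCore` has the following vulnerable packages
[netstandard2.0]:
Transitive Package Resolved Severity Advisory URL
> Newtonsoft.Json 9.0.1 High https://github.com/advisories/GHSA-5crp-9r3c-p9vr
> System.Text.Encodings.Web 4.5.0 Critical https://github.com/advisories/GHSA-ghhp-997w-qr28
[netstandard2.1]:
Transitive Package Resolved Severity Advisory URL
> Newtonsoft.Json 9.0.1 High https://github.com/advisories/GHSA-5crp-9r3c-p9vr
> System.Text.Encodings.Web 4.5.0 Critical https://github.com/advisories/GHSA-ghhp-997w-qr28
"""

SEVERITY_RANK = {"Low": 1, "Moderate": 2, "High": 3, "Critical": 4}
FRAMEWORK = re.compile(r"^\s*\[(?P<tfm>[^\]]+)\]:\s*$")
# Top-level rows carry an extra "Requested" column before "Resolved".
ROW = re.compile(
    r"^\s*>\s+(?P<pkg>\S+)\s+(?:\S+\s+)?(?P<ver>\S+)\s+"
    r"(?P<sev>Low|Moderate|High|Critical)\s+(?P<url>https://\S+)\s*$")

def parse_report(text):
    """Return one finding per table row, tagged with framework and table kind."""
    findings, tfm, kind = [], None, None
    for line in text.splitlines():
        if m := FRAMEWORK.match(line):
            tfm = m["tfm"]
        elif line.strip().startswith(("Transitive Package", "Top-level Package")):
            kind = line.split()[0].lower()
        elif m := ROW.match(line):
            findings.append({"framework": tfm, "kind": kind, **m.groupdict()})
    return findings

def gate(findings, threshold="High"):
    """Map (package, version, severity, advisory) -> frameworks, at/above threshold."""
    blocked = defaultdict(set)
    for f in findings:
        if SEVERITY_RANK[f["sev"]] >= SEVERITY_RANK[threshold]:
            blocked[(f["pkg"], f["ver"], f["sev"], f["url"])].add(f["framework"])
    return {key: sorted(tfms) for key, tfms in blocked.items()}

if __name__ == "__main__":
    hits = gate(parse_report(SAMPLE if sys.stdin.isatty() else sys.stdin.read()))
    for (pkg, ver, sev, url), tfms in sorted(hits.items()):
        print(f"{sev:8} {pkg} {ver} [{', '.join(tfms)}] {url}")
    sys.exit(1 if hits else 0)
```

Because the `kind` field records whether a row came from the transitive or top-level table, the same output can be used to decide whether a finding needs an explicit reference or an upgrade of the parent package, which is the choice the issue discusses.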