
Feature/upgrade newtonsoft.json to its latest package #2489


Open
wants to merge 4 commits into
base: dev

Conversation

taufique-06

No description provided.

@taufique-06
Author

Upgrade Newtonsoft.Json to v13.0.3 across all projects to address vulnerabilities and standardize versions

This PR updates Newtonsoft.Json to version 13.0.3 across all projects for the following reasons:

Fixing Vulnerabilities:
The previous versions (e.g., 5.0.1 and 9.0.1) had known vulnerabilities. Upgrading to the latest stable version resolves these issues and improves security.

Version Consistency:
Different projects were using mismatched versions:

Hangfire.Core and related tests: 5.0.1
ConsoleSample: 13.0.2
Hangfire.SqlServer.msmq.Tests: 9.0.1
Standardizing to 13.0.3 ensures compatibility, reduces potential runtime issues, and simplifies maintenance.

Future-proofing:
Using the latest version ensures we're up-to-date with the latest features, bug fixes, and performance improvements.

@KirkMunroSagent

Be nice to see the build failures fixed so that this can be merged in and released...

@SamirSliti

Why hasn't anyone looked at the failed tests? Newtonsoft.Json 11.0.1 has a known high-severity vulnerability and should be updated ASAP.

@taufique-06
Author


Got the Ubuntu image to pass, but not sure what's holding back the VS image. Will have a proper look in the evening.

@soleimanHammoud

What's the ETA on this? We are waiting for this PR since Newtonsoft is exploitable.

@KirkMunroSagent

@odinserj: It seems that you're actively submitting changes to this repo and having them pass checks and build properly in AppVeyor. If you could look at the AppVeyor failure in this PR to help move it along, that would be appreciated.

@odinserj
Member

odinserj commented Jun 5, 2025

Newtonsoft.Json is already bumped for the net6.0 target and above in the dev branch in this commit, and will be released with Hangfire 1.9.0. The workaround to avoid warnings is to add Newtonsoft.Json of any desired version explicitly to the project – it works perfectly.

<PackageReference Include="Newtonsoft.Json" Version="13.0.3" />

Please see #2468 (comment) for details.
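The PR description lists three projects pinned to different Newtonsoft.Json versions, and the comment above describes the workaround of adding an explicit PackageReference so the transitive version from Hangfire is overridden. The script below is an added example (not Hangfire project code) that audits a set of .csproj files for exactly those two conditions: it reports every project's explicit Newtonsoft.Json version, flags any below a chosen floor (13.0.3, the version this PR targets), flags inconsistent pins across projects, and lists projects that only receive the package transitively and so would need the explicit reference. The project paths and file contents are constructed for illustration; both the `Version` attribute and the child `<Version>` element forms are handled, as is the old-style MSBuild namespace.

```python
"""Audit Newtonsoft.Json PackageReference versions across .csproj files.

Added example, not code from the Hangfire repository. Sample project
contents below are constructed and mirror the mismatch listed in the PR.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

PACKAGE = "Newtonsoft.Json"
FLOOR = "13.0.3"  # target version from the PR description

# Constructed sample .csproj contents (paths are hypothetical).
SAMPLE_PROJECTS: Dict[str, str] = {
    "src/Hangfire.Core/Hangfire.Core.csproj": """
<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="5.0.1" />
  </ItemGroup>
</Project>""",
    "samples/ConsoleSample/ConsoleSample.csproj": """
<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json">
      <Version>13.0.2</Version>
    </PackageReference>
  </ItemGroup>
</Project>""",
    # Old-style project with the MSBuild 2003 default namespace.
    "tests/Hangfire.SqlServer.Msmq.Tests/Hangfire.SqlServer.Msmq.Tests.csproj": """
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="9.0.1" />
  </ItemGroup>
</Project>""",
    # Only gets Newtonsoft.Json transitively through Hangfire.Core.
    "samples/WebSample/WebSample.csproj": """
<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Hangfire.Core" Version="1.8.0" />
  </ItemGroup>
</Project>""",
}


def local_name(tag: str) -> str:
    """Strip an XML namespace prefix such as '{http://...}PackageReference'."""
    return tag.rsplit("}", 1)[-1]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '13.0.3' into (13, 0, 3); a pre-release suffix like '-beta1' is dropped."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def find_package_version(csproj_xml: str, package: str = PACKAGE) -> Optional[str]:
    """Return the explicitly referenced version of `package`, taken from either
    the Version attribute or a child <Version> element; None if not referenced."""
    root = ET.fromstring(csproj_xml.strip())
    for element in root.iter():
        if local_name(element.tag) != "PackageReference":
            continue
        if element.get("Include", "").lower() != package.lower():
            continue
        version = element.get("Version")
        if version is None:
            for child in element:
                if local_name(child.tag) == "Version" and child.text:
                    version = child.text.strip()
        return version
    return None


def audit(projects: Dict[str, str], floor: str = FLOOR) -> Dict[str, List[str]]:
    """Classify each project as below_floor, ok, or transitive_only, and list the
    distinct explicit versions when they disagree across projects."""
    result: Dict[str, List[str]] = {
        "below_floor": [], "ok": [], "transitive_only": [], "inconsistent": [],
    }
    explicit: Dict[str, str] = {}
    for path, xml in projects.items():
        version = find_package_version(xml)
        if version is None:
            result["transitive_only"].append(path)
            continue
        explicit[path] = version
        bucket = "below_floor" if parse_version(version) < parse_version(floor) else "ok"
        result[bucket].append(f"{path}: {version}")
    distinct = set(explicit.values())
    if len(distinct) > 1:
        result["inconsistent"] = sorted(distinct, key=parse_version)
    return result


if __name__ == "__main__":
    for key, items in audit(SAMPLE_PROJECTS).items():
        print(key)
        for item in items:
            print("   ", item)
```

Projects in the `transitive_only` bucket are the ones the workaround applies to: they carry whatever version Hangfire references unless a PackageReference of their own is added. Pointing the script at a real checkout only requires reading each .csproj from disk into the dictionary.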

@odinserj odinserj closed this Jun 5, 2025
@KirkMunroSagent

I wish you hadn't closed this PR, unless 1.9.0 is on the verge of release. This warning has been around for a while, would be nice to see it addressed at the root rather than push work onto every Hangfire client by suggesting they take on dependencies they don't otherwise need, which also means maintaining those dependencies as well over time.

...will be released with Hangfire 1.9.0.

Can you share a non-committing ETA for Hangfire 1.9.0? Even if it's just when you hope to release it?

@odinserj
Member

I'm planning to release it before the release of .NET 10 that will re-enable transient dependency checks again.

@odinserj odinserj reopened this Jun 12, 2025