Simplify Newtonsoft.Json dependency #4054
Conversation
bdovaz
commented
Jun 21, 2022
bdovaz
commented
- Use the minimum version compatible with .NET Standard 2.0 (11.0.1)
- Remove dependency when solving transitively
- Use the minimum version compatible with .NET Standard 2.0 (11.0.1) - Remove dependency when solving transitively
|
@RicoSuter how is this going? Not relying on at least Newtonsoft.Json version 11.0.1 exposes us to the following vulnerabilities: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0820 https://access.redhat.com/errata/RHSA-2019:1259 Can you merge this PR and release a new version in NuGet? Actually, according to NuGet's website, we are still exposed to more vulnerabilities that are only fixed in the latest version (13.0.1 as of today): https://www.nuget.org/packages/Newtonsoft.Json/ If necessary I can change the minimum version of this PR from 11.0.1 to 13.0.1 but I didn't want to make such a "radical" change. Edit: What I mention also affects this other PR which is also mine: |
|
@RicoSuter friendly ping! |
|
v14 will use Newtonsoft.Json v13 and also requires at least netstd 2.0 |
