Hangfire
Feature/upgrade newtonsoft.json to its latest package
Upgrade Newtonsoft.Json to v13.0.3 across all projects to address vulnerabilities and standardize versions
This PR updates Newtonsoft.Json to version 13.0.3 across all projects for the following reasons:
Fixing Vulnerabilities: The previous versions (e.g., 5.0.1 and 9.0.1) had known vulnerabilities. Upgrading to the latest stable version resolves these issues and improves security.
Version Consistency: Different projects were using mismatched versions:
Hangfire.Core and related tests: 5.0.1
ConsoleSample: 13.0.2
Hangfire.SqlServer.msmq.Tests: 9.0.1
Standardizing to 13.0.3 ensures compatibility, reduces potential runtime issues, and simplifies maintenance.
Future-proofing: Using the latest version ensures we're up-to-date with the latest features, bug fixes, and performance improvements.
Be nice to see the build failures fixed so that this can be merged in and released...
Why hasn't anyone looked at the failed tests? Newtonsoft.Json 11.0.1 has a known high severity vulnerability and should be updated ASAP.
Got the Ubuntu image to pass, but not sure what's holding back the VS image. Will have a proper look in the evening.
What's the ETA of this? We are waiting for this PR since Newtonsoft is exploitable.
@odinserj: It seems that you're actively submitting changes to this repo and having them pass checks and build properly in AppVeyor. If you could look at the AppVeyor failure in this PR to help move it along, that would be appreciated.
Newtonsoft.Json is already bumped for the net6.0 target and above in the dev branch in this commit, and will be released with Hangfire 1.9.0. The workaround to avoid warnings is to add Newtonsoft.Json of any desired version explicitly to the project – it works perfectly.
<PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
Please see https://github.com/HangfireIO/Hangfire/issues/2468#issuecomment-2943610883 for details.
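As an added example (not from this PR and not the Hangfire project's own code), this is what the workaround from the comment above looks like in a consuming project's .csproj. The target framework, the Hangfire.Core version placeholder and the NuGetAudit properties are assumptions, not taken from the thread:

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Assumed target framework; not stated in the PR thread -->
    <TargetFramework>net8.0</TargetFramework>
    <!-- Assumed NuGet audit settings: report advisories for transitive
         packages as well, so a vulnerable version pulled in indirectly
         is flagged at restore time (requires an SDK that supports NuGetAudit) -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>low</NuGetAuditLevel>
  </PropertyGroup>

  <ItemGroup>
    <!-- Placeholder version; Hangfire.Core brings Newtonsoft.Json in transitively -->
    <PackageReference Include="Hangfire.Core" Version="HANGFIRE_VERSION_PLACEHOLDER" />
    <!-- The workaround from the maintainer's comment: a direct reference
         takes precedence over the lower transitive version, so the
         resolved graph contains 13.0.3 and the audit warning goes away -->
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>

</Project>
```

The explicit reference is a direct dependency, so NuGet resolves it ahead of the lower version that Hangfire.Core requests transitively. To confirm which version actually landed in the graph, and whether any other advisories remain, `dotnet list package --vulnerable --include-transitive` reports across the whole dependency tree.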
I wish you hadn't closed this PR, unless 1.9.0 is on the verge of release. This warning has been around for a while, would be nice to see it addressed at the root rather than push work onto every Hangfire client by suggesting they take on dependencies they don't otherwise need, which also means maintaining those dependencies as well over time.
...will be released with Hangfire 1.9.0.
Can you share a non-committing ETA for Hangfire 1.9.0? Even if it's just when you hope to release it?
I'm planning to release it before the release of .NET 10 that will re-enable transient dependency checks again.
Newtonsoft.Json is already bumped for the net6.0 target and above in the dev branch in this commit, and will be released with Hangfire 1.9.0. The workaround to avoid warnings is to add Newtonsoft.Json of any desired version explicitly to the project – it works perfectly.
<PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
Please see #2468 (comment) for details.
Great to hear! The vulnerability warning in Visual Studio is a bit annoying. I'm looking forward to the release of Hangfire 1.9.0 containing the Newtonsoft.Json version bump, it will be great!
One other option is to change to System.Text.Json or to abstract the serialization.