Microsoft.Owin.Security.WsFederation has a vulnerable Newtonsoft.Json package dependency

[suuyashgupta]

Microsoft.Owin.Security.WsFederation has a Newtonsoft.Json v10.0.3 package dependency which is vulnerable as can be seen here as well. Could you please upgrade this package to latest to resolve this vulnerability so we could also upgrade it? Thanks.

[suuyashgupta]

The version has already been updated, it looks like, on Sep 8, 2022. We just have to create a new release?

[Tratcher]

You can update your Newtonsoft.Json dependency with a direct reference, you don't require any updates from Microsoft.Owin. This is common practice for patching.

[suuyashgupta]

@Tratcher Actually, I'm already using the latest version of Newtonsoft.Json in my project but MEND is still detecting the vulnerabilities of transitive packages such as Microsoft.Owin.

[Tratcher]

Then the tool isn't checking what you're actually using, just what some dependencies have referenced. You're fine if you've updated the dependency locally.

[suuyashgupta]

@Tratcher There was one more thing I forgot to mention. project.assets.json file is showing those dependencies as well with lower versions of Newtonsoft. Could that cause any issue?

[Tratcher]

? I thought project.assets.json was only for .NET Core projects.

[suuyashgupta]

@Tratcher Not sure how it's generated in our project built with .NET Framework. No one in the team seems to know about this.

[suuyashgupta]

Do we have a timeline when 4.2.3 would be released?

[Tratcher]

No, you'd have to convince @adityamandaleeka that it's urgent.

[jthorpe80]

I'm also waiting on 4.2.3 for #513 . 4.2.2 was last released almost two years ago, so why the delay?