[BUG]: Newtonsoft.Json update for CWE-755 vulnerability

Open · cutecycle opened this issue 3 years ago · 1 comment

https://github.com/advisories/GHSA-5crp-9r3c-p9vr

Describe the bug

Snyk/lgtm et al. are reporting end users' projects vulnerable as a result of a transitive dependency on Newtonsoft.Json 11 in Microsoft.Spark.

To Reproduce

Steps to reproduce the behavior:

  1. Include Microsoft.Spark in a project/solution.
  2. Scan with snyk.io, etc.

cutecycle · Jun 27 '22 14:06
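The reproduction above relies on an external scanner. A cheaper first check a maintainer or consumer can run offline is to read the project's NuGet lock file (packages.lock.json, produced when RestorePackagesWithLockFile is enabled) and flag any framework where the named package resolves below a patched version, along with which direct dependency pulls it in. The script below is an added example, not code from the issue or from the dotnet/spark project. The lock-file content is constructed inline (package names mirror the issue; the Microsoft.Spark version and the Newtonsoft.Json minor/patch digits are illustrative), and the patched version passed in as min_safe is an assumption to be taken from the linked advisory, not a value stated on this page.

```python
"""Flag a transitive NuGet dependency resolved below a patched version.

Reads the packages.lock.json format written by `dotnet restore` when
RestorePackagesWithLockFile=true, and reports, per target framework,
the resolved version of one package plus the direct packages that
depend on it. Added example; not part of the dotnet/spark project.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample lock file. Package names follow the issue; the
# Microsoft.Spark version and the Newtonsoft.Json minor/patch digits
# are illustrative (the issue only says "Newtonsoft.Json 11").
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net6.0": {
            "Microsoft.Spark": {
                "type": "Direct",
                "requested": "[1.0.0, )",
                "resolved": "1.0.0",
                "dependencies": {"Newtonsoft.Json": "11.0.0"},
            },
            "Newtonsoft.Json": {
                "type": "Transitive",
                "resolved": "11.0.0",
            },
        }
    }
})


def parse_version(v: str) -> Tuple[Tuple[int, ...], int]:
    """Turn a NuGet/SemVer version into a comparable key.

    Numeric parts are padded to four components ("13.0" == "13.0.0.0");
    a prerelease label ("-beta1") sorts below the matching release.
    Build metadata after "+" is ignored, as SemVer requires.
    """
    core, _, pre = v.partition("-")
    core = core.split("+", 1)[0]
    nums = tuple(int(p) for p in core.split("."))
    nums = nums + (0,) * (4 - len(nums))
    return (nums, 0 if pre else 1)


def _lookup(packages: Dict[str, dict], name: str) -> Optional[Tuple[str, dict]]:
    """Case-insensitive package lookup; NuGet package ids are case-insensitive."""
    for pkg_id, meta in packages.items():
        if pkg_id.lower() == name.lower():
            return pkg_id, meta
    return None


def find_vulnerable(lock_json: str, package: str, min_safe: str) -> List[Dict[str, object]]:
    """Return one finding per target framework where `package` resolves below `min_safe`.

    Each finding records the framework, the resolved version, whether the
    package is Direct or Transitive, and the direct/transitive packages that
    declare it as a dependency (the "via" chain a reviewer needs to know
    which upstream package has to be bumped or overridden).
    """
    lock = json.loads(lock_json)
    findings: List[Dict[str, object]] = []
    for framework, packages in lock.get("dependencies", {}).items():
        hit = _lookup(packages, package)
        if hit is None:
            continue
        pkg_id, entry = hit
        resolved = entry["resolved"]
        if parse_version(resolved) >= parse_version(min_safe):
            continue
        via = sorted(
            name for name, meta in packages.items()
            if _lookup(meta.get("dependencies", {}), pkg_id) is not None
        )
        findings.append({
            "framework": framework,
            "resolved": resolved,
            "type": entry.get("type"),
            "via": via,
        })
    return findings


if __name__ == "__main__":
    # Assumed patched version: take the real value from the advisory.
    for f in find_vulnerable(SAMPLE_LOCK, "Newtonsoft.Json", "13.0.1"):
        print(f"{f['framework']}: Newtonsoft.Json {f['resolved']} ({f['type']}) via {', '.join(f['via'])}")
```

When the finding is Transitive, the usual fix on the consumer side is to add a direct PackageReference to the patched version, since NuGet lets a direct reference win over a transitive one; on the library side, the fix is bumping the dependency in Microsoft.Spark itself, which is what this issue asks for.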

(Side note: what happened with this PR? it seemed like it was approved but then got closed spontaneously... https://github.com/dotnet/spark/pull/358)

cutecycle · Jun 27 '22 14:06