
Reference to vulnerable version of Newtonsoft.Json Newtonsoft.Json 11.0.2

Open denislevin opened this issue 2 years ago • 2 comments

I am getting a build failure in ADO build pipeline for a Web job that uses Microsoft.Azure.WebJobs 3.0.33 assembly (the latest version):

[INFO] |Security Alerts [INFO] |GHSA-5crp-9r3c-p9vr |Newtonsoft.Json 11.0.2 |High |2022-07-29T21:14:31.3718047Z |

This breaks our build. Nothing else in our build is using v11.0.2 of Newtonsoft.Json. We use Newtonsoft.Json 13.0.1.

Please update the component ASAP.

Looks like the issue is in https://github.com/Azure/azure-webjobs-sdk/blob/206e194e03d82a101a6b5dffb7b4c3904730801d/src/Microsoft.Azure.WebJobs.Host/WebJobs.Host.csproj

denislevin, Aug 23 '22 22:08

@brettsam any updates? Newtonsoft.Json needs to be bumped to at least 13.0.1 to clear the vulnerability

FrankBurmo, Oct 02 '22 19:10

You should be able to directly reference Newtonsoft 13.x in whatever project you are using WebJobs from. The vulnerability has been patched in Functions v3 (which is on v11 and cannot move forward) with the workaround posted in the link above:

JsonConvert.DefaultSettings = () => new JsonSerializerSettings { MaxDepth = 128 };

We're discussing how to approach this with this package. Bumping to 13.x here would technically require a major version bump for WebJobs, which has a lot of tricky downstream implications to Functions.

We're not rushing to bump this version because of the downstream issues and because there are available solutions for all customers today -- but we'll update here when we come up with a plan.

brettsam, Oct 03 '22 16:10
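As an added example (not code from this thread or from the WebJobs SDK), the following C# program applies the `JsonConvert.DefaultSettings` workaround quoted above to a constructed, deeply nested payload and shows the depth cap being enforced. It also covers a point the thread does not state, which is my own assumption about Newtonsoft.Json behaviour: `JToken.Parse`/`JObject.Parse` build their own `JsonTextReader` and do not consult `JsonConvert.DefaultSettings`, so a reader used for them needs its own `MaxDepth`.

```csharp
using System;
using System.IO;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

// Added example, not from the issue or the SDK: exercises the MaxDepth
// workaround against a constructed "[[[...]]]" payload.
public static class MaxDepthDemo
{
    // Constructed input: 'depth' nested JSON arrays.
    static string Nested(int depth) =>
        new string('[', depth) + new string(']', depth);

    public static void Main()
    {
        // 1. Process-wide default consulted by JsonConvert.* and
        //    JsonSerializer.CreateDefault(), as suggested in the thread.
        JsonConvert.DefaultSettings = () => new JsonSerializerSettings { MaxDepth = 128 };

        string shallow = Nested(10);
        string deep = Nested(10_000); // far beyond the 128-level cap

        // Shallow input still deserializes normally (to a JArray here).
        Console.WriteLine(JsonConvert.DeserializeObject<object>(shallow) != null);

        try
        {
            JsonConvert.DeserializeObject<object>(deep);
            Console.WriteLine("no limit enforced");
        }
        catch (JsonException ex) // JsonReaderException derives from JsonException
        {
            Console.WriteLine("rejected by DefaultSettings: " + ex.Message);
        }

        // 2. Assumption not stated in the thread: JToken/JObject.Parse do not use
        //    JsonConvert.DefaultSettings, so cap the reader you hand them directly.
        using var reader = new JsonTextReader(new StringReader(deep)) { MaxDepth = 128 };
        try
        {
            JToken.Load(reader);
            Console.WriteLine("no limit enforced");
        }
        catch (JsonException ex)
        {
            Console.WriteLine("rejected by reader MaxDepth: " + ex.Message);
        }
    }
}
```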