azure-activedirectory-identitymodel-extensions-for-dotnet

Remove superfluous System.Text.Encodings.Web explicit references

Open TimHannMSFT opened this issue 1 year ago • 3 comments

What? We have some partners who are running into issues due to an explicit/forced usage of the 4.7.2 version of System.Text.Encodings.Web. It appears that the explicit reference is not required for Wilson to build correctly.

Why? Extra references which enforce higher-than-necessary versions limit partners' ability to leverage our library.

To confirm: would removing this reference open us back up to #1985?

TimHannMSFT, Aug 29 '23 20:08

Can we also remove the explicit reference to System.Text.Json 4.7.2?

jmprieur, Aug 29 '23 21:08

My understanding may be off, but I think as far as our targets, only net6 and net8 include STJ as a reference in the framework?

keegan-caruso, Aug 30 '23 00:08

From https://github.com/advisories/GHSA-ghhp-997w-qr28

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 5.0, .NET Core 3.1, and .NET Core 2.1

Our System.Text.Json references are only needed in pre-netcore targets, so we can avoid pulling in the encodings.web library for core targets by making STJ conditional to older targets.

TimHannMSFT, Aug 30 '23 22:08
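
One way to express the conditional reference described in the last comment, as an added example that is not the project's own build file. The target framework list and the exact condition are assumptions; only the package names and the 4.7.2 version come from the thread.

```xml
<!-- Added illustration, not the project's actual .csproj. -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Assumed target list: two older targets plus the net6/net8 targets named in the thread. -->
    <TargetFrameworks>net462;netstandard2.0;net6.0;net8.0</TargetFrameworks>
  </PropertyGroup>

  <!-- Before: unconditional references pin 4.7.2 for every target,
       including those whose framework already ships System.Text.Json.
  <ItemGroup>
    <PackageReference Include="System.Text.Json" Version="4.7.2" />
    <PackageReference Include="System.Text.Encodings.Web" Version="4.7.2" />
  </ItemGroup>
  -->

  <!-- After: only the older targets take the System.Text.Json package.
       The explicit System.Text.Encodings.Web reference is dropped, so on these
       targets it resolves transitively and should be checked after the change. -->
  <ItemGroup Condition="'$(TargetFramework)' == 'net462' Or '$(TargetFramework)' == 'netstandard2.0'">
    <PackageReference Include="System.Text.Json" Version="4.7.2" />
  </ItemGroup>

</Project>
```

After a change like this, `dotnet list package --include-transitive` shows the System.Text.Encodings.Web version each target framework actually resolves, and adding `--vulnerable` flags any resolved package with a known advisory.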