
Please update your dependencies - warnings for vulnerable dependencies as well as downgraded assemblies

Open · ericstj opened this issue 2 months ago · 0 comments

Vulnerability

When using the latest version of Microsoft.AspNet.OData a very old, and vulnerable version of Newtonsoft.Json is referenced.

 Package 'Newtonsoft.Json' 6.0.4 has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr

Downgrade

Also when building I get a warning about a downgrade of Newtonsoft.Json:

    C:\Program Files\dotnet\sdk\9.0.305\Microsoft.Common.CurrentVersion.targets(2433,5): warning MSB3277:
      Found conflicts between different versions of "Newtonsoft.Json" that could not be resolved.
      There was a conflict between "Newtonsoft.Json, Version=6.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed" and "Newtonsoft.Json, Version=13.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed".
          "Newtonsoft.Json, Version=6.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed" was chosen because it was primary and "Newtonsoft.Json, Version=13.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed" was not.
          References which depend on "Newtonsoft.Json, Version=6.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed" [C:\Users\ericstj\.nuget\packages\newtonsoft.json\6.0.4\lib\net45\Newtonsoft.Json.dll].
              C:\Users\ericstj\.nuget\packages\newtonsoft.json\6.0.4\lib\net45\Newtonsoft.Json.dll
                Project file item includes which caused reference "C:\Users\ericstj\.nuget\packages\newtonsoft.json\6.0.4\lib\net45\Newtonsoft.Json.dll".
                  C:\Users\ericstj\.nuget\packages\newtonsoft.json\6.0.4\lib\net45\Newtonsoft.Json.dll
          References which depend on or have been unified to "Newtonsoft.Json, Version=13.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed" [].
              C:\Users\ericstj\.nuget\packages\microsoft.aspnet.odata\7.7.9\lib\net45\Microsoft.AspNet.OData.dll
                Project file item includes which caused reference "C:\Users\ericstj\.nuget\packages\microsoft.aspnet.odata\7.7.9\lib\net45\Microsoft.AspNet.OData.dll".
                  C:\Users\ericstj\.nuget\packages\microsoft.aspnet.odata\7.7.9\lib\net45\Microsoft.AspNet.OData.dll
              C:\Users\ericstj\.nuget\packages\microsoft.aspnet.webapi.client\5.2.2\lib\net45\System.Net.Http.Formatting.dll
                Project file item includes which caused reference "C:\Users\ericstj\.nuget\packages\microsoft.aspnet.webapi.client\5.2.2\lib\net45\System.Net.Http.Formatting.dll".
                  C:\Users\ericstj\.nuget\packages\microsoft.aspnet.webapi.client\5.2.2\lib\net45\System.Net.Http.Formatting.dll
                  C:\Users\ericstj\.nuget\packages\microsoft.aspnet.odata\7.7.9\lib\net45\Microsoft.AspNet.OData.dll
                  C:\Users\ericstj\.nuget\packages\microsoft.aspnet.webapi.core\5.2.2\lib\net45\System.Web.Http.dll
              C:\Users\ericstj\.nuget\packages\microsoft.aspnet.webapi.core\5.2.2\lib\net45\System.Web.Http.dll
                Project file item includes which caused reference "C:\Users\ericstj\.nuget\packages\microsoft.aspnet.webapi.core\5.2.2\lib\net45\System.Web.Http.dll".
                  C:\Users\ericstj\.nuget\packages\microsoft.aspnet.webapi.core\5.2.2\lib\net45\System.Web.Http.dll
                  C:\Users\ericstj\.nuget\packages\microsoft.aspnet.odata\7.7.9\lib\net45\Microsoft.AspNet.OData.dll

Analysis

If I examine these dependencies with a ref scanner tool, I can see the problem as well.

refscanner assembly Newtonsoft.Json --path bin\Debug\net48\
All done (19 assemblies scanned in 0:00:00.0998627, or 170 assemblies per second)!
The Newtonsoft.Json assembly is referenced as follows:
6.0.0.0
        System.Net.Http.Formatting.dll
        System.Web.Http.dll

13.0.0.0
        Microsoft.AspNet.OData.dll

So Microsoft.AspNet.OData.dll itself already builds against a higher version of Newtonsoft.Json than its package references. This is happening because this project authors its own nuspec which differs from its actual build. https://github.com/OData/WebApi/blob/1b8f45e74a791784fe7cac071320bf70469f48a5/src/Microsoft.AspNet.OData/Microsoft.AspNet.OData.csproj#L45-L48 https://github.com/OData/WebApi/blob/1b8f45e74a791784fe7cac071320bf70469f48a5/src/Microsoft.AspNet.OData/Microsoft.AspNet.OData.Release.nuspec#L20-L26

This ancient version of Newtonsoft.Json is brought in by Microsoft.AspNet.WebApi.Client.
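To find the chain through which a transitive package such as Newtonsoft.Json 6.0.4 reaches a project, one can walk NuGet's restore output (obj/project.assets.json) rather than guess from build warnings. The script below is an added example, not code from the issue or the OData project; the embedded assets excerpt is constructed to mirror the graph described above (Microsoft.AspNet.OData 7.7.9 → Microsoft.AspNet.WebApi.Client 5.2.2 → Newtonsoft.Json 6.0.4), and the 13.0.0 threshold is the version the OData assembly itself binds to per the MSB3277 warning, not a claim about where the advisory is fixed.

```python
import json

# Constructed excerpt of obj/project.assets.json reproducing the graph from the issue.
# Package ids and versions come from the issue; the shape follows NuGet's assets format.
SAMPLE_ASSETS = json.dumps({
    "targets": {".NETFramework,Version=v4.8": {
        "Microsoft.AspNet.OData/7.7.9": {"type": "package", "dependencies": {
            "Microsoft.AspNet.WebApi.Client": "5.2.2", "Microsoft.AspNet.WebApi.Core": "5.2.2"}},
        "Microsoft.AspNet.WebApi.Client/5.2.2": {"type": "package",
                                                  "dependencies": {"Newtonsoft.Json": "6.0.4"}},
        "Microsoft.AspNet.WebApi.Core/5.2.2": {"type": "package", "dependencies": {
            "Microsoft.AspNet.WebApi.Client": "5.2.2"}},
        "Newtonsoft.Json/6.0.4": {"type": "package"},
    }},
})


def load_graph(assets_text, target):
    """Return {package_id_lower: ("Id/Version", [dependency ids])} for one restore target."""
    graph = {}
    for key, entry in json.loads(assets_text)["targets"][target].items():
        if entry.get("type") == "package":  # skip project references
            graph[key.split("/", 1)[0].lower()] = (key, list(entry.get("dependencies", {})))
    return graph


def dependency_paths(graph, roots, wanted):
    """Every path from a direct (root) package reference down to the wanted package id."""
    found = []

    def walk(pkg_id, trail):
        key, deps = graph[pkg_id.lower()]
        trail = trail + [key]
        if pkg_id.lower() == wanted.lower():
            found.append(trail)
            return
        seen = {t.split("/")[0].lower() for t in trail}  # cycle guard
        for dep in deps:
            if dep.lower() not in seen and dep.lower() in graph:
                walk(dep, trail)

    for root in roots:
        walk(root, [])
    return found


def resolved_version(graph, pkg_id):
    """Numeric tuple of the version NuGet resolved, ignoring any prerelease suffix."""
    version = graph[pkg_id.lower()][0].split("/", 1)[1].split("-")[0]
    return tuple(int(p) for p in version.split("."))


def below_minimum(graph, pkg_id, minimum):
    """True when the resolved version is older than the minimum you require."""
    return resolved_version(graph, pkg_id) < tuple(int(p) for p in minimum.split("."))
```

Run it against a real obj/project.assets.json by reading the file into `load_graph` and passing the project's direct PackageReference ids as `roots`; each returned path names the package whose dependency range needs raising (or which needs a direct, newer PackageReference added alongside it).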

Workaround

A newer version of Microsoft.AspNet.WebApi.Client exists which does not have this old dependency.

    <PackageReference Include="Microsoft.AspNet.WebApi.Client" Version="6.0.0" />

Proposed fix

I think you should update your reference to use this new version. You should also consider adding a direct reference to avoid this mismatch in the future. https://github.com/OData/WebApi/blob/1b8f45e74a791784fe7cac071320bf70469f48a5/tools/WebStack.versions.settings.targets#L14

A better fix would be to also stop using your hand-authored nuspec, and instead run pack on your csproj.

cc @danroth27

ericstj · Oct 10 '25 17:10