NJsonSchema
Require upgrade Newtonsoft.Json for high severity security issue
According to https://github.com/advisories/GHSA-5crp-9r3c-p9vr, the current version (9.0.1) of Newtonsoft.Json used in NJsonSchema has a high-risk vulnerability.
Can we upgrade the Newtonsoft.Json in NJsonSchema to resolve the issue?
Hi, I think you should completely abandon Newtonsoft.Json; it is now considered old and has low performance. Instead, use System.Text.Json.
Before abandoning Newtonsoft.Json, it would help to consolidate all references to the newest version used by all packages, which also includes NSwag. There are environments (VSIX extension for VS2017) where you can't reference both 9.0.1 and newer versions of Newtonsoft.Json at the same time from different libraries that also reference each other, as NSwag and NJsonSchema do. Microsoft recommends not using [ProvideBindingRedirection] for Newtonsoft.Json, because older versions are used by core components of Visual Studio itself. See this blog post. If all packages referenced the same new version of Newtonsoft.Json, there would be no problem loading them from the extension folder.
There are already 2 open pull requests for this purpose: #1531 and RicoSuter/NSwag#4054.
Please merge them into master.
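The consolidation check discussed in the comment above (every project in the graph must reference one, patched Newtonsoft.Json version, because a VSIX host cannot carry two side-by-side copies) can be scripted. The following is an added example written for this thread; it is not code from NJsonSchema or NSwag. It assumes the advisory's first fixed release, 13.0.1, as the minimum acceptable version (exposed as a parameter), and the project files it scans are constructed inline so it runs offline.

```python
"""Audit Newtonsoft.Json references across .NET project files.

Added example for this thread (not NJsonSchema/NSwag code). It scans
SDK-style and legacy .csproj files (PackageReference) and packages.config
files (package id/version), reports every Newtonsoft.Json reference,
flags versions below a minimum, and tells you whether all projects agree
on one version, which is the "consolidate all references" condition
described in the thread. Sample files below are constructed, not taken
from the repositories.
"""
import xml.etree.ElementTree as ET

# Assumption: GHSA-5crp-9r3c-p9vr lists 13.0.1 as the first fixed release.
# Change this when auditing against a different advisory.
MIN_SAFE_VERSION = "13.0.1"


def parse_version(text):
    """Turn '13.0.1' or '9.0.1-beta2' into a comparable tuple of ints.

    Pre-release/build suffixes are dropped; an empty or unpinned version
    becomes () which sorts below every real version and is therefore flagged.
    """
    core = (text or "").split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def _local(tag):
    """Strip an XML namespace ('{ns}Tag' -> 'Tag'); legacy csproj files carry the MSBuild namespace."""
    return tag.split("}", 1)[-1]


def find_references(filename, content):
    """Return [(version, filename)] for each Newtonsoft.Json reference in one file's XML text."""
    root = ET.fromstring(content)
    found = []
    if _local(root.tag).lower() == "packages":  # packages.config
        for pkg in root.iter("package"):
            if pkg.get("id", "").lower() == "newtonsoft.json":
                found.append((pkg.get("version", ""), filename))
        return found
    for elem in root.iter():  # any flavour of .csproj
        if _local(elem.tag) != "PackageReference":
            continue
        if elem.get("Include", "").lower() != "newtonsoft.json":
            continue
        version = elem.get("Version") or ""
        if not version:  # legacy style: <PackageReference Include="..."><Version>x</Version>
            for child in elem:
                if _local(child.tag) == "Version":
                    version = (child.text or "").strip()
        found.append((version, filename))
    return found


def audit(files, min_safe=MIN_SAFE_VERSION):
    """Audit {filename: xml_text}. Returns all references, the outdated ones,
    the distinct versions seen, and whether the graph is consolidated on one version."""
    refs = []
    for name, content in files.items():
        refs.extend(find_references(name, content))
    floor = parse_version(min_safe)
    outdated = [(v, f) for v, f in refs if parse_version(v) < floor]
    versions = sorted({v for v, _ in refs}, key=parse_version)
    return {
        "references": refs,
        "outdated": outdated,
        "versions": versions,
        "consolidated": len(versions) <= 1,
    }


# Constructed sample inputs: an SDK-style project pinned to the vulnerable
# version, a legacy-format project on the patched version, and a VSIX host
# using packages.config with something in between.
SAMPLE_FILES = {
    "src/SchemaLib/SchemaLib.csproj": (
        '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
        '<PackageReference Include="Newtonsoft.Json" Version="9.0.1" />'
        "</ItemGroup></Project>"
    ),
    "src/ClientGen/ClientGen.csproj": (
        '<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003"><ItemGroup>'
        '<PackageReference Include="Newtonsoft.Json"><Version>13.0.1</Version></PackageReference>'
        "</ItemGroup></Project>"
    ),
    "src/VsixHost/packages.config": (
        '<packages><package id="Newtonsoft.Json" version="12.0.3" targetFramework="net472" /></packages>'
    ),
}

if __name__ == "__main__":
    report = audit(SAMPLE_FILES)
    for version, name in report["references"]:
        status = "OUTDATED" if (version, name) in report["outdated"] else "ok"
        print(f"{name}: Newtonsoft.Json {version or '<unpinned>'} [{status}]")
    print("distinct versions:", report["versions"])
    print("consolidated on one version:", report["consolidated"])
```

In a real repository you would feed `audit` the contents of every `*.csproj` and `packages.config` under the solution; a non-empty `outdated` list or `consolidated == False` is the condition the comment above says must be cleared before the VSIX can load the packages from its extension folder.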