
Simplify Newtonsoft.Json dependency

Open bdovaz opened this issue 2 years ago • 1 comments

  • Use the minimum version compatible with .NET Standard 2.0 (11.0.1)
  • Remove dependency when solving transitively

bdovaz avatar Jun 21 '22 17:06 bdovaz

@RicoSuter how is this going?

Not relying on at least Newtonsoft.Json version 11.0.1 exposes us to the following vulnerabilities:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0820

https://access.redhat.com/errata/RHSA-2019:1259

Can you merge this PR and release a new version in NuGet?

Actually, according to NuGet's website, we are still exposed to more vulnerabilities that are only fixed in the latest version (13.0.1 as of today):

https://www.nuget.org/packages/Newtonsoft.Json/

If necessary I can change the minimum version of this PR from 11.0.1 to 13.0.1 but I didn't want to make such a "radical" change.

Edit: What I mention also affects this other PR which is also mine:

https://github.com/RicoSuter/NJsonSchema/pull/1531

bdovaz avatar Aug 31 '22 13:08 bdovaz

@RicoSuter friendly ping!

bdovaz avatar Jul 07 '23 06:07 bdovaz

v14 will use Newtonsoft.Json v13 and also requires at least netstd 2.0

RicoSuter avatar Sep 27 '23 09:09 RicoSuter