NSwag
Simplify Newtonsoft.Json dependency
- Use the minimum version compatible with .NET Standard 2.0 (11.0.1)
- Remove dependency when solving transitively
@RicoSuter how is this going?
Not relying on at least Newtonsoft.Json version 11.0.1 exposes us to the following vulnerabilities:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0820
https://access.redhat.com/errata/RHSA-2019:1259
Can you merge this PR and release a new version in NuGet?
Actually, according to NuGet's website, we are still exposed to more vulnerabilities that are only fixed in the latest version (13.0.1 as of today):
https://www.nuget.org/packages/Newtonsoft.Json/
If necessary I can change the minimum version of this PR from 11.0.1 to 13.0.1 but I didn't want to make such a "radical" change.
Edit: What I mention also affects this other PR which is also mine:
https://github.com/RicoSuter/NJsonSchema/pull/1531
@RicoSuter friendly ping!
v14 will use Newtonsoft.Json v13 and also requires at least netstd 2.0