slow-cheetah
Is Release 4.12 available on nuget.org? 4.08 Flagged as Security issue
SlowCheetah 4.0.8 is the only version on nuget.org, and it comes packaged with newtonsoft.json 9.0.1. This is being flagged by static code analysis tools as a security vulnerability.
This is fixed in release 4.0.12; however, this has not been pushed to nuget, which means that SlowCheetah 4.0.8 and 3.2.26 are both not allowed to be used by teams that maintain security best practices against software vulnerabilities.
The release folder contains source code for 4.0.12 but the released version on nuget is 4.0.8 and there are no beta versions available.
Sonatype-2021-0713 was related to a potential stack overflow that could cause a DoS attack and was fixed in newtonsoft.json version 13.0.1. However, it seems that Microsoft has not updated the SlowCheetah package to use the newly fixed version of NewtonSoft.json.dll and continues to use version 9.0.1.19813 in both the 3.2.26 and 4.0.8 versions of SlowCheetah.
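The Newtonsoft.Json stack-overflow issue referred to above is the unbounded-nesting case: 13.0.1 caps parse depth at 64 by default, while 9.0.1 has no default limit. The following is an added example, not code from this issue or from the slow-cheetah project, showing how a consumer stuck on the older DLL can still enforce a depth limit explicitly with the library's `MaxDepth` setting; the nested document it parses is constructed inline for the test.

```csharp
using System;
using Newtonsoft.Json;

static class NestedJsonGuard
{
    // Constructed input: an array nested `depth` levels deep, e.g. "[[[]]]".
    static string Nested(int depth) =>
        new string('[', depth) + new string(']', depth);

    // Parse with an explicit depth cap. MaxDepth exists on
    // JsonSerializerSettings in both 9.x and 13.x; only the default differs
    // (unlimited before 13.0.1, 64 from 13.0.1 on).
    static bool TryParse(string json, int maxDepth)
    {
        var settings = new JsonSerializerSettings { MaxDepth = maxDepth };
        try
        {
            JsonConvert.DeserializeObject(json, settings);
            return true;
        }
        catch (JsonReaderException ex)
        {
            // Rejected before the recursion gets anywhere near the stack limit.
            Console.WriteLine($"rejected: {ex.Message}");
            return false;
        }
    }

    static void Main()
    {
        Console.WriteLine(TryParse(Nested(10), 64));    // True
        Console.WriteLine(TryParse(Nested(1000), 64));  // False: MaxDepth of 64 exceeded
    }
}
```

Setting `MaxDepth` on every `JsonSerializerSettings` (or `JsonTextReader`) used for untrusted input gives the 13.0.1 behaviour on older builds, but it does not change what a dependency scanner reports, so the package still needs the updated DLL.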
+1 We have the same issue. Is there any update or ETA on this?
Same issue here. When can 4.0.12 be released to nuget to mitigate this vulnerability?
@adrianvmsft Is there any way to release the 4.0.12 nuget?
Bump.
The source code for tag v4.0.12 has Newtonsoft.Json 13.0.1
The Newtonsoft.Json DLL packaged on nuget is still showing 9.0.1. (Scanners are also seeing the version as 9.0.1, as @IanGoddard mentioned)
Any updates on this?
Still looking for a 4.0.12 release to NuGet.
+1, no solution for non-Visual Studio user I assume?
It appears that the https://github.com/microsoft/slow-cheetah/tree/v4.0.50 release includes https://github.com/microsoft/slow-cheetah/commit/7ae268bac0b361737af7a32eb7db84233d665de7, which updates Newtonsoft to 13.0.01.
4.0.52 hasn't been pushed to NuGet, but for the purposes of this issue, since 4.0.50 includes the fix, I'd call it closed as soon as someone can get to it.