Update newtonsoft.json from 11.0.2 to 13.0.1 #870

Merged
merged 4 commits into from
Mar 28, 2023

davidmrdavid
Collaborator

This will remove certain static analysis warnings due to vulnerabilities. At runtime, our dependency is already being replaced with the newtonsoft.json version brought in by WebJobs, which is already 13.0.1, so this change should be safe.

The change also required that we update the code in a few places to account for the possibility of the deserialization returning null. You will see a few types being updated to include the ? modifier as a result.

Member

@cgillum cgillum left a comment

LGTM, though I wouldn't be surprised if we had some test projects that also needed to be updated.

@@ -41,7 +41,7 @@

<ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0'">
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="2.2.0" />
<PackageReference Include="Newtonsoft.Json" Version="11.0.2" />
<PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
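
Review bot: A two-major-version jump in a pinned dependency (Newtonsoft.Json 11.0.2 to 13.0.1 in the netstandard2.0 ItemGroup) raises the minimum version for every direct consumer of this package, so it needs a matching package version bump and a release-notes entry. The reference shown here is scoped to the `'$(TargetFramework)' == 'netstandard2.0'` condition only; confirm that any other target framework or test project that pins Newtonsoft.Json separately is moved to the same version, so the build does not resolve mixed versions.
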
Member

It's probably better to just remove this entirely since it's picked up transitively from DurableTask.Core.

Collaborator Author

Ah, good idea. Will do

@cgillum
Member

cgillum commented Feb 27, 2023

> At runtime, our dependency is already being replaced with the newtonsoft.json version brought in by WebJobs, which is already 13.0.1, so this change should be safe.

Note that this comment only applies to Durable Functions and not to any direct consumers of this framework.

@jviau
Collaborator

jviau commented Mar 13, 2023

Do we need to do any version rev for this?

@davidmrdavid
Collaborator Author

davidmrdavid commented Mar 13, 2023

@jviau: Yeah, perhaps. I know for DF users this is a non-breaking change, but I struggle to determine if this is a major, minor, or patch release for DTFx users. After all, we're increasing a dependency by 2 major versions, and that seems significant. Thoughts, @jviau, @cgillum?

@davidmrdavid davidmrdavid merged commit 2ed42be into main Mar 28, 2023
@davidmrdavid davidmrdavid deleted the dajusto/update-newtonsoft-json-dep branch March 28, 2023 18:18