Transitive dependency (System.Text.Json) with vulnerability

[crfrolik]

Automapper v15.0.1 wants Microsoft.IdentityModel.JsonWebTokens v8.0.1
... which wants Microsoft.IdentityModel.Tokens v8.0.1
... which wants System.Text.Json v8.0.4
... which has high severity vulnerability: github.com/advisories/GHSA-8g4q-xg66-9fp4

Two options:

1. Upgrade to the latest version of Microsoft.IdentityModel.JsonWebTokens, which will pull in System.Text.Json v8.0.5, which does not have the vulnerablity
2. Add System.Text.Json as a direct dependency at v8.0.5 or later

As a workaround, consumers of AutoMapper can perform option 2 in their own repos.

[jbogard]

This is likely an issue with MediatR too. Lousy transitive dependencies...

I'll bump this version in the next minor release.

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.