
References to versions of System.Text.Json with CVEs #425

Closed
Numpsy opened this issue Jul 10, 2024 · 2 comments

Comments

@Numpsy
Member

Numpsy commented Jul 10, 2024

I see that similar situations to this have been reported in the past, with some debate about whether the references here should be updated or not (e.g. #341), but raising the question in case:

There is a transitive dependency to System.Text.Json v8.0.0 via Microsoft.Extensions.DependencyModel v8.0.0.

Microsoft just announced a set of CVEs in that version - GHSA-hh2w-p6rv-4g7w

This got flagged up by Mend in a project at work that uses Serilog.Settings.Configuration.

Microsoft have now released a version 8.0.1 of Microsoft.Extensions.DependencyModel which bumps the System.Text.Json dependency to 8.0.4, which has fixed the issue.

So - I'm wondering what the thoughts are on updating the Microsoft.Extensions.DependencyModel dependency here to 8.0.1?
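An added example, not code from the Serilog project or from anyone in this thread, showing the check behind the report above: walk the resolved dependency graph from each direct PackageReference, find every path that ends at a package whose resolved version is below the patched one, and fail if any exists. It reads a NuGet `packages.lock.json` (written by `dotnet restore --use-lock-file`). The two lock files embedded below are constructed and abbreviated, with placeholder `contentHash` values; the patched version 8.0.4 comes from the issue text, not from the advisory's own version ranges.

```python
"""Audit a NuGet packages.lock.json for vulnerable transitive packages.

Reports the full chain (direct package -> ... -> vulnerable package) so the
remediation (which direct PackageReference to bump) is obvious.
"""
import json
from typing import Dict, List, Tuple

# First patched version per package. Taken from the issue text above
# (System.Text.Json fixed in 8.0.4); extend from the advisory as needed.
PATCHED: Dict[str, str] = {"System.Text.Json": "8.0.4"}

# Constructed, abbreviated lock file: the situation in the report.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {"net8.0": {
        "Microsoft.Extensions.DependencyModel": {
            "type": "Direct", "requested": "[8.0.0, )", "resolved": "8.0.0",
            "contentHash": "PLACEHOLDER",
            "dependencies": {"System.Text.Json": "8.0.0"}},
        "System.Text.Json": {
            "type": "Transitive", "resolved": "8.0.0", "contentHash": "PLACEHOLDER",
            "dependencies": {"System.Text.Encodings.Web": "8.0.0"}},
        "System.Text.Encodings.Web": {
            "type": "Transitive", "resolved": "8.0.0", "contentHash": "PLACEHOLDER"},
    }},
})

# Constructed lock file after bumping the direct reference to 8.0.1,
# which pulls System.Text.Json 8.0.4 as described in the report.
FIXED_LOCK = json.dumps({
    "version": 1,
    "dependencies": {"net8.0": {
        "Microsoft.Extensions.DependencyModel": {
            "type": "Direct", "requested": "[8.0.1, )", "resolved": "8.0.1",
            "contentHash": "PLACEHOLDER",
            "dependencies": {"System.Text.Json": "8.0.4"}},
        "System.Text.Json": {
            "type": "Transitive", "resolved": "8.0.4", "contentHash": "PLACEHOLDER",
            "dependencies": {"System.Text.Encodings.Web": "8.0.0"}},
        "System.Text.Encodings.Web": {
            "type": "Transitive", "resolved": "8.0.0", "contentHash": "PLACEHOLDER"},
    }},
})


def parse_version(v: str) -> Tuple[Tuple[int, ...], int]:
    """Comparable key for a NuGet version string.

    Numeric part is padded to four components (8.0.4 == 8.0.4.0); a
    prerelease suffix (8.0.4-rc.1) sorts below the release it precedes,
    so a prerelease of the patched version still counts as vulnerable.
    Build metadata after '+' is ignored.
    """
    without_meta = v.split("+")[0]
    is_release = 0 if "-" in without_meta else 1
    core = without_meta.split("-")[0]
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts), is_release


def is_vulnerable(pkg: str, resolved: str, patched: Dict[str, str] = PATCHED) -> bool:
    """True if pkg is in the advisory table and resolved < patched version."""
    return pkg in patched and parse_version(resolved) < parse_version(patched[pkg])


def load_graph(lock_text: str, framework: str) -> Dict[str, dict]:
    """Return the per-framework package table from a packages.lock.json."""
    return json.loads(lock_text)["dependencies"][framework]


def find_paths(graph: Dict[str, dict], patched: Dict[str, str] = PATCHED) -> List[List[str]]:
    """Every chain from a Direct package down to a vulnerable resolved package."""
    hits: List[List[str]] = []

    def walk(name: str, chain: List[str], seen: frozenset) -> None:
        node = graph.get(name)
        if node is None or name in seen:  # unknown package or cycle guard
            return
        chain = chain + [f"{name} {node['resolved']}"]
        if is_vulnerable(name, node["resolved"], patched):
            hits.append(chain)
        for dep in node.get("dependencies", {}):
            walk(dep, chain, seen | {name})

    for name, node in graph.items():
        if node.get("type") == "Direct":
            walk(name, [], frozenset())
    return hits


def report(lock_text: str, framework: str = "net8.0") -> str:
    """Human-readable summary; non-empty output means the build should fail."""
    paths = find_paths(load_graph(lock_text, framework))
    return "\n".join(" -> ".join(p) for p in paths)


if __name__ == "__main__":
    print("before:", report(SAMPLE_LOCK) or "clean")
    print("after: ", report(FIXED_LOCK) or "clean")
```

In CI the same check is `dotnet list package --vulnerable --include-transitive` against the live advisory feed; the script above is the offline equivalent, and its value is the printed chain, which tells you that the reference to bump is Microsoft.Extensions.DependencyModel, not System.Text.Json itself.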

@nblumhardt
Member

An update here would be welcome; thanks for flagging this @Numpsy 👍

@Numpsy
Member Author

Numpsy commented Jul 12, 2024

The 8.0.2 release has fixed the issue for me, so I'll close this one.

@Numpsy Numpsy closed this as completed Jul 12, 2024
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants