bump transitive System.Text.Json dependency to fix .NET 9 build warnings
The previously resolved 8.0.0 is vulnerable according to GHSA-hh2w-p6rv-4g7w, so pin it to 9.0.0 for now to fix build warnings (and whatever vulnerability that is).

Once Silk.NET publishes a 2.22.1+ this can theoretically be removed.
Morilli committed Dec 1, 2024
1 parent cd7605d commit cf464d4
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions Directory.Packages.props
@@ -41,6 +41,7 @@
<PackageVersion Include="System.Reflection.Emit" Version="4.7.0" />
<PackageVersion Include="System.Resources.Extensions" Version="7.0.0" />
<PackageVersion Include="System.Runtime.CompilerServices.Unsafe" Version="6.0.0" />
<PackageVersion Include="System.Text.Json" Version="9.0.0" /> <!-- transitive dependency of Silk.NET; 8.0.0 generates build warnings -->
<PackageVersion Include="Vortice.Direct3D11" Version="2.4.2" /> <!-- last version with .NET Standard 2.0 support -->
<PackageVersion Include="Vortice.D3DCompiler" Version="2.4.2" /> <!-- last version with .NET Standard 2.0 support -->
<PackageVersion Include="Vortice.MediaFoundation" Version="2.4.2" /> <!-- last version with .NET Standard 2.0 support -->
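Review bot: the inline comment on the new `System.Text.Json` line records only that 8.0.0 generates build warnings, while the commit message gives the real reason (GHSA-hh2w-p6rv-4g7w) and the condition under which the pin can be dropped (Silk.NET 2.22.1 or later). Put both in the comment so the next person editing Directory.Packages.props knows why the override exists and when it can go, e.g. `<!-- transitive dependency of Silk.NET; 8.0.0 is affected by GHSA-hh2w-p6rv-4g7w; remove once Silk.NET >= 2.22.1 is referenced -->`. Without that, a future Silk.NET bump is likely to leave a stale pin in place that nobody remembers the purpose of.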

2 comments on commit cf464d4

@YoshiRulz
Member


I expect this change is harmless, but we shouldn't be doing this to hide such a warning. Do you have both .NET 8 and .NET 9 installed? I would have thought /global.json would determine which is used. (Or maybe that's exactly the problem.)

@Morilli
Collaborator Author

@Morilli Morilli commented on cf464d4 Dec 3, 2024


I only have the .NET 9 SDK installed and am building with that. Even installing the .NET 8 SDK will not cause the solution to be built with it, because the global.json specifies a rollForward policy of latestMajor, which is documented as "Uses the highest installed .NET SDK with a version that's greater than or equal to the specified value. If not found, fail."

I disagree that we "shouldn't be doing this to hide such a warning"; the warning is valid, and just because it's not shown with the .NET 8 SDK doesn't mean the problem magically disappears. I expect lots of packages to bump their dependencies now that the .NET 9 SDK shows warnings for vulnerable ones on build.
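The thread above is about a Central Package Management pin (Directory.Packages.props) that the .NET 9 SDK flagged against a GitHub advisory. As an added example, not code from the repository or from either commenter, the following script parses a `Directory.Packages.props` and reports any `PackageVersion` whose pinned version is below the first fixed version in a small advisory table. The GHSA id is the one named in the commit message; the "patched" version is the one the commit pins (9.0.0), because the page does not state the advisory's exact affected range. The sample props file is constructed to resemble the hunk above.

```python
"""Check a Directory.Packages.props (NuGet Central Package Management) against a
small advisory table. Added example; the advisory table is constructed for
illustration except for the GHSA id named in the commit message."""
import xml.etree.ElementTree as ET
from typing import NamedTuple

# Constructed sample props file, modelled on the hunk in the commit (pre-fix state).
SAMPLE_PROPS = """<Project>
  <ItemGroup>
    <PackageVersion Include="System.Runtime.CompilerServices.Unsafe" Version="6.0.0" />
    <PackageVersion Include="System.Text.Json" Version="8.0.0" />
    <PackageVersion Include="Vortice.Direct3D11" Version="2.4.2" />
  </ItemGroup>
</Project>
"""


class Advisory(NamedTuple):
    ghsa: str
    package: str
    patched: tuple  # first version that the check treats as no longer affected


# GHSA id from the commit message; 9.0.0 is the version the commit pins. This is
# the minimum the check enforces here, not the advisory's exact affected range
# (assumption: the page does not state that range).
ADVISORIES = [Advisory("GHSA-hh2w-p6rv-4g7w", "System.Text.Json", (9, 0, 0))]


def parse_version(text):
    """Turn a NuGet version string into a comparable 3-tuple.

    Prerelease suffixes ("9.0.0-preview.1") are dropped, and short versions
    ("9.0") are padded so tuple comparison behaves like a release-number compare.
    """
    release = text.split("-", 1)[0]
    parts = tuple(int(p) for p in release.split("."))
    return parts + (0,) * (3 - len(parts))


def pinned_versions(props_xml):
    """Map package id -> pinned version string for every PackageVersion element."""
    root = ET.fromstring(props_xml)
    return {el.get("Include"): el.get("Version") for el in root.iter("PackageVersion")}


def vulnerable_pins(props_xml, advisories=ADVISORIES):
    """Return (package, pinned_version, ghsa) for each pin below its advisory's patched version."""
    pins = pinned_versions(props_xml)
    findings = []
    for adv in advisories:
        version = pins.get(adv.package)
        if version is not None and parse_version(version) < adv.patched:
            findings.append((adv.package, version, adv.ghsa))
    return findings


if __name__ == "__main__":
    for package, version, ghsa in vulnerable_pins(SAMPLE_PROPS):
        print(f"{package} {version} is below the fixed version for {ghsa}")
```

Running it against the constructed file reports the 8.0.0 pin; after substituting the 9.0.0 pin from the commit the report is empty. The same check works on any props file read from disk, since `pinned_versions` only needs the XML text.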
