[C#] Security issue in JSON dependency

[amol-]

It seems that C# integration tests have started failing due to a security issue having been reported for System.Text.Json

  /arrow/csharp/test/Apache.Arrow.IntegrationTest/Apache.Arrow.IntegrationTest.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.4 has a known high severity vulnerability, https://github.com/advisories/GHSA-8g4q-xg66-9fp4 [/arrow/csharp/Apache.Arrow.sln]

Component(s)

C#

[CurtHagenlocher]

Odd; it's been days since Dependabot has sent a PR for this in the arrow-adbc repo. Maybe it's backed up for Arrow?

This is an easy enough change -- just update to 8.0.5 -- and if no one else does it I'll be able to do it later today.

[raulcd]

@CurtHagenlocher is this required for 18.0.0?

[CurtHagenlocher]

@CurtHagenlocher is this required for 18.0.0?

Yes, we should update this for 18.0.0.

[CurtHagenlocher]

@raulcd I take that back, the dependency in question is used only in test code so it probably doesn't need to be a blocker for 18.0.0.

[raulcd]

Thanks, that makes sense. There's a couple more issues found that will make us create a new release candidate.
Let's leave it as 18.0.0 for now and if it's done before those I'll cherry pick it.

[CurtHagenlocher]

I should have looked more closely at this yesterday. The warning is not coming on the main branch (which was indeed fixed due to Dependabot) but probably from the release branch? In any event, the PR which addressed this in main was #44343.

[raulcd]

Thanks @CurtHagenlocher. I've added the backport-candidate label to the PR. I'll cherry-pick manually if we end up doing a new RC. I close this as completed.