Microsoft.Owin.Security.WsFederation has a vulnerable Newtonsoft.Json package dependency #522
Microsoft.Owin.Security.WsFederation has a Newtonsoft.Json v10.0.3 package dependency which is vulnerable, as can be seen here as well. Could you please upgrade this package to the latest version to resolve this vulnerability so we could also upgrade it? Thanks.
Comments
The version has already been updated, it looks like, on Sep 8, 2022. We just have to create a new release?
You can update your Newtonsoft.Json dependency with a direct reference; you don't require any updates from Microsoft.Owin. This is common practice for patching.
@Tratcher Actually, I'm already using the latest version of Newtonsoft.Json in my project, but MEND is still detecting the vulnerabilities of transitive packages such as Microsoft.Owin.
Then the tool isn't checking what you're actually using, just what some dependencies have referenced. You're fine if you've updated the dependency locally.
@Tratcher There was one more thing I forgot to mention. The project.assets.json file is showing those dependencies as well, with lower versions of Newtonsoft. Could that cause any issue?
? I thought project.assets.json was only for .NET Core projects.
@Tratcher Not sure how it's generated in our project built with .NET Framework. No one in the team seems to know about this.
Do we have a timeline when 4.2.3 would be released?
No, you'd have to convince @adityamandaleeka that it's urgent.
I'm also waiting on 4.2.3 for #513. 4.2.2 was last released almost two years ago, so why the delay?
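The point made in the thread is that a scanner should look at what the project actually resolves, not at the floor a dependency such as Microsoft.Owin.Security.WsFederation declares; project.assets.json records both. The script below is an added example (not code from the Microsoft.Owin project or from anyone in this thread) that reads an assets file and reports, per target framework, the resolved Newtonsoft.Json version next to each dependent's declared floor; the inline assets file and the 13.0.1 "patched" threshold are constructed assumptions, not values taken from the issue.

```python
import json
import re
# Constructed sample of a project.assets.json for a .NET Framework project that references
# Microsoft.Owin.Security.WsFederation (which declares Newtonsoft.Json >= 10.0.3) and adds a
# direct Newtonsoft.Json 13.0.1 reference, so NuGet resolves the higher version.
SAMPLE_ASSETS = json.dumps({"version": 3, "targets": {".NETFramework,Version=v4.7.2": {
    "Microsoft.Owin.Security.WsFederation/4.2.2": {"type": "package", "dependencies": {
        "Microsoft.Owin.Security": "4.2.2", "Newtonsoft.Json": "10.0.3"}},
    "Microsoft.Owin.Security/4.2.2": {"type": "package", "dependencies": {"Microsoft.Owin": "4.2.2"}},
    "Microsoft.Owin/4.2.2": {"type": "package"},
    "Newtonsoft.Json/13.0.1": {"type": "package"}}}})

def parse_version(s):
    """Make '13.0.1' or '10.0.3-beta1' comparable; a prerelease sorts below its release."""
    core, _, pre = s.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    return nums + (0,) * (4 - len(nums)) + (pre == "", pre)

def declared_minimum(range_str):
    """NuGet ranges: '10.0.3' and '[10.0.3, )' both mean >= 10.0.3; return the floor version."""
    m = re.match(r"^[\[(]?\s*([0-9][^,\])\s]*)", range_str)
    return m.group(1) if m else range_str

def audit(assets_json, package, fixed_version):
    """Per target framework, report the version NuGet actually resolved for `package`,
    which packages merely declare a (possibly old) floor on it, and whether the resolved
    version is still below `fixed_version` (the patched floor you take from the advisory)."""
    report = {}
    for tfm, entries in json.loads(assets_json)["targets"].items():
        resolved, dependents = {}, {}
        for key, entry in entries.items():
            name, _, version = key.partition("/")   # keys look like "Name/Version"
            resolved[name] = version
            deps = entry.get("dependencies", {})
            if package in deps:
                dependents[name] = declared_minimum(deps[package])
        actual = resolved.get(package)
        report[tfm] = {"resolved": actual, "declared_by": dependents,
                       "vulnerable": actual is not None
                       and parse_version(actual) < parse_version(fixed_version)}
    return report

if __name__ == "__main__":
    # 13.0.1 is an assumed patched floor for this demo, not a value taken from the issue.
    for tfm, result in audit(SAMPLE_ASSETS, "Newtonsoft.Json", "13.0.1").items():
        print(tfm, result)
```

Point it at the real obj/project.assets.json of the project the scanner complains about: a "declared_by" entry with an old floor but a "resolved" version at or above the fixed one is exactly the case where the tool is reading declarations rather than the resolved graph.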