Newtonsoft.Json in Microsoft.Owin.Security.OpenIdConnect 4.2.1+
LeaFrock opened this issue · 3 comments
I notice that Newtonsoft.Json is imported into Microsoft.Owin.Security.OpenIdConnect as of 4.2.1, by the commit #445. But it does not seem necessary in the lib (it does not exist in <= 4.2.0). Would it be a mistake?
Hmm, it was a dependency in the packages.config and csproj before, just not in the nuspec.
https://github.com/aspnet/AspNetKatana/pull/445/files#diff-084275d594dd04922d1dc3761776817dcd827c5bf5fe439ef5db27471f4f6050L8
https://github.com/aspnet/AspNetKatana/pull/445/files#diff-3d491409cd3c055cdf88c0a70191d8b0b2db6bf622dbf2f58d1599b273a8e2d4L64
https://github.com/aspnet/AspNetKatana/pull/445/files#diff-ee9f728333c800f2f9a62aee6c92ce27022386748eb5229dc86850408cd19960L22
I'll have to check if it works without that reference. The Microsoft.IdentityModel dependencies used to require Newtonsoft.Json.
Oh, System.IdentityModel.Tokens.Jwt 5.3 pulled in Newtonsoft.Json transitively, so it was required; it just didn't need to be listed in the top level nuspec/nupkg.
https://www.nuget.org/packages/System.IdentityModel.Tokens.Jwt/5.3.0#dependencies-body-tab
> it just didn't need to be listed in the top level nuspec/nupkg.

Ah, got it. Thanks!
The reason for this issue is that the NuGet manager shows a security warning for Newtonsoft.Json after I upgraded the Microsoft.Owin.Security.* packages. As the nupkg lists Newtonsoft.Json 10.0.3 (which did not show in the list before) and that version is outdated, I feel confused. Now I've upgraded Newtonsoft.Json to 13.0.1 to fix the warning.