aspnet/AspNetWebStack

BDSA-2018-5195 vulnerability by BD hub for Newtonsoft version JamesNK/Newtonsoft.Json 11.0.2

rsrinivasanhome opened this issue · 2 comments

Hi,

Can the version of Newtonsoft.Json be bumped up to 13.0.1? BD hub is raising a vulnerability: BDSA-2018-5195.

For more info, refer to this link:
JamesNK/Newtonsoft.Json#2535
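A defender's check for the request above, as an added example that is not code from the AspNetWebStack repository or from the issue author: it parses the two manifest formats a legacy ASP.NET repository pins packages in (packages.config and PackageReference items in a .csproj) and flags every Newtonsoft.Json reference older than the 13.0.1 version asked for. The sample manifests are constructed; 13.0.1 is used as the floor because that is the version named in the issue.

```python
"""Flag Newtonsoft.Json references below the version requested in the issue.
Added example (not AspNetWebStack code); sample manifests below are constructed."""
import xml.etree.ElementTree as ET

PACKAGE = "Newtonsoft.Json"
FIXED_VERSION = "13.0.1"  # version the issue asks for, used as the floor (assumption)

# Constructed sample manifests, not taken from the repository.
PACKAGES_CONFIG = """<packages>
  <package id="Newtonsoft.Json" version="11.0.2" targetFramework="net45" />
  <package id="Newtonsoft.Json.Bson" version="1.0.2" targetFramework="net45" />
</packages>"""
CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="newtonsoft.json" Version="13.0.1" />
    <PackageReference Include="Newtonsoft.Json"><Version>10.0.3</Version></PackageReference>
  </ItemGroup>
</Project>"""

def parse_version(text):
    """'11.0.2' or '13.0.1-beta1' -> tuple of ints; a prerelease suffix is ignored."""
    return tuple(int(p) for p in text.split("-", 1)[0].split("."))

def find_references(xml_text):
    """Yield (package_id, version) from packages.config entries and PackageReference items."""
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.split("}", 1)[-1]  # drop an MSBuild namespace if one is present
        if tag == "package":  # packages.config: <package id=".." version=".." />
            yield el.get("id"), el.get("version")
        elif tag == "PackageReference":  # SDK style: Version attribute or nested <Version>
            version = el.get("Version")
            if version is None:
                child = el.find("Version")
                version = child.text if child is not None else None
            yield el.get("Include"), version

def vulnerable_references(xml_text, package=PACKAGE, fixed=FIXED_VERSION):
    """Return [(id, version)] for references to `package` older than `fixed`.
    NuGet package ids are case-insensitive, so the comparison lowercases both."""
    floor = parse_version(fixed)
    return [(pid, ver) for pid, ver in find_references(xml_text)
            if pid and pid.lower() == package.lower() and ver and parse_version(ver) < floor]

if __name__ == "__main__":
    for name, text in (("packages.config", PACKAGES_CONFIG), ("Sample.csproj", CSPROJ)):
        print(name, vulnerable_references(text))
```

Run it over every packages.config and *.csproj in a checkout to see which projects still pin the old package.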

Working on this in #352, but the change is going poorly for this legacy repository.

This will be fixed in the next ASP.NET / MVC release. We're hoping to do that before the end of February but have more work to do. The code is no longer impacted by the vulnerability referenced here.

Relevant PRs included:

Other PRs in the gaps above helped get us from old versions of Newtonsoft.Json and Newtonsoft.Json.Bson. But those were the main ones that actually changed the versions and reacted (mostly in tests) to changes in the new packages.

If it matters, the next release will likely be versioned 3.3.0 and 5.3.0. The Microsoft.AspNet.WebApi.Client package will probably jump to 6.0.0 due to significant changes there.