'Newtonsoft.Json' severity vulnerability issue and dependency constraint with 'Prime.Kernel.TestMethodResources.Release'

Question

'Newtonsoft.Json' severity vulnerability issue and dependency constraint with 'Prime.Kernel.TestMethodResources.Release'

Closed this issue 5 months ago · 3 comments

Hi Bryan,

I encountered one Newtonsoft.Json severity vulnerability issue when I use Visual Studio 2022 (Rev 17.9.4 or later rev, no issue on earlier rev) to build my repo, it will cause build fail or some files missing after build. Error description shows here:

I tried to follow the link (GHSA-5crp-9r3c-p9vr) to update the package 'Newtonsoft.Json' to rev >13.0.1, but it failed since there is a dependency constraint with another package 'Prime.Kernel.TestMethodResources.Release', error shows below:

The 'Prime.Kernel.TestMethodResources.Release' is already the latest stable rev, but it requests the Newtonsoft.json rev = 12.0.3.

Could you please help on it? Any help on it will be appreciated!

Answer 1 · 2024-04-02T01:48:04.000Z

Ah, I see the confusion. 'Prime.Kernel.TestMethodResources.Release' has nothing to do with my package. You are confusing my package with someone else's. My nuget package, Prime, is a pure functional programming library for F# - https://www.nuget.org/packages/Prime/ https://github.com/bryanedds/Prime You however are using some other package, albeit with a similar name. Please figure out which package you're actually using and follow up with its maintainer instead. Thank you! - Bryan

…

On Mon, Apr 1, 2024 at 9:22 PM dongruiy ***@***.***> wrote: Hi Bryan, I encountered one Newtonsoft.Json severity vulnerability issue when I use Visual Studio 2022 (Rev 17.9.4 or later rev, no issue on earlier rev) to build my repo, it will cause build fail or some files missing after build. Error description shows here: 1.png (view on web) <https://github.com/bryanedds/Prime/assets/117890400/84c65830-6a01-4b62-89f6-7e0a937aa58f> I tried to follow the link (GHSA-5crp-9r3c-p9vr <https://github.com/advisories/GHSA-5crp-9r3c-p9vr>) to update the package 'Newtonsoft.Json' to rev >13.0.1, but it failed since there is a dependency constraint with another package 'Prime.Kernel.TestMethodResources.Release', error shows below: 2.png (view on web) <https://github.com/bryanedds/Prime/assets/117890400/59baa9bd-736b-4df9-83ad-8fdd90a7e5f1> The 'Prime.Kernel.TestMethodResources.Release' is already the latest stable rev, but it requests the Newtonsoft.json rev = 12.0.3. 3.png (view on web) <https://github.com/bryanedds/Prime/assets/117890400/bb06719b-4279-4991-8a03-71fc58dc50c3> Could you please help on it? Any help on it will be appreciated! — Reply to this email directly, view it on GitHub <#52>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAMM3WEHKJKNN2ZWG3EFMT3Y3IB5XAVCNFSM6AAAAABFSO5NMKVHI2DSMVQWIX3LMV43ASLTON2WKOZSGIYTSMZYHAYTAMI> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

Answer 2 · 2024-04-02T01:49:07.000Z

Closed because the package at issue is not related to ours (they merely have similar names).

Answer 3 · 2024-04-02T02:41:44.000Z

Oh I see. Let me try to find the correct package owner. Thank you for your help, Bryan.