There have already been some issues regarding transitive dependencies to the vulnerable System.Text.Json 8.0.0 (e.g. #104619, #104705, #104669).
My question is: since System.Text.Json is shipped inbox with .NET itself, why do e.g. net8.0 targeted assemblies even depend on the System.Text.Json package? Is there a technical reason for this?
Removing the dependency altogether would avoid a lot of false positives from NuGet audit and avoid the chore of keeping the package up-to-date.
Some affected packages that we noticed in our project (I assume there are a lot more):
Microsoft.Extensions.Logging.Console
Microsoft.Extensions.Configuration.Json
System.Memory.Data