davidmrdavid
commented
5 months ago @shankarsama: is this change ok with you for DTFx.AzureServiceFabric?
Closed davidmrdavid closed 3 months ago
davidmrdavid
commented
5 months ago @shankarsama: is this change ok with you for DTFx.AzureServiceFabric?
davidmrdavid
commented
3 months ago @shankarsama and I sync'ed offline, got approval to merge.
Follow up to: https://github.com/Azure/durabletask/pull/1023
As of recently, building the DTFx project failed with errors of the following kind:
"Warning as Error: Package has a known high severity vulnerability" and it points to this advisory: "
The warnings were for:
Newtonsoft.Json < 13.0.1, which linked to: https://github.com/advisories/GHSA-5crp-9r3c-p9vr
This issue was addressed (by supressing the warning) in DTFx.Core and DTFx.AzureStorage here: https://github.com/Azure/durabletask/pull/1023. Suppressing the warning was chosen because it prevents breaking changes and the advisory is only triggered when customers have immensely nested objects, something they have direct control over.
In this PR, we address it across other backends by removing Newtonsoft.Json as a direct dependency of these backends. Moving forward, we'd obtain this dependency transitively from DTFx.Core, which reduces our dependency management burden.