Closed LeaFrock closed 2 years ago
Hmm, it was a dependency in the packages.config and csproj before, just not in the nuspec. https://github.com/aspnet/AspNetKatana/pull/445/files#diff-084275d594dd04922d1dc3761776817dcd827c5bf5fe439ef5db27471f4f6050L8 https://github.com/aspnet/AspNetKatana/pull/445/files#diff-3d491409cd3c055cdf88c0a70191d8b0b2db6bf622dbf2f58d1599b273a8e2d4L64 https://github.com/aspnet/AspNetKatana/pull/445/files#diff-ee9f728333c800f2f9a62aee6c92ce27022386748eb5229dc86850408cd19960L22
I'll have to check if it works without that reference. The Microsoft.IdentityModel
dependencies used to require Newtonsoft.Json.
Oh, System.IdentityModel.Tokens.Jwt 5.3 pulled in Newtonsoft.Json transitively, so it was required, it just didn't need to be listed in the top level nuspec/nupkg. https://www.nuget.org/packages/System.IdentityModel.Tokens.Jwt/5.3.0#dependencies-body-tab
it just didn't need to be listed in the top level nuspec/nupkg.
Ah, got it. Thanks!
The reason of this issue is that, the Nuget manager shows a security warning of Newtonsoft.Json
after I upgrade Microsoft.Owin.Security.*
packages. As the nupkg lists Newtonsoft.Json 10.0.3
(which not show in list before) and that version has been outdated, I feel confused. Now I've upgraded Newtonsoft.Json
to 13.0.1 to fix the warnning.
I notice that Newtonsoft.Json is imported into
Microsoft.Owin.Security.OpenIdConnect
at the beginning of 4.2.1, by the commit #445 .But it seems not necessary in the lib (which not exists <= 4.2.0). Would it be a mistake?