aspnet / AspNetKatana

Microsoft's OWIN implementation, the Katana project
Apache License 2.0

Newtonsoft.Json in Microsoft.Owin.Security.OpenIdConnect 4.2.1+ #478

Closed LeaFrock closed 2 years ago

LeaFrock commented 2 years ago

I notice that Newtonsoft.Json is imported into Microsoft.Owin.Security.OpenIdConnect starting with 4.2.1, by commit #445.

But it doesn't seem necessary in the lib (it didn't exist in <= 4.2.0). Would it be a mistake?

Tratcher commented 2 years ago

Hmm, it was a dependency in the packages.config and csproj before, just not in the nuspec. https://github.com/aspnet/AspNetKatana/pull/445/files#diff-084275d594dd04922d1dc3761776817dcd827c5bf5fe439ef5db27471f4f6050L8 https://github.com/aspnet/AspNetKatana/pull/445/files#diff-3d491409cd3c055cdf88c0a70191d8b0b2db6bf622dbf2f58d1599b273a8e2d4L64 https://github.com/aspnet/AspNetKatana/pull/445/files#diff-ee9f728333c800f2f9a62aee6c92ce27022386748eb5229dc86850408cd19960L22

I'll have to check if it works without that reference. The Microsoft.IdentityModel dependencies used to require Newtonsoft.Json.

Tratcher commented 2 years ago

Oh, System.IdentityModel.Tokens.Jwt 5.3 pulled in Newtonsoft.Json transitively, so it was required, it just didn't need to be listed in the top level nuspec/nupkg. https://www.nuget.org/packages/System.IdentityModel.Tokens.Jwt/5.3.0#dependencies-body-tab

LeaFrock commented 2 years ago

it just didn't need to be listed in the top level nuspec/nupkg.

Ah, got it. Thanks!

The reason for this issue is that the NuGet manager shows a security warning for Newtonsoft.Json after I upgrade the Microsoft.Owin.Security.* packages. As the nupkg lists Newtonsoft.Json 10.0.3 (which did not show in the list before) and that version is outdated, I was confused. Now I've upgraded Newtonsoft.Json to 13.0.1 to fix the warning.
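The mechanics discussed in this thread are worth seeing in code: a nuspec dependency entry such as `Newtonsoft.Json 10.0.3` is a floor (any version >= 10.0.3 is accepted), so the consuming project's own pinned reference to 13.0.1 satisfies it, which is why adding a direct reference to the patched version clears the package manager's warning. The script below is an added example written for this thread, not Katana project code. It parses NuGet version specs (bare versions, `[lo, hi)` ranges, and `[x]` exact pins), audits a nuspec and a packages.config against an allow-list of minimum versions, and checks that a pinned version satisfies a nuspec floor. The two manifests are constructed samples, and the 13.0.1 floor for Newtonsoft.Json is taken from the reporter's fix; the `MIN_VERSIONS` allow-list is an assumption standing in for whatever floor a team maintains.

```python
"""Audit NuGet manifests (.nuspec, packages.config) for dependency floors below a
minimum version.  Example code for this thread, not part of Katana."""
import re
import xml.etree.ElementTree as ET

# Assumed allow-list: the lowest version a team accepts for each package.
MIN_VERSIONS = {"Newtonsoft.Json": "13.0.1"}

# Constructed sample: a dependency group shaped like a 4.2.1-era nupkg, where
# Newtonsoft.Json is declared explicitly rather than arriving transitively.
SAMPLE_NUSPEC = """<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>Microsoft.Owin.Security.OpenIdConnect</id>
    <version>4.2.1</version>
    <dependencies>
      <group targetFramework=".NETFramework4.5">
        <dependency id="Microsoft.Owin.Security" version="4.2.1" />
        <dependency id="System.IdentityModel.Tokens.Jwt" version="[5.3.0, 6.0.0)" />
        <dependency id="Newtonsoft.Json" version="10.0.3" />
      </group>
    </dependencies>
  </metadata>
</package>
"""

# Constructed sample: the consuming project's packages.config after the fix,
# pinning Newtonsoft.Json directly at 13.0.1.
SAMPLE_PACKAGES_CONFIG = """<?xml version="1.0"?>
<packages>
  <package id="Microsoft.Owin.Security.OpenIdConnect" version="4.2.1" targetFramework="net48" />
  <package id="Newtonsoft.Json" version="13.0.1" targetFramework="net48" />
</packages>
"""

_RANGE = re.compile(r"^([\[(])\s*([^,\]\)]*?)\s*(?:(,)\s*([^\]\)]*?)\s*)?([\])])$")


def parse_version(text):
    """Comparable 4-tuple for '10.0.3' or '13.0.1-beta1' (prerelease tag dropped)."""
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple(parts + [0] * (4 - len(parts)))


def parse_spec(spec):
    """Return (lo, lo_inclusive, hi, hi_inclusive); None means unbounded on that side.
    A bare '10.0.3' means >= 10.0.3; '[5.3.0, 6.0.0)' is a range; '[10.0.3]' is exact."""
    m = _RANGE.match(spec.strip())
    if not m:
        return parse_version(spec), True, None, True
    lo = parse_version(m.group(2)) if m.group(2) else None
    if m.group(3) is None:  # no comma: exact pin
        return lo, True, lo, True
    hi = parse_version(m.group(4)) if m.group(4) else None
    return lo, m.group(1) == "[", hi, m.group(5) == "]"


def in_range(version, spec):
    """True if a concrete version satisfies a nuspec dependency spec."""
    v = parse_version(version)
    lo, lo_inc, hi, hi_inc = parse_spec(spec)
    if lo is not None and (v < lo or (v == lo and not lo_inc)):
        return False
    if hi is not None and (v > hi or (v == hi and not hi_inc)):
        return False
    return True


def admits_below(spec, floor):
    """True if the spec accepts at least one version below `floor`."""
    lo = parse_spec(spec)[0]
    return lo is None or lo < parse_version(floor)


def audit_nuspec(xml_text):
    """List (id, declared spec, required floor) for nuspec deps whose floor is too low."""
    findings = []
    for dep in ET.fromstring(xml_text).iter():
        if dep.tag.split("}")[-1] != "dependency" or dep.get("id") not in MIN_VERSIONS:
            continue
        floor = MIN_VERSIONS[dep.get("id")]
        if admits_below(dep.get("version", ""), floor):  # missing version = any
            findings.append((dep.get("id"), dep.get("version"), floor))
    return findings


def audit_packages_config(xml_text):
    """List (id, pinned version, required floor) for pins below the allow-list floor."""
    return [(p.get("id"), p.get("version"), MIN_VERSIONS[p.get("id")])
            for p in ET.fromstring(xml_text).findall("package")
            if p.get("id") in MIN_VERSIONS
            and parse_version(p.get("version", "0")) < parse_version(MIN_VERSIONS[p.get("id")])]


if __name__ == "__main__":
    for pkg, spec, floor in audit_nuspec(SAMPLE_NUSPEC):
        print(f"nuspec: {pkg} {spec} admits versions below {floor}")
    for pkg, ver, floor in audit_packages_config(SAMPLE_PACKAGES_CONFIG):
        print(f"packages.config: {pkg} {ver} is below {floor}")
    print("pinned 13.0.1 satisfies the nuspec floor 10.0.3:", in_range("13.0.1", "10.0.3"))
```

Run against the two samples, the nuspec audit flags the 10.0.3 floor while the packages.config audit is clean, and `in_range` confirms the direct 13.0.1 pin still satisfies the package's declared dependency. The same functions work on a real nuspec extracted from a nupkg (it is a zip) or a project's packages.config, which is a quick way to see which floors a consumed package actually declares before the package manager raises a warning.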