aspnet / AspNetKatana

Microsoft's OWIN implementation, the Katana project
Apache License 2.0
959 stars, 331 forks

Microsoft.Owin.Security.WsFederation has a vulnerable Newtonsoft.Json package dependency #522

Open suuyashgupta opened 5 months ago

suuyashgupta commented 5 months ago

Microsoft.Owin.Security.WsFederation has a Newtonsoft.Json v10.0.3 package dependency which is vulnerable as can be seen here as well. Could you please upgrade this package to latest to resolve this vulnerability so we could also upgrade it? Thanks.

suuyashgupta commented 5 months ago

The version has already been updated, it looks like, on Sep 8, 2022. We just have to create a new release?

Tratcher commented 5 months ago

You can update your Newtonsoft.Json dependency with a direct reference; you don't require any updates from Microsoft.Owin. This is common practice for patching.

suuyashgupta commented 5 months ago

@Tratcher Actually, I'm already using the latest version of Newtonsoft.Json in my project but MEND is still detecting the vulnerabilities of transitive packages such as Microsoft.Owin.

Tratcher commented 5 months ago

Then the tool isn't checking what you're actually using, just what some dependencies have referenced. You're fine if you've updated the dependency locally.

suuyashgupta commented 5 months ago

@Tratcher There was one more thing I forgot to mention. The project.assets.json file is showing those dependencies as well, with lower versions of Newtonsoft. Could that cause any issue?

Tratcher commented 5 months ago

? I thought project.assets.json was only for .NET Core projects.

suuyashgupta commented 4 months ago

@Tratcher Not sure how it's generated in our project built with .NET Framework. No one in the team seems to know about this.
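The exchange above turns on a distinction that a scanner can get wrong: NuGet restore writes project.assets.json for any project that uses PackageReference (SDK-style or classic .NET Framework alike), and under `targets` it records two different things for each framework: one node per package that was actually resolved (`"Newtonsoft.Json/<version>"`) and, inside each package node, the `dependencies` ranges that package declares, which are lower bounds, not what gets loaded. A tool that reads the declared ranges will keep reporting the old Newtonsoft.Json minimum even after a direct reference has pulled in a newer version. The following script is an added example, not code from the Katana project; it parses a constructed, trimmed project.assets.json (the resolved Newtonsoft.Json version 13.0.1 and the 4.2.2 package versions are sample values chosen for illustration) and lists every package whose resolved version differs from a minimum declared somewhere in the graph.

```python
"""Audit a NuGet project.assets.json: compare the package versions restore
actually resolved against the minimum versions each dependency declares."""
import json

# Constructed sample of a project.assets.json, trimmed to the fields that
# matter here, modelling the situation in the thread: a direct reference to a
# newer Newtonsoft.Json while Microsoft.Owin.Security.WsFederation still
# declares a 10.0.3 minimum. Not real restore output.
SAMPLE_ASSETS_JSON = r'''
{
  "version": 3,
  "targets": {
    ".NETFramework,Version=v4.7.2": {
      "Microsoft.Owin.Security.WsFederation/4.2.2": {
        "type": "package",
        "dependencies": {
          "Microsoft.Owin.Security": "4.2.2",
          "Newtonsoft.Json": "10.0.3"
        }
      },
      "Microsoft.Owin.Security/4.2.2": {
        "type": "package",
        "dependencies": { "Microsoft.Owin": "4.2.2" }
      },
      "Microsoft.Owin/4.2.2": { "type": "package" },
      "Newtonsoft.Json/13.0.1": { "type": "package" }
    }
  },
  "projectFileDependencyGroups": {
    ".NETFramework,Version=v4.7.2": [
      "Microsoft.Owin.Security.WsFederation >= 4.2.2",
      "Newtonsoft.Json >= 13.0.1"
    ]
  }
}
'''

TFM = ".NETFramework,Version=v4.7.2"


def parse_version(text):
    """Turn '10.0.3' into (10, 0, 3). Accepts a NuGet range such as
    '[10.0.3, )' by taking its lower bound, and drops a prerelease suffix."""
    text = text.strip().lstrip("[(").split(",")[0].strip()
    text = text.split("-")[0]
    return tuple(int(part) for part in text.split(".") if part.isdigit())


def resolved_versions(assets, target):
    """Package id -> version that restore actually selected for the target."""
    result = {}
    for key in assets["targets"][target]:
        pkg_id, _, version = key.partition("/")
        result[pkg_id] = version
    return result


def declared_minimums(assets, target):
    """Package id -> list of (dependant, declared range) as stated by every
    package in the graph. These are lower bounds, not the loaded version."""
    result = {}
    for key, node in assets["targets"][target].items():
        dependant = key.partition("/")[0]
        for dep_id, rng in node.get("dependencies", {}).items():
            result.setdefault(dep_id, []).append((dependant, rng))
    return result


def audit(assets_text, target):
    """Return one finding per (package, dependant) pair whose resolved version
    is above the declared minimum ('overridden': what a scanner reading only
    declared ranges misreports) or below it ('downgrade': a real problem)."""
    assets = json.loads(assets_text)
    resolved = resolved_versions(assets, target)
    findings = []
    for pkg_id, mins in declared_minimums(assets, target).items():
        actual = resolved.get(pkg_id)
        if actual is None:
            continue
        for dependant, rng in mins:
            if parse_version(actual) > parse_version(rng):
                status = "overridden"
            elif parse_version(actual) < parse_version(rng):
                status = "downgrade"
            else:
                continue
            findings.append({"package": pkg_id, "resolved": actual,
                             "declared_by": dependant, "declared_min": rng,
                             "status": status})
    return findings


def overridden_packages(assets_text, target):
    """Ids of packages where a newer (typically direct) reference won over a
    transitive minimum; these are the entries a scanner may flag spuriously."""
    return sorted({f["package"] for f in audit(assets_text, target)
                   if f["status"] == "overridden"})


if __name__ == "__main__":
    for finding in audit(SAMPLE_ASSETS_JSON, TFM):
        print(f"{finding['package']}: resolved {finding['resolved']}, "
              f"{finding['declared_by']} declares >= {finding['declared_min']} "
              f"({finding['status']})")
```

Run it against a real project.assets.json by replacing `SAMPLE_ASSETS_JSON` with the file contents and `TFM` with the framework key under `targets`. An `overridden` finding for Newtonsoft.Json is the expected, healthy outcome after adding a direct `<PackageReference Include="Newtonsoft.Json" Version="..." />` to the project file as suggested above; a `downgrade` finding means the project has pinned a version below what a dependency asks for and deserves a closer look.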

suuyashgupta commented 4 months ago

Do we have a timeline when 4.2.3 would be released?

Tratcher commented 4 months ago

No, you'd have to convince @adityamandaleeka that it's urgent.

jthorpe80 commented 4 months ago

I'm also waiting on 4.2.3 for #513. 4.2.2 was last released almost two years ago, so why the delay?