jborean93 / omi

Open Management Infrastructure

Vulnerable version of Newtonsoft.json installed #73

Closed waissbluth closed 8 months ago

waissbluth commented 8 months ago
SUMMARY

Installing PSWSMan brings Newtonsoft.Json version 12.0.3 as a dependency. This is noted in the bin/PSWSMan.deps.json file after installation.

Newtonsoft.Json has a vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2024-21907) which is fixed in version 13.0.1.

Would it be possible to release a new version with updated dependencies? Thank you!

MODULE VERSION
ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.3.1                 PSWSMan                             {Disable-…
OS / ENVIRONMENT

powershell-7.4.1-linux-musl-x64

jborean93 commented 8 months ago

See https://github.com/jborean93/PSWSMan/issues/11. This library has no dependencies of its own. The only things you are seeing are probably references to System.Management.Automation as the module was built a while ago.

waissbluth commented 8 months ago

Wow @jborean93 thanks for the quick response!

What I mean is, would there be a chance to rebuild it with current dependencies? Would that need to be a new version?

jborean93 commented 8 months ago

This library has no dependencies; the values in the json file are just a snapshot of the dependencies of PowerShell (System.Management.Automation) when the module was built. There is nothing that needs to be updated as this module doesn't ship or rely on any of it.
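As an added example (not PSWSMan's own code, nor from anyone in this thread), the following PowerShell shows how to verify the point made above: it reads a .deps.json, lists every assembly it declares, and reports whether that DLL is actually present beside the manifest or only in the PowerShell host under $PSHOME. It assumes you point it at bin/PSWSMan.deps.json; the temp path and sample JSON in the demo are constructed.

```powershell
# Added example (not PSWSMan's code): lists every DLL a .deps.json declares
# and checks whether it is actually shipped beside the manifest. A declared
# but absent DLL is just a snapshot of the host's (PowerShell's) dependency
# graph at build time, as the maintainer explains. Demo data is constructed.
function Get-DepsJsonAssemblyStatus {
    param([Parameter(Mandatory)][string]$DepsJsonPath)
    $deps   = Get-Content -LiteralPath $DepsJsonPath -Raw | ConvertFrom-Json
    $binDir = Split-Path -Parent $DepsJsonPath
    foreach ($target in $deps.targets.PSObject.Properties) {
        foreach ($pkg in $target.Value.PSObject.Properties) {
            $runtime = $pkg.Value.runtime
            if (-not $runtime) { continue }
            foreach ($asm in $runtime.PSObject.Properties) {
                $file = Split-Path -Leaf $asm.Name
                # Is the DLL really present in the module directory?
                $shipped = Test-Path -LiteralPath (Join-Path $binDir $file)
                # Does the PowerShell host carry its own copy, and which version?
                $hostCopy = Get-Item -LiteralPath (Join-Path $PSHOME $file) -ErrorAction SilentlyContinue
                $hostVersion = if ($hostCopy) { $hostCopy.VersionInfo.FileVersion } else { $null }
                [pscustomobject]@{
                    Package         = $pkg.Name
                    Assembly        = $file
                    DeclaredVersion = $asm.Value.fileVersion
                    ShippedInModule = $shipped
                    HostVersion     = $hostVersion
                }
            }
        }
    }
}

# Constructed demo: a minimal deps.json in a temp folder where only the
# module's own DLL exists, so Newtonsoft.Json is reported as declared-only.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'depsjson-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'Example.dll') -Value ''
@'
{ "targets": { ".NETCoreApp,Version=v7.0": {
    "Example/1.0.0": { "runtime": { "Example.dll": {} } },
    "Newtonsoft.Json/12.0.3": { "runtime": {
        "lib/netstandard2.0/Newtonsoft.Json.dll": { "fileVersion": "12.0.3.0" } } }
} } }
'@ | Set-Content -LiteralPath (Join-Path $demo 'Example.deps.json')

Get-DepsJsonAssemblyStatus -DepsJsonPath (Join-Path $demo 'Example.deps.json') | Format-Table -AutoSize
```

A row with ShippedInModule set to False means the module directory carries no such DLL, so a scanner flagging that entry is reporting the host's dependency graph rather than something the module installs.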

rafaelm-br commented 5 months ago

Hey @waissbluth , did you manage to find a solution for your dependency issue? I'm having the same issue and I'm wondering how you solved it

waissbluth commented 5 months ago

> Hey @waissbluth , did you manage to find a solution for your dependency issue? I'm having the same issue and I'm wondering how you solved it

Not really. Went a different direction. If you do figure it out please report back!