restsharp / RestSharp

Simple REST and HTTP API Client for .NET
https://restsharp.dev
Apache License 2.0

System.Text.Json version 8.0.5 not detecting while upgrading from 8.0.4 #2268

Open jithuin opened 2 weeks ago

jithuin commented 2 weeks ago

System.Text.Json version 8.0.4 has been marked as vulnerable, so I just upgraded to 8.0.5

Project type Dotnet Framework V 4.6

System.Text.Json version 8.0.5 not detecting while upgrading from 8.0.4

I expect to upgrade to 8.0.5

alexeyzimarev commented 16 hours ago

If you install the package directly, it should be picked up as a reference.

berndorin commented 16 hours ago

The minimum required version is set to 8.04 for .net471, net48 and netstandard2.0, which is vulnerable. Vulnerability checks like osv-scanner mark the package as vulnerable because of the dependency.

alexeyzimarev commented 15 hours ago

Yeah but scanning by certain tools and avoiding dependency on a vulnerable package are two different things. If 8.0.5 is referenced directly, the application won't have that vulnerability.

h-h- commented 14 hours ago

Please update to 8.0.5! Because of the way our apps are loaded into a separate app domain, I cannot redirect to 8.0.5 and get the error System.IO.FileLoadException: Could not load file or assembly 'System.Text.Json, Version=8.0.0.4, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040). The only way to avoid this is using the vulnerable 8.0.4.