serilog / serilog-aspnetcore

Serilog integration for ASP.NET Core
Apache License 2.0

System.Text.Json version 8.0.4 transitive reference issue via Serilog.AspNetCore 8.0.2 - CVE-2024-43485 #382

Closed tvbishan closed 1 month ago

tvbishan commented 1 month ago

Description

I encountered an issue with a transitive reference to System.Text.Json version 8.0.4 when using Serilog.AspNetCore version 8.0.2. The package reference is shown as a warning in the NuGet package manager (screenshot attached).

Reproduction

  1. Add Serilog.AspNetCore version 8.0.2 to the project.
  2. Observe the transitive dependency on System.Text.Json 8.0.4 in the package manager.

Expected behavior

Either no warning or an explanation of how this transitive dependency is safe to use.

Relevant package, tooling and runtime versions


Numpsy commented 1 month ago

Serilog.Settings.Configuration has been updated to a new version of Microsoft.Extensions.DependencyModel to avoid this issue, but the dependency here hasn't been updated yet. You can update to the newer version of one of those in your own app to fix the issue prior to that happening, though.
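The workaround above relies on a direct PackageReference in your own project winning over the transitive version that Serilog.AspNetCore 8.0.2 pulls in. The script below is an added illustration of how to confirm that such an override is actually present and high enough; it is not code from the Serilog project or from either commenter. The three .csproj files it writes are constructed samples, and the minimum version it checks against is a constructed placeholder, because the page does not state which System.Text.Json version fixes CVE-2024-43485 (take that number from the advisory before using this on a real project).

```shell
#!/bin/sh
# Added example, not Serilog's own code: check whether a .csproj overrides a
# vulnerable transitive package with a direct PackageReference at or above a
# minimum version. MIN_SAFE is a constructed placeholder, not the real patched
# System.Text.Json version; substitute the version named in the advisory.
set -eu

# Print the Version attribute of a direct <PackageReference Include="$2" .../>
# in csproj $1; print nothing when the package is not referenced directly.
direct_version() {
  csproj=$1
  pkg=$2
  sed -n "s/.*<PackageReference[^>]*Include=\"$pkg\"[^>]*Version=\"\([^\"]*\)\".*/\1/p" "$csproj" | head -n 1
}

# Return 0 when dotted numeric version $1 >= $2, 1 otherwise.
# Pre-release suffixes such as "-rc.1" are deliberately not handled.
version_ge() {
  a=$1
  b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    [ -z "$ai" ] && ai=0
    [ -z "$bi" ] && bi=0
    [ "$ai" -gt "$bi" ] && return 0
    [ "$ai" -lt "$bi" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}

# Return 0 when csproj $1 directly references package $2 at version >= $3.
# No direct reference means the transitive version would be used.
pinned_at_least() {
  v=$(direct_version "$1" "$2")
  [ -n "$v" ] && version_ge "$v" "$3"
}

MIN_SAFE="8.0.99"   # constructed placeholder; replace with the advisory's fixed version

# Constructed sample projects (not from the page). NoPin only references
# Serilog.AspNetCore 8.0.2 and so inherits System.Text.Json 8.0.4 transitively;
# LowPin references System.Text.Json directly but still at 8.0.4; HighPin pins a
# constructed higher version that would override the transitive one.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
NO_PIN="$WORK/NoPin.csproj"
LOW_PIN="$WORK/LowPin.csproj"
HIGH_PIN="$WORK/HighPin.csproj"

cat > "$NO_PIN" <<'EOF'
<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Serilog.AspNetCore" Version="8.0.2" />
  </ItemGroup>
</Project>
EOF

cat > "$LOW_PIN" <<'EOF'
<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Serilog.AspNetCore" Version="8.0.2" />
    <PackageReference Include="System.Text.Json" Version="8.0.4" />
  </ItemGroup>
</Project>
EOF

cat > "$HIGH_PIN" <<'EOF'
<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Serilog.AspNetCore" Version="8.0.2" />
    <PackageReference Include="System.Text.Json" Version="9.0.0" />
  </ItemGroup>
</Project>
EOF

for f in "$NO_PIN" "$LOW_PIN" "$HIGH_PIN"; do
  if pinned_at_least "$f" System.Text.Json "$MIN_SAFE"; then
    echo "$(basename "$f"): direct System.Text.Json pin at or above $MIN_SAFE"
  else
    echo "$(basename "$f"): no adequate direct pin; transitive version would be used"
  fi
done
```

This only reads the project file text, so it will not see versions managed through central package management (Directory.Packages.props) or resolved by NuGet at restore time. The authoritative check in a real repository is `dotnet list package --vulnerable --include-transitive`, which walks the resolved dependency graph; the script is useful as a quick pre-commit guard that the direct override has not been dropped.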