serilog / serilog-settings-configuration

A Serilog configuration provider that reads from Microsoft.Extensions.Configuration
Apache License 2.0

References to versions of System.Text.Json with CVEs #425

Closed Numpsy closed 1 month ago

Numpsy commented 1 month ago

I see that similar situations to this have been reported in the past, with some debate about whether the references here should be updated or not (e.g. #341), but raising the question in case:

There is a transitive dependency to System.Text.Json v8.0.0 via Microsoft.Extensions.DependencyModel v8.0.0.

Microsoft just announced a set of CVEs in that version - https://github.com/advisories/GHSA-hh2w-p6rv-4g7w

This got flagged up by Mend in a project at work that uses Serilog.Settings.Configuration.

Microsoft have now released a version 8.0.1 of Microsoft.Extensions.DependencyModel which bumps the System.Text.Json dependency to 8.0.4, which has fixed the issue.

So - I'm wondering what thoughts are on updating the Microsoft.Extensions.DependencyModel dependency here to 8.0.1?
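The dependency chain described in the comment above (Serilog.Settings.Configuration -> Microsoft.Extensions.DependencyModel 8.0.0 -> System.Text.Json 8.0.0), and what a consuming project can do about it while waiting for the library to bump its reference, as an added csproj example. This is not a file from the Serilog.Settings.Configuration repository; the target framework and the Serilog.Settings.Configuration package version are assumptions, and the package versions 8.0.4 (System.Text.Json) and 8.0.1 (Microsoft.Extensions.DependencyModel) are the ones named in the issue.

```xml
<!-- Constructed consumer project, not part of Serilog.Settings.Configuration. -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Assumed target framework. -->
    <TargetFramework>net8.0</TargetFramework>

    <!-- NuGet audit during restore. The default mode "direct" only checks packages
         the project references itself, so it would not have reported System.Text.Json
         here; "all" also audits transitive packages. Audit warnings are NU1901 (low),
         NU1902 (moderate), NU1903 (high) and NU1904 (critical); promoting them to
         errors makes a vulnerable resolved graph fail the build instead of just
         showing up in an external scanner like Mend. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>low</NuGetAuditLevel>
    <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Assumed version of the library discussed in this issue. Its own reference to
         Microsoft.Extensions.DependencyModel 8.0.0 pulls System.Text.Json 8.0.0 into
         the consumer's graph transitively; nothing in this project references
         System.Text.Json directly. -->
    <PackageReference Include="Serilog.Settings.Configuration" Version="8.0.0" />

    <!-- Consumer-side mitigation until the library updates: NuGet resolves a direct
         reference ahead of a transitive one, so pinning the patched System.Text.Json
         replaces 8.0.0 in the resolved graph without waiting for an upstream release.
         Pinning Microsoft.Extensions.DependencyModel 8.0.1 directly instead would have
         the same effect, since that version already depends on System.Text.Json 8.0.4. -->
    <PackageReference Include="System.Text.Json" Version="8.0.4" />
  </ItemGroup>

</Project>
```

To confirm which version actually ends up in the graph, run `dotnet list package --include-transitive --vulnerable` in the project directory before and after adding the pin; it lists each affected package with its advisory and severity, and the System.Text.Json entry should disappear once 8.0.4 is resolved. Note that both the audit properties and that command need a package source that publishes vulnerability data (nuget.org does), so a private feed that mirrors packages without advisories will report nothing.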

nblumhardt commented 1 month ago

An update here would be welcome; thanks for flagging this @Numpsy :+1:

Numpsy commented 1 month ago

The 8.0.2 release has fixed the issue for me, so I'll close this one.