Open User8943242 opened 10 months ago
Hello @User8943242! Can you check your configuration file and confirm you have a bindingRedirect entry for Newtonsoft.Json? See this Stack Overflow answer for an example.
If this doesn't resolve this issue, can you provide the version of Newtonsoft.Json you are using and the exception details you are seeing?
Thanks. I'll check it out. Would it not be better for Stripe to use the latest version anyway for security?
Hi @User8943242 , this is something we are considering. As this would be a breaking change, we'll upgrade this dependency in the next major version.
Thanks.
FYI, in the meantime if anyone needs to downgrade their Newtonsoft.Json version to 9.0.1 for Stripe.net to work, there's a high severity vulnerability that can be mitigated by adding the following under the Application_Start of your Global.asax, as described here:
C#: JsonConvert.DefaultSettings = () => new JsonSerializerSettings { MaxDepth = 128 };
VB: JsonConvert.DefaultSettings = Function() New JsonSerializerSettings With {.MaxDepth = 128}
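One way to confirm the MaxDepth setting quoted above is in effect, added here as an example (it is not code from the thread or from Stripe.net). It assumes the issue being mitigated is deeply nested JSON, as in the advisory linked later in this thread; the class name `MaxDepthCheck`, the helpers `Nested` and `Rejected`, and the depth of 1000 are constructed for illustration.

```csharp
using System;
using System.IO;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

public static class MaxDepthCheck
{
    // Constructed sample input: `depth` nested JSON arrays, e.g. [[[ ]]].
    static string Nested(int depth) =>
        new string('[', depth) + new string(']', depth);

    // True when the parser refused the input with a JsonReaderException.
    static bool Rejected(Action parse)
    {
        try { parse(); return false; }
        catch (JsonReaderException) { return true; }
    }

    public static void Main()
    {
        // The mitigation from the comment (normally placed in Application_Start).
        JsonConvert.DefaultSettings =
            () => new JsonSerializerSettings { MaxDepth = 128 };

        string shallow = Nested(100);  // under the limit
        string deep = Nested(1000);    // well over the limit

        // JsonConvert methods pick up DefaultSettings automatically.
        Console.WriteLine("JsonConvert, shallow rejected: " +
            Rejected(() => JsonConvert.DeserializeObject<JToken>(shallow)));
        Console.WriteLine("JsonConvert, deep rejected:    " +
            Rejected(() => JsonConvert.DeserializeObject<JToken>(deep)));

        // DefaultSettings is not consulted by JToken.Parse or by a serializer
        // built with JsonSerializer.Create(); on those code paths, set the
        // limit on the reader itself.
        Console.WriteLine("Explicit reader, deep rejected: " +
            Rejected(() =>
            {
                using (var reader = new JsonTextReader(new StringReader(deep)))
                {
                    reader.MaxDepth = 128;
                    JToken.ReadFrom(reader);
                }
            }));
    }
}
```

Running this once against the exact Newtonsoft.Json assembly your bindingRedirect resolves to shows whether the limit is being enforced in the deployed process.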
We definitely need a System.Text.Json version of Stripe.net.
NOTE: The current 'Newtonsoft.Json' 12.0.3 release also has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr
This prevents building the project in the latest Visual Studio preview (which treats transient dependency vulnerabilities as errors).
CC: @anniel-stripe
Thanks for reporting this, @iamcarbon. We will be picking this up next month for sure.
Meanwhile, does the bindingRedirect solution @anniel-stripe mentioned above help in your case?
Quick update here: we are planning to upgrade Json.NET to 13.0.3 as part of our next release.
Regarding the vulnerability, we actually mitigated this in our default serializer settings in v40.2.0 of the SDK (https://github.com/stripe/stripe-dotnet/releases/tag/v40.2.0). If you are unable to upgrade to the next release of the SDK (when it is available), as long as you are using v40.2.0 or later of the SDK, you should be protected from this vulnerability.
The PR for this issue https://github.com/stripe/stripe-dotnet/pull/2930 has been merged and will be included in our 9/30 release.
Describe the bug
This is compiled using an old version of Newtonsoft.Json. When I download the NuGet package it says it needs version 9.0.0.0. I need to use this in a project which has a new version.
To Reproduce
Install via nuget compile
Expected behavior
I expected it to use the latest or near latest version of Newtonsoft.Json.
Code snippets
No response
OS
iis
.NET version
.NET framework 4.6.1
Library version
current
API version
current
Additional context
No response