stripe / stripe-dotnet

Stripe.net is a sync/async .NET 4.6.1+ client, and a portable class library for stripe.com.
Apache License 2.0
1.36k stars 570 forks

This is compiled using an old version of Newtonsoft.Json #2800

Open User8943242 opened 10 months ago

User8943242 commented 10 months ago

Describe the bug

This is compiled using an old version of Newtonsoft.Json. When I download the NuGet package it says it needs version 9.0.0.0. I need to use this in a project which has a newer version.

To Reproduce

Install via nuget compile

Expected behavior

I expected it to use the latest or near-latest version of Newtonsoft.Json.

Code snippets

No response

OS

iis

.NET version

.NET framework 4.6.1

Library version

current

API version

current

Additional context

No response

anniel-stripe commented 10 months ago

Hello @User8943242! Can you check your configuration file and confirm you have a bindingRedirect entry for Newtonsoft.Json? See this Stack Overflow answer for an example.

If this doesn't resolve this issue, can you provide the version of Newtonsoft.Json you are using and the exception details you are seeing?

User8943242 commented 10 months ago

Thanks. I'll check it out. Would it not be better for Stripe to use the latest version anyway for security?

anniel-stripe commented 9 months ago

Hi @User8943242 , this is something we are considering. As this would be a breaking change, we'll upgrade this dependency in the next major version.

User8943242 commented 9 months ago

> Hi @User8943242 , this is something we are considering. As this would be a breaking change, we'll upgrade this dependency in the next major version.

Thanks.

equinoxe3d commented 7 months ago

FYI, in the meantime, if anyone needs to downgrade their Newtonsoft.Json version to 9.0.1 for Stripe.net to work, there's a high severity vulnerability that can be mitigated by adding the following under the Application_Start of your Global.asax, as described here:

C#:

```csharp
JsonConvert.DefaultSettings = () => new JsonSerializerSettings { MaxDepth = 128 };
```

VB:

```vb
JsonConvert.DefaultSettings = Function() New JsonSerializerSettings With {.MaxDepth = 128}
```
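As an added illustration (this is not code from the thread or from Stripe.net), the following C# console program shows what the `MaxDepth` setting above actually does: a deeply nested document is rejected with a `JsonReaderException` at the configured limit, before the reader recurses any further. It assumes a project that references the `Newtonsoft.Json` NuGet package; the nesting depths and the `NestedArrays` helper are constructed for the demo.

```csharp
using System;
using System.IO;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

// Added example, not Stripe.net code: demonstrates the MaxDepth mitigation
// from the comment above against a constructed, deeply nested JSON payload.
public static class MaxDepthDemo
{
    // Build a document nested 'depth' arrays deep, e.g. "[[[ ... ]]]".
    // This is a constructed sample input, not a captured payload.
    public static string NestedArrays(int depth)
    {
        return new string('[', depth) + new string(']', depth);
    }

    // Parse with an explicit depth limit on the reader (the same effect
    // JsonConvert.DefaultSettings / JsonSerializerSettings.MaxDepth has
    // on the serializer). Returns true when the document was accepted,
    // false when the reader stopped at the limit.
    public static bool TryParseWithLimit(string json, int maxDepth, out string error)
    {
        using (var reader = new JsonTextReader(new StringReader(json)) { MaxDepth = maxDepth })
        {
            try
            {
                JToken.ReadFrom(reader);
                error = null;
                return true;
            }
            catch (JsonReaderException ex)
            {
                // Message reads like: "The reader's MaxDepth of 128 has been exceeded. ..."
                error = ex.Message;
                return false;
            }
        }
    }

    public static void Main()
    {
        // Global default, exactly as the comment above applies it in Application_Start.
        // Every JsonConvert call that does not pass its own settings now inherits it.
        JsonConvert.DefaultSettings = () => new JsonSerializerSettings { MaxDepth = 128 };

        string normal  = NestedArrays(50);      // well within the limit
        string hostile = NestedArrays(100_000); // constructed over-deep payload

        string err;
        Console.WriteLine("depth 50 accepted:      " + TryParseWithLimit(normal, 128, out err));
        Console.WriteLine("depth 100000 accepted:  " + TryParseWithLimit(hostile, 128, out err));
        Console.WriteLine("reason:                 " + err);

        // The global default is honoured by the convenience API as well:
        try
        {
            JsonConvert.DeserializeObject<JToken>(hostile);
            Console.WriteLine("DeserializeObject accepted the hostile payload (limit not applied)");
        }
        catch (JsonReaderException ex)
        {
            Console.WriteLine("DeserializeObject rejected it: " + ex.Message);
        }
    }
}
```

The value 128 is the one the comment uses; pick the smallest depth your own documents legitimately need, since the limit is the only thing standing between the reader and unbounded recursion on affected Newtonsoft.Json releases.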

ismkdc commented 7 months ago

We definitely need system.text.json version of stripe.net

iamcarbon commented 1 month ago

NOTE: The current 'Newtonsoft.Json' 12.0.3 release also has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr

This prevents building the project in the latest Visual Studio preview (which treats transient dependency vulnerabilities as errors).

CC: @anniel-stripe

ramya-stripe commented 1 month ago

Thanks for reporting this @iamcarbon. We will be picking this up next month for sure.

Meanwhile, does the bindingRedirect solution @anniel-stripe mentioned above help in your case?

jar-stripe commented 3 days ago

Quick update here: we are planning to upgrade Json.NET to 13.0.3 as part of our next release.

Regarding the vulnerability, we actually mitigated this in our default serializer settings in v40.2.0 of the SDK (https://github.com/stripe/stripe-dotnet/releases/tag/v40.2.0). If you are unable to upgrade to the next release of the SDK (when it is available), as long as you are using v40.2.0 or later of the SDK, you should be protected from this vulnerability.

jar-stripe commented 2 days ago

The PR for this issue https://github.com/stripe/stripe-dotnet/pull/2930 has been merged and will be included in our 9/30 release.