
Update version for AspNetPackageDependency to resolve issue #2884 #2886

Open
marabooy wants to merge 2 commits into master from marabooy/update-webstack-aspnet-package-dependency

Conversation

@marabooy

Member

Updates dependency AspNetPackageDependency to resolve issue #2884

Description

https://www.nuget.org/packages/Microsoft.AspNet.WebApi.Client/5.2.2 pins a Newtonsoft.Json version that is vulnerable. Although we require a newer package >= 13.0.0, some users can download the vulnerable version.

The dependencies of these two versions should be compatible with our code.

## New Package (6.0.0)

- .NETFramework 4.5
  - Newtonsoft.Json (>= 13.0.1)
  - Newtonsoft.Json.Bson (>= 1.0.2)
  - System.Memory (>= 4.5.5)
  - System.Threading.Tasks.Extensions (>= 4.5.4)
- .NETStandard 1.3
  - Microsoft.Net.Http (>= 2.2.22)
  - Newtonsoft.Json (>= 13.0.1)
  - Newtonsoft.Json.Bson (>= 1.0.2)
  - System.Collections.Specialized (>= 4.3.0)
  - System.ComponentModel.EventBasedAsync (>= 4.3.0)
  - System.Data.Common (>= 4.3.0)
  - System.Diagnostics.Contracts (>= 4.3.0)
  - System.Memory (>= 4.5.5)
  - System.Runtime.Serialization.Json (>= 4.3.0)
  - System.Runtime.Serialization.Xml (>= 4.3.0)
  - System.Threading.Tasks.Extensions (>= 4.5.4)
- .NETStandard 2.0
  - Newtonsoft.Json (>= 13.0.1)
  - Newtonsoft.Json.Bson (>= 1.0.2)
  - System.Memory (>= 4.5.5)
  - System.Threading.Tasks.Extensions (>= 4.5.4)

## Old Package (5.2.2)

- .NETFramework 4.5
  - Newtonsoft.Json (>= 6.0.4)
- Portable Class Library (.NETFramework 4.5, .NETCore 4.5, WindowsPhone 8.0, WindowsPhone 8.1, WindowsPhoneApp 8.1)
  - Microsoft.Net.Http (>= 2.2.22)
  - Newtonsoft.Json (>= 6.0.4)

Checklist (Uncheck if it is not completed)
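
An added example, not part of the pull request or the OData code base: a check over a project's `packages.lock.json` that reports every target framework where Newtonsoft.Json resolved below the 13.0.1 floor listed for the 6.0.0 package, together with the packages that declare it. The lock file content is constructed, and using 13.0.1 as the threshold is an assumption taken from the dependency list in the description.

```python
import json

FLOOR = "13.0.1"  # assumption: the Newtonsoft.Json floor listed for the 6.0.0 package

# Constructed lock file in the packages.lock.json layout (contentHash omitted).
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        ".NETFramework,Version=v4.5": {
            "Microsoft.AspNet.WebApi.Client": {
                "type": "Direct", "requested": "[5.2.2, )", "resolved": "5.2.2",
                "dependencies": {"Newtonsoft.Json": "6.0.4"}},
            "Newtonsoft.Json": {"type": "Transitive", "resolved": "6.0.4"},
        },
        ".NETStandard,Version=v2.0": {
            "Microsoft.AspNet.WebApi.Client": {
                "type": "Direct", "requested": "[6.0.0, )", "resolved": "6.0.0",
                "dependencies": {"Newtonsoft.Json": "13.0.1"}},
            "Newtonsoft.Json": {"type": "Transitive", "resolved": "13.0.1"},
        },
    },
})


def parse_version(text):
    """'6.0.4' -> (6, 0, 4, 1); a prerelease such as '13.0.1-beta1' sorts below its release."""
    core, _, prerelease = text.split("+", 1)[0].partition("-")
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)) + [0 if prerelease else 1])


def find_below_floor(lock_text, package="Newtonsoft.Json", floor=FLOOR):
    """Return (framework, resolved, parents) for each target whose resolved version is under floor."""
    wanted, findings = package.lower(), []
    for framework, deps in json.loads(lock_text).get("dependencies", {}).items():
        entry = next((v for k, v in deps.items() if k.lower() == wanted), None)
        if entry is None or parse_version(entry["resolved"]) >= parse_version(floor):
            continue
        # Packages in this target that declare the dependency, i.e. what pulls it in.
        parents = sorted(name for name, info in deps.items()
                         if any(d.lower() == wanted for d in info.get("dependencies", {})))
        findings.append((framework, entry["resolved"], parents))
    return findings


if __name__ == "__main__":
    for framework, resolved, parents in find_below_floor(SAMPLE_LOCK):
        print(f"{framework}: Newtonsoft.Json {resolved} < {FLOOR}, via {', '.join(parents)}")
```

Run against a real lock file by passing its text to `find_below_floor`; a non-empty result is a build-gate failure candidate.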

@marabooy

Member Author

/AzurePipelines run

@azure-pipelines

No pipelines are associated with this pull request.

@marabooy

Member Author

/AzurePipelines run OData-WebApi7-rolling-1ES

@azure-pipelines

No pipelines are associated with this pull request.

)

---
updated-dependencies:
- dependency-name: Microsoft.AspNetCore.Server.Kestrel.Core
  dependency-version: 2.3.6
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
WanjohiSammy previously approved these changes Oct 22, 2025

@xuzhg dismissed WanjohiSammy’s stale review May 29, 2026 00:48

The merge-base changed after approval.

@xuzhg force-pushed the marabooy/update-webstack-aspnet-package-dependency branch from 546a971 to 5b10c2e May 29, 2026 01:05