Replies: 2 comments
This was actually fixed by #106172
There have already been some issues regarding transitive dependencies to the vulnerable System.Text.Json 8.0.0 (e.g. #104619, #104705, #104669).
My question is: since System.Text.Json is shipped inbox with .NET itself, why do e.g. net8.0 targeted assemblies even depend on the System.Text.Json package? Is there a technical reason for this?
Removing the dependency altogether would avoid a lot of false positives from NuGet audit and avoid the chore of keeping the package up-to-date.
Some affected packages that we noticed in our project (I assume there are a lot more):
Microsoft.Extensions.Logging.Console
Microsoft.Extensions.Configuration.Json
System.Memory.Data