Unneeded(?) dependencies on System.Text.Json package #105014

mus65 · 2024-07-17T08:16:39Z

mus65
Jul 17, 2024

There have already been some issues regarding transitive dependencies to the the vulnerable System.Text.Json 8.0.0 (e.g.#104619, #104705, #104669).

My question is: since System.Text.Json is shipped inbox with .NET itself, why do e.g. net8.0 targeted assemblies even depend on the System.Text.Json package? Is there a technical reason for this?

Removing the dependency altogether would avoid a lot of false positives from NuGet audit and avoid the chore of keeping the package up-to-date.

Some affected packages that we noticed in our project (I assume there are a lot more):

Microsoft.Extensions.Logging.Console
Microsoft.Extensions.Configuration.Json
System.Memory.Data

huoyaoyuan · 2024-07-30T06:34:03Z

huoyaoyuan
Jul 30, 2024
Collaborator

See #95626 and #97937

0 replies

mus65 · 2024-10-26T09:56:44Z

mus65
Oct 26, 2024
Author

This was actually fixed by #106172

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Unneeded(?) dependencies on System.Text.Json package #105014

{{title}}

Replies: 2 comments

{{title}}

{{title}}

Select a reply

Unneeded(?) dependencies on System.Text.Json package #105014

mus65 Jul 17, 2024

Replies: 2 comments

huoyaoyuan Jul 30, 2024 Collaborator

mus65 Oct 26, 2024 Author

mus65
Jul 17, 2024

huoyaoyuan
Jul 30, 2024
Collaborator

mus65
Oct 26, 2024
Author