Issue
SendGrid.Extensions.DependencyInjection brings in packages Newtonsoft.Json v9.0.1 and starkbank-ecdsa v1.3.1, both of which contain vulnerabilities.
See GHSA-5crp-9r3c-p9vr and GHSA-j3jw-j2j8-2wv9.
Currently we have to circumvent this by manually including these packages with a higher version number.
<!-- These are only here because the base dependencies from SendGrid.Extensions.DependencyInjection contain vulnerabilities-->
<ItemGroup>
<PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
<PackageReference Include="starkbank-ecdsa" Version="1.3.3" />
</ItemGroup>
Reproduce
- Include NuGet package SendGrid.Extensions.DependencyInjection in your project.
- Compile
- Error NU1903 : Warning As Error: Package 'Newtonsoft.Json' 9.0.1 has a known high severity vulnerability, GHSA-5crp-9r3c-p9vr
Solution
The sendgrid client project imports the SendGrid project which has already been updated to Newtonsoft 13.0.1. All that needs to be done is to release a new package.
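A check that the workaround pins actually took effect, as an added example that is not part of the original issue or the SendGrid project: it reads the `targets` section of NuGet's `obj/project.assets.json` and reports any resolved package below the versions pinned above, together with the package that pulls it in. The sample fragment is constructed, and its dependency edges and `0.0.0` versions are assumptions for illustration.

```python
import json

# Minimum acceptable versions: the ones the issue pins as its workaround.
MIN_VERSIONS = {"Newtonsoft.Json": "13.0.3", "starkbank-ecdsa": "1.3.3"}

# Constructed project.assets.json fragment. The SendGrid versions (0.0.0) are
# placeholders and the dependency edges are assumed, not read from the real packages.
SAMPLE_ASSETS = json.loads("""
{"targets": {"net8.0": {
  "SendGrid.Extensions.DependencyInjection/0.0.0": {
    "type": "package", "dependencies": {"SendGrid": "0.0.0"}},
  "SendGrid/0.0.0": {
    "type": "package",
    "dependencies": {"Newtonsoft.Json": "9.0.1", "starkbank-ecdsa": "1.3.1"}},
  "Newtonsoft.Json/9.0.1": {"type": "package"},
  "starkbank-ecdsa/1.3.1": {"type": "package"}
}}}
""")


def parse_version(text):
    """Numeric part of a NuGet version; prerelease and build suffixes are ignored."""
    core = text.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def find_outdated(assets, minimums=MIN_VERSIONS):
    """Return (framework, package, resolved, minimum, pulled_in_by) per finding."""
    findings = []
    for framework, libs in assets["targets"].items():
        # Keys look like "Name/Version"; package IDs compare case-insensitively.
        resolved = {k.split("/", 1)[0].lower(): k.split("/", 1)[1] for k in libs}
        for name, minimum in minimums.items():
            version = resolved.get(name.lower())
            if version is None or parse_version(version) >= parse_version(minimum):
                continue
            parents = sorted(
                key.split("/", 1)[0]
                for key, info in libs.items()
                if name.lower() in {d.lower() for d in info.get("dependencies", {})}
            )
            findings.append((framework, name, version, minimum, parents))
    return findings


if __name__ == "__main__":
    for fw, name, version, minimum, parents in find_outdated(SAMPLE_ASSETS):
        source = ", ".join(parents) or "the project itself"
        print(f"{fw}: {name} {version} < {minimum} (pulled in by {source})")
```

An empty result after a restore means the direct `PackageReference` pins won over the transitive versions for every target framework.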