
[flagd] Brings vulnerable version of Newtonsoft.Json #316

Open
Kielek opened this issue Mar 6, 2025 · 1 comment
Labels
security security related bugs/tasks

Comments


Kielek commented Mar 6, 2025

Flagd is referencing JsonLogic.Net v 1.11.1.

https://github.com/open-feature/dotnet-sdk-contrib/blob/9ae74e646da868eed4931e506841d651023c31d2/src/OpenFeature.Contrib.Providers.Flagd/OpenFeature.Contrib.Providers.Flagd.csproj#L25C32-L25C45

It brings in a known vulnerable dependency, Newtonsoft.Json 9.0.1.

Potential solutions:

  1. Fix and release: Bump Newtonsoft.Json to 9.0.1 and release new version MaxHayman/JsonLogic.Net#1 then bump package here
  2. Directly reference Newtonsoft.Json 13.0.3 and verify if it is compatible with 9.0.1
  3. Drop/replace reference to JsonLogic.Net
@beeme1mr beeme1mr added the security security related bugs/tasks label Mar 6, 2025
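Option 2 in MSBuild terms, as an added illustration that is not part of this issue or of the project's own csproj (package versions are the ones named in the issue; the property names are standard NuGet PackageReference syntax):

```xml
<ItemGroup>
  <!-- Transitive path: JsonLogic.Net 1.11.1 declares a dependency on Newtonsoft.Json 9.0.1 -->
  <PackageReference Include="JsonLogic.Net" Version="1.11.1" />

  <!-- Direct reference to a patched version. NuGet's nearest-wins rule makes a direct
       reference win over the transitive one, so the resolved graph contains 13.0.3,
       not 9.0.1. This only holds if JsonLogic.Net's binding works against 13.x, which
       the issue asks to verify. -->
  <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
</ItemGroup>
```

After `dotnet restore`, `dotnet list package --vulnerable --include-transitive` shows whether Newtonsoft.Json 9.0.1 still appears anywhere in the resolved graph.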
@toddbaert
Member

toddbaert commented Apr 5, 2025

I think we can go path 3 and migrate to the implementation in https://github.com/json-everything/json-everything/ . The author is a contributor along with me to the upcoming JSONLogic spec.

I'll take a stab at this next week unless @askpt is interested in taking a shot at it.
