
After creating a Worker service project, "System.Text.Json" 8.0.0 was referenced and identified as a vulnerable package #105120

@v-bennettyue

Description

Repro steps

  1. dotnet new worker
  2. Open project in Visual Studio
  3. Right-click project > Manage NuGet Packages

Expected results

The project shouldn't have vulnerability warnings

Actual results

Check the 'Show only vulnerable' checkbox, then you can see that the warning is because the following packages have a dependency on System.Text.Json 8.0.0, which has been detected as a vulnerable package.

Original issue

INSTALL STEPS

  1. Clean machine: Win11 x64 23h2 ENU
  2. Install Dev17.10.4 (Include Aspire 8.0.0) latest release build
    • Web workload

REPRO STEPS

  1. File > New project > .NET Aspire App Host > .NET 8.0 > Create
  2. Right-click project > Manage NuGet Packages

ACTUAL
Check the 'Show only vulnerable' checkbox, then you can see that the warning is because the following packages have a dependency on System.Text.Json 8.0.0, which has been detected as a vulnerable package:
Aspire.Hosting.AppHost "Version=" 8.0.0

NOTE:

  1. This issue can be reproduced in any Aspire project or in a project with Aspire
  2. This issue also reproduces on Dev17.10 + Aspire 8.0.2/8.1 and Dev17.11 + Aspire 8.0.2/8.1

EXPECTED
The packages should be updated to depend on a newer version of System.Text.Json that is not vulnerable.

Labels

  • area-Extensions-Hosting
  • in-pr (There is an active PR which will close this issue when it is merged)
