Microsoft.Azure.Cosmos.Table 1.0.5 brings in Newtonsoft 10.x, and Linqpad 7 pops up a Warning

[Noctis-]

The specific warning is :

Warning: LINQPad has identified the following vulnerabilties in NuGet package Newtonsoft.Json 10.0.2:

Level 2 (High): https://github.com/advisories/GHSA-5crp-9r3c-p9vr
Try updating NuGet packages to latest. You can suppress this warning in Edit | Preferences > Advanced > Execution.

I've tried pulling the code and updating newtonsoft to version 13, but, i have no idea how to build / publish / test this :(

There's a newer version of the Microsoft.Azure.Cosmos.Table (1.0.8) , which it fails to install (doubt it'll fix the issue though, as that vulnerability was fixed in the newtosoft v 13, which was released in Mach '21, and the 1.0.8 was done in august '20).

The whole Microsoft.Azure.Cosmos.Table is deprecated as well ...
not sure if it's an easy fix, or worth fixing, but figured i'll post it in case you do want to give it a go .

(oh, and cheers for you work BTW, regardless 🙏 )

[madd0]

@Noctis- thanks for the heads up. I'll look into it.

[Noctis-]

Legend. Cheers

…

On Wed, 12 Oct 2022, 18:24 Mauricio Díaz Orlich, ***@***.***> wrote: @Noctis- <https://github.com/Noctis-> thanks for the heads up. I'll look into it. — Reply to this email directly, view it on GitHub <#22 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABO76C3PT3CXA5BH2SSIS3LWCZYSJANCNFSM6AAAAAARC3YL3E> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[Noctis-]

Any thoughts / updates ? (asking from pure curiosity, as i've seen something about forcing a newer version of a package by including it in the csproj. I tried doing it, but i have no idea how to make linqpad use the dll, as it only accepts linqpad drivers and stuff)

[madd0]

Hi,
I looked into it (just now 😅) and the short-term work-around is simply reference a more recent version of Json.NET in your query's references and properties (F4).
I'll look into updating the Nuget package so that it includes a version without the vulnerability, but it looks like I'm quite a bit behind, so there's a bit of work before I can publish that.
I'll keep the issue open while I work on it.

[Noctis-]

No worries, thanks for the update!

…

On Sun, 13 Nov 2022, 22:21 Mauricio Díaz Orlich, ***@***.***> wrote: Hi, I looked into it (just now 😅) and the short-term work-around is simply reference a more recent version of Json.NET in your query's references and properties (F4). I'll look into updating the Nuget package so that it includes a version without the vulnerability, but it looks like I'm quite a bit behind, so there's a bit of work before I can publish that. I'll keep the issue open while I work on it. — Reply to this email directly, view it on GitHub <#22 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABO76CYO2PUNRTIBBUP3JH3WIDMLXANCNFSM6AAAAAARC3YL3E> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[madd0]

v2.1.2 has been published to Nuget, it includes the latest version of Json.Net

Thanks

[Noctis-]

Thank you!

…

On Mon, Nov 14, 2022 at 12:13 AM Mauricio Díaz Orlich < ***@***.***> wrote: Closed #22 <#22> as completed. — Reply to this email directly, view it on GitHub <#22 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABO76C5UONLWOPNZCEKV25LWIDZQDANCNFSM6AAAAAARC3YL3E> . You are receiving this because you were mentioned.Message ID: ***@***.***>