[QUERY] Azure.Security.KeyVault.Secrets - latest Package uses outdated System.Text.Json 6.0.10 #48219
Comments
github-actions
bot
added
Client
|
Thank you for your feedback. Tagging and routing to the team member best able to assist. |
|
Hi @oliverabrahamserrala. There is no vulnerability in the 6.0.10 version of The Azure SDK packages are currently based on the 6.x line of BCL dependency packages, by design. Our dependencies are managed very deliberately, as we have a need to maintain compatibility across a wide variety of runtime environments, some of which have strict requirements. For example, Azure Functions and Azure PowerShell both have built-in package sets with versions we cannot exceed. We are in the process of migrating to the 8.x line, which requires extensive testing, so not likely to hit until at least April. We have no plans to move to the 9.x range, as we align with the packages from the latest LTS. That all said, the version of System.Text.Json referenced by the Azure SDK packages does not constrain the version that you're able to use. By taking a direct reference to |
jsquire
added
the
issue-addressed
|
Hi @oliverabrahamserrala. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation. |
github-actions
bot
removed
the
needs-team-attention
Library name and version
Azure.Security.KeyVault.Secrets
Query/Question
Mend reports System.Text.Json having a known vulnerability [CVE-2024-43485].
Can you please update to the latest version?
Environment
No response
The text was updated successfully, but these errors were encountered: