
SendGrid.Extensions.DependencyInjection brings in packages with vulnerabilities. #1218

@Joren-Thijs-KasparSolutions

Description

Issue
SendGrid.Extensions.DependencyInjection brings in the packages Newtonsoft.Json v9.0.1 and starkbank-ecdsa v1.3.1, both of which contain vulnerabilities.

See GHSA-5crp-9r3c-p9vr
and GHSA-j3jw-j2j8-2wv9

Currently we have to circumvent this by manually including these packages with a higher version number.

<!--  These are only here because the base dependencies from SendGrid.Extensions.DependencyInjection contain vulnerabilities-->
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="starkbank-ecdsa" Version="1.3.3" />
  </ItemGroup>

Reproduce

  • Include the NuGet package SendGrid.Extensions.DependencyInjection in your project.
  • Compile
  • Error NU1903 : Warning As Error: Package 'Newtonsoft.Json' 9.0.1 has a known high severity vulnerability, GHSA-5crp-9r3c-p9vr

Solution
The sendgrid client project imports the SendGrid project which has already been updated to Newtonsoft 13.0.1. All that needs to be done is to release a new package.
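As an added illustration (not part of this issue or of the SendGrid project), a minimal csproj showing how NuGet's audit settings turn a vulnerable transitive package into a build failure at restore time, and how the direct pins from the workaround above override the transitive versions until a fixed SendGrid.Extensions.DependencyInjection is released. The SendGrid package version and target framework are placeholders, not values from the issue.

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <!-- Placeholder target framework; use the one your project targets. -->
    <TargetFramework>net8.0</TargetFramework>

    <!-- NuGet audit (NuGet 6.8+ / .NET 8 SDK) checks restored packages against the
         GitHub Advisory Database. Mode "all" also covers transitive packages, which is
         what catches Newtonsoft.Json 9.0.1 pulled in by SendGrid.Extensions.DependencyInjection. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>low</NuGetAuditLevel>

    <!-- Promote the audit warnings to errors so CI fails instead of shipping silently.
         NU1901 = low, NU1902 = moderate, NU1903 = high, NU1904 = critical severity. -->
    <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Placeholder version; pin the release you actually depend on. -->
    <PackageReference Include="SendGrid.Extensions.DependencyInjection" Version="X.Y.Z" />
  </ItemGroup>

  <!-- Workaround until upstream ships a fixed package: a direct PackageReference takes
       precedence over the transitive requirement as long as it satisfies it, so restore
       resolves the patched versions and the NU1903 error disappears. Remove once the
       SendGrid package itself references the patched versions. -->
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="starkbank-ecdsa" Version="1.3.3" />
  </ItemGroup>

</Project>
```

To confirm what the audit flags before and after adding the pins, run `dotnet list package --vulnerable --include-transitive` in the project directory.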
