Please update your dependencies - warnings for vulnerable dependencies as well as downgraded assemblies #2884

@ericstj

Description

Vulnerability

When using the latest version of Microsoft.AspNet.OData, a very old and vulnerable version of Newtonsoft.Json is referenced.

 Package 'Newtonsoft.Json' 6.0.4 has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr

Downgrade

Also, when building, I get a warning about a downgrade of Newtonsoft.Json:

    C:\Program Files\dotnet\sdk\9.0.305\Microsoft.Common.CurrentVersion.targets(2433,5): warning MSB3277:
      Found conflicts between different versions of "Newtonsoft.Json" that could not be resolved.
      There was a conflict between "Newtonsoft.Json, Version=6.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed" and "Newtonsoft.Json, Version=13.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed".
          "Newtonsoft.Json, Version=6.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed" was chosen because it was primary and "Newtonsoft.Json, Version=13.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed" was not.
          References which depend on "Newtonsoft.Json, Version=6.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed" [C:\Users\ericstj\.nuget\packages\newtonsoft.json\6.0.4\lib\net45\Newtonsoft.Json.dll].
              C:\Users\ericstj\.nuget\packages\newtonsoft.json\6.0.4\lib\net45\Newtonsoft.Json.dll
                Project file item includes which caused reference "C:\Users\ericstj\.nuget\packages\newtonsoft.json\6.0.4\lib\net45\Newtonsoft.Json.dll".
                  C:\Users\ericstj\.nuget\packages\newtonsoft.json\6.0.4\lib\net45\Newtonsoft.Json.dll
          References which depend on or have been unified to "Newtonsoft.Json, Version=13.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed" [].
              C:\Users\ericstj\.nuget\packages\microsoft.aspnet.odata\7.7.9\lib\net45\Microsoft.AspNet.OData.dll
                Project file item includes which caused reference "C:\Users\ericstj\.nuget\packages\microsoft.aspnet.odata\7.7.9\lib\net45\Microsoft.AspNet.OData.dll".
                  C:\Users\ericstj\.nuget\packages\microsoft.aspnet.odata\7.7.9\lib\net45\Microsoft.AspNet.OData.dll
              C:\Users\ericstj\.nuget\packages\microsoft.aspnet.webapi.client\5.2.2\lib\net45\System.Net.Http.Formatting.dll
                Project file item includes which caused reference "C:\Users\ericstj\.nuget\packages\microsoft.aspnet.webapi.client\5.2.2\lib\net45\System.Net.Http.Formatting.dll".
                  C:\Users\ericstj\.nuget\packages\microsoft.aspnet.webapi.client\5.2.2\lib\net45\System.Net.Http.Formatting.dll
                  C:\Users\ericstj\.nuget\packages\microsoft.aspnet.odata\7.7.9\lib\net45\Microsoft.AspNet.OData.dll
                  C:\Users\ericstj\.nuget\packages\microsoft.aspnet.webapi.core\5.2.2\lib\net45\System.Web.Http.dll
              C:\Users\ericstj\.nuget\packages\microsoft.aspnet.webapi.core\5.2.2\lib\net45\System.Web.Http.dll
                Project file item includes which caused reference "C:\Users\ericstj\.nuget\packages\microsoft.aspnet.webapi.core\5.2.2\lib\net45\System.Web.Http.dll".
                  C:\Users\ericstj\.nuget\packages\microsoft.aspnet.webapi.core\5.2.2\lib\net45\System.Web.Http.dll
                  C:\Users\ericstj\.nuget\packages\microsoft.aspnet.odata\7.7.9\lib\net45\Microsoft.AspNet.OData.dll

Analysis

If I examine these dependencies with a ref scanner tool, I can see the problem as well.

refscanner assembly Newtonsoft.Json --path bin\Debug\net48\
All done (19 assemblies scanned in 0:00:00.0998627, or 170 assemblies per second)!
The Newtonsoft.Json assembly is referenced as follows:
6.0.0.0
        System.Net.Http.Formatting.dll
        System.Web.Http.dll

13.0.0.0
        Microsoft.AspNet.OData.dll

So Microsoft.AspNet.OData.dll itself already builds against a higher version of Newtonsoft.Json than its package references. This is happening because this project authors its own nuspec, which differs from its actual build.

<Reference Include="Newtonsoft.Json, Version=13.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed, processorArchitecture=MSIL">
<HintPath>..\..\sln\packages\Newtonsoft.Json.13.0.1\lib\net45\Newtonsoft.Json.dll</HintPath>
<Private>True</Private>
</Reference>

<dependencies>
<dependency id="Microsoft.AspNet.WebApi.Client" version="$AspNetPackageDependency$" />
<dependency id="Microsoft.AspNet.WebApi.Core" version="$AspNetPackageDependency$" />
<dependency id="Microsoft.Extensions.DependencyInjection.Abstractions" version="$DependencyInjection1PackageDependency$" />
<dependency id="Microsoft.Extensions.DependencyInjection" version="$DependencyInjection1PackageDependency$" />
<dependency id="Microsoft.OData.Core" version="$ODataLibPackageDependency$" />
</dependencies>

This ancient version of Newtonsoft.Json is brought in by Microsoft.AspNet.WebApi.Client.

Workaround

A newer version of Microsoft.AspNet.WebApi.Client exists which does not have this old dependency.

    <PackageReference Include="Microsoft.AspNet.WebApi.Client" Version="6.0.0" />

Proposed fix

I think you should update your reference to use this new version. You should also consider adding a direct reference to avoid this mismatch in the future.

<AspNetPackageDependency>5.2.2</AspNetPackageDependency>

A better fix would be to also stop using your hand-authored nuspec, and instead run pack on your csproj.

cc @danroth27
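An added example, not part of the original issue and not the refscanner tool's own code: a small C# program built on System.Reflection.Metadata that walks a build output folder and groups every AssemblyRef to a given assembly name by referenced version and public key token. Run against bin\Debug\net48\ it reproduces the check above, showing that System.Web.Http.dll and System.Net.Http.Formatting.dll bind to Newtonsoft.Json 6.0.0.0 while Microsoft.AspNet.OData.dll binds to 13.0.0.0. The folder path and target name are command-line arguments and are assumptions, as is the .NET 5+ target (for Convert.ToHexString).

```csharp
// Added example (not the issue author's code and not refscanner): list which managed
// assemblies in a folder reference a target assembly, grouped by the referenced identity.
// Assumes .NET 5+; <folder> and <assemblyName> are supplied on the command line.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Reflection.Metadata;
using System.Reflection.PortableExecutable;
using System.Security.Cryptography;

public static class AssemblyRefScanner
{
    // Maps "Version, PublicKeyToken=..." -> assemblies in 'dir' that reference 'target' at that identity.
    public static SortedDictionary<string, List<string>> Scan(string dir, string target)
    {
        var result = new SortedDictionary<string, List<string>>(StringComparer.Ordinal);
        foreach (var file in Directory.EnumerateFiles(dir, "*.dll"))
        {
            using var stream = File.OpenRead(file);
            using var pe = new PEReader(stream);
            if (!pe.HasMetadata) continue;               // native DLLs carry no CLI metadata
            var md = pe.GetMetadataReader();
            foreach (var handle in md.AssemblyReferences)
            {
                var aref = md.GetAssemblyReference(handle);
                var name = md.GetString(aref.Name);
                if (!string.Equals(name, target, StringComparison.OrdinalIgnoreCase)) continue;
                var key = $"{aref.Version}, PublicKeyToken={TokenHex(md, aref)}";
                if (!result.TryGetValue(key, out var list)) result[key] = list = new List<string>();
                list.Add(Path.GetFileName(file));
            }
        }
        return result;
    }

    // An AssemblyRef may carry the full public key or just the 8-byte token; normalise to the token
    // (last 8 bytes of SHA-1 over the key, reversed) so both forms compare equal.
    static string TokenHex(MetadataReader md, AssemblyReference aref)
    {
        if (aref.PublicKeyOrToken.IsNil) return "null";
        var bytes = md.GetBlobBytes(aref.PublicKeyOrToken);
        if ((aref.Flags & AssemblyFlags.PublicKey) != 0)
        {
            var hash = SHA1.HashData(bytes);
            bytes = hash.Skip(hash.Length - 8).Reverse().ToArray();
        }
        return Convert.ToHexString(bytes).ToLowerInvariant();
    }

    public static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: AssemblyRefScanner <folder> <assemblyName>");
            return 2;
        }
        var groups = Scan(args[0], args[1]);
        foreach (var (identity, referrers) in groups)
        {
            Console.WriteLine(identity);
            foreach (var r in referrers) Console.WriteLine($"        {r}");
        }
        // More than one distinct identity means MSBuild has to unify at build time, which is exactly
        // the situation that produced MSB3277 and the 13.0.0.0 -> 6.0.0.0 downgrade above.
        return groups.Count > 1 ? 1 : 0;
    }
}
```

The non-zero exit code when more than one identity is found makes this usable as a CI gate: run it over the publish folder and fail the build on any assembly that is referenced at two versions, rather than relying on a warning that is easy to miss in the log.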
