when is the Newtonsoft v10.0.2 going to be updated in Microsoft.Azure.Cosmos v3.42. this version of newtonsoft has security vulnerablities

Question

when is the Newtonsoft v10.0.2 going to be updated in Microsoft.Azure.Cosmos v3.42. this version of newtonsoft has security vulnerablities

Scott F 15

it's simple:

when is the Newtonsoft v10.0.2 going to be updated in Microsoft.Azure.Cosmos v3.42. this version of newtonsoft has security vulnerablities and i cannot find any information on when this Newtonsoft vulnerability will be addressed?

https://www.nuget.org/packages/Microsoft.Azure.Cosmos#dependencies-body-tab
https://www.nuget.org/packages/Newtonsoft.Json/10.0.2

Oury Ba-MSFT 21,156 Reputation points Microsoft Employee Moderator

2024-08-27T16:25:54.7766667+00:00

@Scott F Thank you for reaching out.

Customers are welcome to add a direct dependency to a newer version of Newtonsoft to lift it, and then test to ensure that you are not affected by the breaking changes.
Scott F 15 Reputation points

2024-08-27T17:51:43.19+00:00

we aren't using Newtonsoft at all in our implementation, we are using system.text.json. but the vulnerable package version is an implicit reference and it shows up in static code scans as a vulnerability. i don't want newtonsoft in the application at all, but if i'm forced to include it because i need the cosmos package, it can't be a vulnerable version. none of the suggestions here help me out. unless i can update the implicit reference (i don't think that is possible), my application is carrying a vulnerable package that my company does not want deployed.

any alternative suggestions?
Oury Ba-MSFT 21,156 Reputation points Microsoft Employee Moderator

2024-08-28T20:00:10.8533333+00:00

@Scott F Thank you for getting back to me.

We would suggest forcing your application to deploy a newer version by adding a direct PackageReference to the newer version in your csproj file. The way that NuGet package version resolution happens prefers references “closer” to the project to transitive references, so the version will be lifted.
Oury Ba-MSFT 21,156 Reputation points Microsoft Employee Moderator

2024-08-29T16:58:16.44+00:00

@Scott F

Please let us know if the above was helpful.

Regards,

Oury
Navaneethan Balakrishnan 0 Reputation points

2025-08-04T14:43:17.66+00:00

Hi @Oury Ba-MSFT , I tried adding the packagereference directly in csproj for newtonsoft version 13.0.3. But it still refers older version 10.0.2 and throws error. I tried everything. Clearing the nuget cache, restoring the packages, verifying that the other packages are not using this failed version. Any idea how to resolve this issue?

3 answers

Your answer

Oury Ba-MSFT 21,156 Reputation points Microsoft Employee Moderator

2024-08-27T16:25:54.7766667+00:00

@Scott F Thank you for reaching out.

Customers are welcome to add a direct dependency to a newer version of Newtonsoft to lift it, and then test to ensure that you are not affected by the breaking changes.
Scott F 15 Reputation points

2024-08-27T17:51:43.19+00:00

we aren't using Newtonsoft at all in our implementation, we are using system.text.json. but the vulnerable package version is an implicit reference and it shows up in static code scans as a vulnerability. i don't want newtonsoft in the application at all, but if i'm forced to include it because i need the cosmos package, it can't be a vulnerable version. none of the suggestions here help me out. unless i can update the implicit reference (i don't think that is possible), my application is carrying a vulnerable package that my company does not want deployed.

any alternative suggestions?
Oury Ba-MSFT 21,156 Reputation points Microsoft Employee Moderator

2024-08-28T20:00:10.8533333+00:00

@Scott F Thank you for getting back to me.

We would suggest forcing your application to deploy a newer version by adding a direct PackageReference to the newer version in your csproj file. The way that NuGet package version resolution happens prefers references “closer” to the project to transitive references, so the version will be lifted.
Oury Ba-MSFT 21,156 Reputation points Microsoft Employee Moderator

2024-08-29T16:58:16.44+00:00

@Scott F

Please let us know if the above was helpful.

Regards,

Oury
Navaneethan Balakrishnan 0 Reputation points

2025-08-04T14:43:17.66+00:00

Hi @Oury Ba-MSFT , I tried adding the packagereference directly in csproj for newtonsoft version 13.0.3. But it still refers older version 10.0.2 and throws error. I tried everything. Clearing the nuget cache, restoring the packages, verifying that the other packages are not using this failed version. Any idea how to resolve this issue?

Answer 1

This is a question for that team. You can get to their support section here.

In the interim you can take an explicit dependency on Newtonsoft and update it to a non-vulnerable version. This is how you work around these kinds of issues until package developers update their code. In Visual Studio you can do this easily by going to the project that is impacted, select the installed packages and then the option to show vulnerabilities. Transient dependencies are listed as well so you can select the vulnerable dependency and update it to a newer version. This resolves the issue but does add an explicit dependency that you'll need to remove at some point in the future.

Answer 2

the cosmos nuget package only specifies the minimum required version of newtonsoft. in you actual application that uses the cosmos db package, can explicitly use a later version of newtonsoft. if the newtonsoft is an implicit dependency, then just add a package reference to newtonsoft which is the version you want.

note: this is true of most nuget packages. they just specify a min version. in your build you specify the actual version. you might be interested in this approach to handling implicit dependencies.

https://learn.microsoft.com/en-us/nuget/consume-packages/central-package-management

Answer 3

Steve W 0

Posting this update in case anyone is confused by the above.

If you are using System.Text.Json serialization with CosmosDB via CosmosClientBuilder.WithSystemTextJsonSerializerOptions, then you can (must?) safely add a reference to the latest Newtonsoft.Json (v13.0.03 at the time of writing) and everything works fine. Note that you also need the following in your .csproj:

  <PropertyGroup>
    <AzureCosmosDisableNewtonsoftJsonCheck>true</AzureCosmosDisableNewtonsoftJsonCheck>
  </PropertyGroup>

0 comments

Share via

when is the Newtonsoft v10.0.2 going to be updated in Microsoft.Azure.Cosmos v3.42. this version of newtonsoft has security vulnerablities

3 answers

Your answer