Vulnerability in System.Text.RegularExpressions from ServiceStack

After moving to .NET 9, I am seeing the problem defined in this StackOverflow posting: Vulnerability in System.Text.Json and System.Text.RegularExpressions after update to .NET 9.

In my case, I see build warnings because of transitive dependencies in ServiceStack.Server and ServiceStack.OrmLite.SqlServer (version 8.5 and 8.4) for System.Text.RegularExpressions.

Are there any plans to fix this?

The latest v8.5 of ServiceStack is referencing v8.0.5 of System.Text.Json which does not have any vulnerability against it.

We only maintain LTS builds inside ServiceStack packages so we only ever reference the highest LTS version available.

If you want to use a different version than LTS you’d need to explicitly reference it yourself.

My issue is not Json but the RegEx dependency.

ServiceStack packages don’t reference System.Text.RegularExpressions directly.

True, it is being referenced via System.Xml.XmlDocument.

We’re already referencing the latest 4.3.0 of System.Xml.XmlDocument:

<PackageReference Include="System.Xml.XmlDocument" Version="4.3.0" />

So, I guess nothing can be done.

For reference:

Not unless they’re going to publish a new version with updated dependencies.

You could try explicitly referencing the newest version of RegularExpressions in your project.

Actually, it doesn’t look like we need to reference System.Xml.XmlDocument, so we’re removing the references and will publish some pre-release packages.

That would be great and very much appreciated. Thank you.

This is now available in the latest v8.5.1+ packages, which are available from pre-release packages.
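Added example, not part of the thread and not ServiceStack code: a Python sketch that walks the restore graph NuGet writes to `obj/project.assets.json` and lists every chain from a direct package reference down to a flagged transitive package, which is how the thread traces System.Text.RegularExpressions back to System.Xml.XmlDocument. The function name `dependency_paths` is hypothetical, and the sample graph is constructed and simplified (the versions in it are sample values).

```python
import json
from collections import deque

# Constructed, simplified stand-in for obj/project.assets.json.
# Versions are sample values, not taken from a real restore.
SAMPLE_ASSETS = json.loads("""
{
  "targets": {"net9.0": {
    "ServiceStack.Server/8.5.0": {"dependencies": {"System.Xml.XmlDocument": "4.3.0"}},
    "ServiceStack.OrmLite.SqlServer/8.5.0": {"dependencies": {"System.Xml.XmlDocument": "4.3.0"}},
    "System.Xml.XmlDocument/4.3.0": {"dependencies": {"System.Text.RegularExpressions": "4.3.0"}},
    "System.Text.RegularExpressions/4.3.0": {},
    "Example.Logging/1.0.0": {}
  }},
  "project": {"frameworks": {"net9.0": {"dependencies": {
    "ServiceStack.Server": {}, "ServiceStack.OrmLite.SqlServer": {}, "Example.Logging": {}
  }}}}
}
""")

def dependency_paths(assets, framework, target_package):
    """Return every chain of resolved 'Id/Version' keys that leads from a
    direct package reference to target_package (empty list if none)."""
    libs = assets["targets"][framework]
    # package id (case-insensitive) -> (resolved key, declared dependencies)
    by_id = {key.split("/")[0].lower(): (key, entry.get("dependencies", {}))
             for key, entry in libs.items()}
    direct = assets["project"]["frameworks"][framework]["dependencies"]
    target = target_package.lower()
    paths = []
    queue = deque([name.lower()] for name in direct)
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node not in by_id:
            continue  # project reference or unresolved id
        if node == target:
            paths.append([by_id[p][0] for p in path])
            continue
        for dep in by_id[node][1]:
            if dep.lower() not in path:  # guard against cycles
                queue.append(path + [dep.lower()])
    return paths

if __name__ == "__main__":
    for chain in dependency_paths(SAMPLE_ASSETS, "net9.0",
                                  "System.Text.RegularExpressions"):
        print(" -> ".join(chain))
```

Against a real project, load the file with `json.load(open("obj/project.assets.json"))` after a restore and pass the target framework key it contains.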