remove unnecessary System.Text.Json dependency on modern .NET

[mus65]

Partial revert of #2921 . System.Text.Json is part of the framework on modern .NET, so this dependency is unnecessary and wil just cause false positives in NuGet audit.

[mus65]

@dotnet-policy-service agree

[David-Engel]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 2 pipeline(s).

[cheenamalhotra]

I don't agree with the changes, as this is added purposely. What false positives are you concerned about?

[mus65]

I don't agree with the changes, as this is added purposely. What false positives are you concerned about?

This dependency is simply not necessary since the .NET runtime itself already contains System.Text.Json . This causes false positives in NuGet Audit because if a library like Microsoft.Data.SqlClient e.g. depends on the vulnerable System.Text.Json 8.0.4, but I'm actually using the latest .NET runtime which contains the fixed 8.0.5, the SDK will use the latest version. Meaning I'm not actually affected by the vulnerability, but NuGet Audit will still claim that I am.

NuGet is actually working on fixing this, so it considers the runtime dependencies (see Supplied by Platform ). But even when they fix this, not having this unnecessary dependency in the first place is imho the better option.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 75.94%. Comparing base (39c4604) to head (1569786).
Report is 4 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2930      +/-   ##
==========================================
+ Coverage   71.92%   75.94%   +4.02%     
==========================================
  Files         294      246      -48     
  Lines       60342    40260   -20082     
==========================================
- Hits        43398    30577   -12821     
+ Misses      16944     9683    -7261     

Flag	Coverage Δ
addons	92.90% <ø> (ø)
netcore	75.81% <ø> (-0.02%)	⬇️
netfx	?

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[cheenamalhotra]

Based on comment NuGet/Home#7344 (comment), I believe Supplied by Platform is not yet available in .NET 8 or 9. Can you confirm my understanding?

[ErikEJ]

@cheenamalhotra that is correct, but only affects potential nuget audit warnings. Adding this as an explicit reference with .NET 8 is wrong.

[mungojam]

I hope this can be backported unless v6 is coming very soon and in ef SQL by default. Every time a system.text.json vuln comes up we're having to update it explicitly just because of SQL client lib, other Ms libs don't show the same explicit dependency

[ErikEJ]

@mungojam Why backported? This was introduced in 6.x

[mungojam]

Partial revert of #2921 . System.Text.Json is part of the framework on modern .NET, so this dependency is unnecessary and wil just cause false positives in NuGet audit.

It will still be needed for .net framework consumers so you might need a conditional package reference instead

[mus65]

@mungojam

It will still be needed for .net framework consumers so you might need a conditional package reference instead

The .NET Framework reference is still there, it was already conditional because .NET Framework/.NET have different csproj files.

[mungojam]

@mungojam Why backported? This was introduced in 6.x

@ErikEJ my mistake, it comes in with sub-dependencies in v5. Hopefully these don't bring it in in v6:

Thanks to dotnet nuget why ./ System.Text.Json, what a great addition :)