fix: Update Newtonsoft.Json to fix CVE error #200
Conversation
I just noticed the CVE in the description identifies versions
That links out to https://www.mend.io/vulnerability-database/CVE-2024-21907?utm_source=JetBrains.
Greptile Overview
Greptile Summary
This PR updates the Newtonsoft.Json dependency from version 13.0.2 to 13.0.5-beta1 to address CVE-GHSA-5crp-9r3c-p9vr, a security vulnerability in the JSON parsing library. The update applies to both target frameworks (netstandard2.0 and net461).
Key findings:
- The CVE fix is valid and addresses a real security issue
- However, the PR uses a beta version (13.0.5-beta1) when a stable version (13.0.3) that includes the same CVE fix is available
- Per the README's Beta Release policy: "there can be breaking changes between Beta versions" and pinning is recommended
- Using a beta version in a production SDK may introduce instability for downstream consumers
- The PR description states "only a patch update" but beta versions don't follow typical semver guarantees
Recommendation: Consider updating to stable version 13.0.3 instead of 13.0.5-beta1 to maintain stability while still addressing the CVE.
Confidence Score: 3/5
- This PR addresses a valid CVE but introduces risk by using a beta version instead of a stable release
- The security fix is legitimate and important, but using `13.0.5-beta1` instead of the stable `13.0.3` (which also fixes the CVE) introduces potential instability. Beta versions can have breaking changes and unexpected behavior. For a library SDK that's distributed to many consumers, stability should be prioritized. Score would be 5/5 if updated to use the stable version `13.0.3`.
- Review `src/WorkOS.net/WorkOS.net.csproj` to verify the `Newtonsoft.Json` version choice - consider using stable `13.0.3` instead of `13.0.5-beta1`
Important Files Changed
File Analysis
| Filename | Score | Overview |
|---|---|---|
| src/WorkOS.net/WorkOS.net.csproj | 3/5 | Updated Newtonsoft.Json from 13.0.2 to 13.0.5-beta1 to address CVE-GHSA-5crp-9r3c-p9vr, but using a beta version raises stability concerns |
Sequence Diagram
```mermaid
sequenceDiagram
    participant Dev as Developer
    participant Build as Build System
    participant NuGet as NuGet Package Manager
    participant App as WorkOS.net Library
    Dev->>Build: Update Newtonsoft.Json version in .csproj
    Note over Dev,Build: Change from 13.0.2 to 13.0.5-beta1
    Build->>NuGet: Restore packages (dotnet restore)
    NuGet->>NuGet: Resolve Newtonsoft.Json 13.0.5-beta1
    NuGet-->>Build: Download and cache package
    Build->>Build: Compile netstandard2.0 target
    Build->>Build: Compile net461 target
    Build->>App: Build WorkOS.net with updated dependency
    Note over Build,App: CVE-GHSA-5crp-9r3c-p9vr mitigated
    App->>NuGet: Package WorkOS.net for distribution
    NuGet-->>Dev: WorkOS.net package with Newtonsoft.Json 13.0.5-beta1 dependency
```
src/WorkOS.net/WorkOS.net.csproj
Outdated
| <ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0'"> | ||
| <PackageReference Include="Microsoft.Bcl.AsyncInterfaces" Version="1.1.0" /> | ||
| <PackageReference Include="Newtonsoft.Json" Version="13.0.2" /> | ||
| <PackageReference Include="Newtonsoft.Json" Version="13.0.5-beta1" /> |
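Review bot: `Version="13.0.5-beta1"` is a prerelease label, and NuGet treats a `PackageReference` version as an inclusive minimum, so this line makes a beta the floor for every project that consumes the packed WorkOS.net library, and packing a stable package that declares a prerelease dependency triggers NuGet warning NU5104. If the only goal is the advisory fix, pin the lowest stable version that contains it (the review comment on this line names 13.0.3; confirm that against the advisory before changing it), e.g. `<PackageReference Include="Newtonsoft.Json" Version="13.0.3" />`.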
Using beta version 13.0.5-beta1 instead of stable release. The CVE fix (GHSA-5crp-9r3c-p9vr) is available in stable version 13.0.3, which would be safer for production use.
Verify if 13.0.3 (stable) addresses the same CVE without beta risk.
src/WorkOS.net/WorkOS.net.csproj
Outdated
| <ItemGroup Condition=" '$(TargetFramework)' == 'net461' "> | ||
| <PackageReference Include="Microsoft.Bcl.AsyncInterfaces" Version="1.1.0" /> | ||
| <PackageReference Include="Newtonsoft.Json" Version="13.0.2" /> | ||
| <PackageReference Include="Newtonsoft.Json" Version="13.0.5-beta1" /> |
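Review bot: this adds to the net461 group the identical `Newtonsoft.Json` reference that the netstandard2.0 group already carries, so the version is now declared in two places and the two targets can drift apart on a future bump; move `<PackageReference Include="Newtonsoft.Json" Version="..." />` (and the equally duplicated `Microsoft.Bcl.AsyncInterfaces` 1.1.0 line) into one unconditional `<ItemGroup>` and keep only genuinely target-specific references conditional. Minor: the `Condition` here is written `" '$(TargetFramework)' == 'net461' "` with padding spaces while the netstandard2.0 group omits them; both evaluate the same, but they are worth normalizing.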
Same beta version issue for net461 target framework - consider using stable 13.0.3 instead.
Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
Description
After cloning the project, I was unable to build it due to this CVE.
As the package with the fix is only a patch update, this should be safe to update!
Documentation
Does this require changes to the WorkOS Docs? E.g. the API Reference or code snippets need updates.
If yes, link a related docs PR and add a docs maintainer as a reviewer. Their approval is required.