Upgrade Newtonsoft.Json to v13.0.2. | Continue Development for JsonApiSerializer

[wavedeck]

I've recently stumbled upon this project and incorporated it into my new pet project. Imho, this project is superior to the more active / larger "JsonApiDotnetCore" in the sense that it doesn't add a bunch of magic to the app, but simply focuses on de- / serializing.

I've forked this project and upgraded Newtonsoft.Json as well as the Test-Project's dependencies to the latest version, fixing a bunch of security vulnerabilities and modernizing / fixing deprecation notices in the process.

Running the tests succeeds after the upgrade / refactor, so i'd say it's safe to update.

Additionally, I've refactored the csproj and set target frameworks to netstandard2.0, which is the latest version of the standard still supporting .NET Framework 4.6.1+ in addition to .NET (Core)

Regardless if this PR reaches the maintainers and (hopefully) gets approved, i'm still planning to continue development of my fork over on my Github profile, with plans of starting a v2.0, that complies to JSON:API v1.1 spec, targets newer .NET versions and deprecates support for .NET Framework 4.x while keeping security updates for the v1

[alex-davies]

On the surface, this looks really good.

Ill have a closer look at this PR in the weekend to try and get this merged. Ill also need to do some work to update the build and refresh the credentials so I can generate a new release

[wavedeck]

This sounds great! And again massive credits for creating this library in the first place 😎

Had some good time implementing the upgraded PR-version in my pet project and already consider it for some pre-production services as well. This implies however, that arising security issues are dealt with in a timely matter and known CVE's (such as the ones in JSON.NET v10) are patched.

For that reason, i'll keep my fork around and plan to back-contribute to JsonApiSerializer to let the public benefit from the updates, especially since the last commit is currently about 5 years in the past and .NET heavily advanced since the release of .NET 6. (Out of my own curiosity, was there a specific reason for this long break?)

My next goal keep this library alive will be refactoring it with improvements for JSON:API v1.1 and deprecating .NET 4.6.x in favour of modern cross-platform .NET 6+ whilst releasing security updates for .NET 4.6 in v1 for at least the next 3-5 years (or as long as Microsoft keeps supporting it within this timespan).

[wavedeck]

Btw.. the bump in versions within the .csproj was mainly due to me using a private package repository other than nuget and can be reverted or reconsidered.

v1.8.0 was just upgrading dependencies / targets while
v1.9.0 patched deprecation notices and cleaned up some code

[alex-davies]

Happy to merge. Made a few minor changes to the unit test. Bumped the major version number as this is technically a breaking change for anyone not supporting the later framework - which admittedly wouldn't be too many

I'm going to move the build/release pipeline over to github actions in a day or two and make the release that way. Will probably change the way versioning works at the same time to base it on tags rather than version in the csproj

Out of my own curiosity, was there a specific reason for this long break

When I developed the library I was using json:api heavily for work. I have since moved companies and haven't had any interaction with json:api since then so the library got less focus than it deserved