
Potential breaking change: Upgrade to exclusively use Newtonsoft.Json >= 13.0.1 #1156

Closed
ankitC opened this issue Jul 12, 2022 · 2 comments
Labels: dependencies (Pull requests that update a dependency file), enhancement, wontfix

Comments


ankitC commented Jul 12, 2022

In the wake of a new vulnerability discovered in the Newtonsoft.Json library, it is recommended that consumers use version greater than or equal to 13.0.1. (JamesNK/Newtonsoft.Json#2457)

In order to comply with the recommendation, I propose that the community consider upgrading the dependency on Newtonsoft.Json to the recommended version. It will help all the consumers of the Bond library to make their applications and services inherently more secure.

The Bond library states its dependency as >= 9.0.1, and consumers are free to use any version that suits their needs. While this recommendation is not incorrect, it's not in the best interests of the consumers as we have the knowledge of the Newtonsoft issue. As a best practice, the latest version of the library should be using the most secure dependencies.

If there are enough community members that agree to this proposal, I'd be happy to work with the community and contribute to the proposed change.

chwarr (Member) commented Jul 12, 2022

My initial disposition is not to take such a change. Bond is not preventing any app from using a newer version of Newtonsoft.JSON.

Both Bond and Newtonsoft.JSON are low level dependencies used across thousands and thousands of projects. Dependency resolution can be painful to deal with, and Bond strives to make this easy for consumers by having a wide range of Newtonsoft.JSON versions it can work with.

Any dependency version change in Bond will have huge ripple effects. The project's policy thus far has been to be conservative about making breaking changes like this. I don't think Bond should use its dependency on Newtonsoft.JSON to "help" apps consume newer versions of Newtonsoft.JSON, however laudable that goal may be.

I'd love to get more feedback from the Bond community and see if there's a consensus one way or the other here.

  • Apps can already use newer versions of Newtonsoft.JSON if they want. The Bond.Runtime.CSharp NuGet package's version bound for Newtonsoft.JSON is greater than or equal to Newtonsoft.JSON 9.0.1, not an exact match for 9.0.1:

        <dependency id="Newtonsoft.Json" version="9.0.1" />

    NB: In NuGet bounds, "x.y.z" is implicitly >= x.y.z. "[x.y.z]" is how an exact match is specified.

  • Bond is a library and is not responsible for the final set of packages that are deployed and used at runtime: apps are responsible for that. Bond needs to give apps the flexibility to use whatever version of Newtonsoft.JSON that they need to use, within the bounds that Bond supports.

    • If you are using NuGet 6.2+/.NET 6+ SDK, you can use central package management and transitive pinning to specify a single version of all packages across your entire repo tree.
    • To force a different version, add an explicit PackageReference to the consuming application. This is standard practice in the NuGet world for how to use a different version of a library than a dependency references. It’s called "nearest wins".
    • You can also adjust what you consume from your dependencies to control what is consumed directly and transitively.
  • Bond does not need anything newer than Newtonsoft.JSON 9.0.1 but it works with everything through 13.0.1.

    • NuGet will silently upgrade a package reference to a newer version. However, downgrading will emit a warning.
  • If you don't need support for Bond's JSON protocol, do not reference the Bond.Runtime.CSharp package. This will potentially remove a reference to Newtonsoft.JSON entirely.

  • Changing the bound would be a breaking change for consumers of Bond.
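As an added illustration of the two consumer-side options described in this comment (not part of the issue, and not Bond's own build files): a Directory.Packages.props that uses central package management with transitive pinning, a project that relies on it, and the equivalent explicit PackageReference for a project that does not use central management. Three files are shown in one listing; the Bond version and the net6.0 target framework are placeholders/assumptions.

```xml
<!-- File 1: Directory.Packages.props at the repo root (NuGet 6.2+ / .NET 6+ SDK).
     Central package management keeps every package version in one file, and
     transitive pinning makes these entries override versions that arrive only
     through dependencies, such as Bond.Runtime.CSharp's ">= 9.0.1" bound. -->
<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>
  <ItemGroup>
    <!-- BOND_VERSION is a placeholder; use the Bond release the repo already consumes. -->
    <PackageVersion Include="Bond.Runtime.CSharp" Version="BOND_VERSION" />
    <!-- Pinned at or above 13.0.1 even though no project references it directly.
         "13.0.1" is a lower bound (>= 13.0.1); "[13.0.1]" would demand exactly 13.0.1. -->
    <PackageVersion Include="Newtonsoft.Json" Version="13.0.1" />
  </ItemGroup>
</Project>

<!-- File 2: MyApp.csproj. Under central management a PackageReference carries no Version;
     the resolved Newtonsoft.Json comes from the pinned entry above, not from Bond's bound. -->
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Bond.Runtime.CSharp" />
  </ItemGroup>
</Project>

<!-- File 3: the same app without central management, using "nearest wins".
     Referencing the transitive package directly makes the app's own version
     take precedence over the version Bond.Runtime.CSharp would pull in.
     NuGet upgrades silently; a downgrade below a dependency's bound emits a warning. -->
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Bond.Runtime.CSharp" Version="BOND_VERSION" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
  </ItemGroup>
</Project>
```

After restoring, the resolved version can be confirmed with `dotnet list package --include-transitive`, which shows the Newtonsoft.Json version actually selected rather than the bound Bond declares.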

@chwarr chwarr changed the title Upgrade the new Bond library to exclusively use Newtonsoft.Json >= 13.0.1 Potential breaking change: Upgrade to exclusively use Newtonsoft.Json >= 13.0.1 Jul 12, 2022
@chwarr chwarr pinned this issue Jul 12, 2022
@chwarr chwarr added enhancement dependencies Pull requests that update a dependency file labels Jul 13, 2022
chwarr (Member) commented Oct 25, 2022

I don't see a compelling reason to take this breaking change in Bond, so I'm going to leave Bond at the minimum version of Newtonsoft.Json that it requires.

@chwarr chwarr closed this as completed Oct 25, 2022
@chwarr chwarr added the wontfix label Oct 25, 2022
@chwarr chwarr unpinned this issue Oct 26, 2022