This is compiled using an old version of Newtonsoft.Json

[User8943242]

Describe the bug

This is compiled using an old version of Newtonsoft.Json. When I download the Nuget package it says it needs version 9.0.0.0. I need to use this in a project which has a new version.

To Reproduce

Install via nuget
compile

Expected behavior

I expected it to use the latest or near latest version of netwonsoft.json.

Code snippets

No response

OS

iis

.NET version

.NET framework 4.6.1

Library version

current

API version

current

Additional context

No response

[anniel-stripe]

Hello @User8943242 ! Can you check your configuration file and confirm you have bindingRedirect entry to Newtonsoft.json? See this Stack Overflow answer for an example.

If this doesn't resolve this issue, can you provide the version of Newtonsoft.Json you are using and the exception details you are seeing?

[User8943242]

Thanks. I'll check it out. Would it not be better for Stripe to use the latest version anyway for security?

[anniel-stripe]

Hi @User8943242 , this is something we are considering. As this would be a breaking change, we'll upgrade this dependency in the next major version.

[User8943242]

Hi @User8943242 , this is something we are considering. As this would be a breaking change, we'll upgrade this dependency in the next major version.

Thanks.

[equinoxe3d]

FYI, in the meantime if anyone needs to downgrade their Newtonsoft.Json version to 9.0.1 for Stripe.net to work, there's a high severity vulnerability that can be mitigated by adding the following under the Application_Start of your Global.asax, as described here:

C#: JsonConvert.DefaultSettings = () => new JsonSerializerSettings { MaxDepth = 128 };

VB: JsonConvert.DefaultSettings = Function() New JsonSerializerSettings With {.MaxDepth = 128}

[ismkdc]

We definitely need system.text.json version of stripe.net

[iamcarbon]

NOTE: The current 'Newtonsoft.Json' 12.0.3 release also has a known high severity vulnerability, GHSA-5crp-9r3c-p9vr

This prevents building the project in the latest Visual Studio preview (which treats transient dependency vulnerabilities as errors).

CC: @anniel-stripe

[ramya-stripe]

Thanks for reporting this @iamcarbon
We will be picking this up next month for sure

Meanwhile, does the bindingRedirect solution @anniel-stripe mentioned above help in your case?

[jar-stripe]

Quick update here: we are planning to upgrade Json.NET to 13.0.3 as part of our next release.

Regarding the vulnerability we actually mitigated this in our default serializer settings v40.2.0 of the SDK (https://github.com/stripe/stripe-dotnet/releases/tag/v40.2.0). If you are unable to upgrade to the next release of the SDK (when it is available), as long as you are using v40.2.0 or later of the SDK, you should be protected from this vulnerability.

[jar-stripe]

The PR for this issue #2930 has been merged and will be included in our 9/30 release.

[jar-stripe]

This has shipped in Stripe.net v46, available today! This release also includes #2980. Because of the the extent of some of the changes, we've also prepared a migration guide for the release https://github.com/stripe/stripe-dotnet/wiki/Migration-guide-for-v46.