[Resources.Azure] NugetAudit - fix dependencies with known vulnerabilities (open-telemetry#2056)

Kielek · web-flow · commit 413e943adef8 · 2024-09-11T21:22:32.000+02:00
diff --git a/src/OpenTelemetry.Resources.Azure/CHANGELOG.md b/src/OpenTelemetry.Resources.Azure/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 ## Unreleased
 
+* Added direct reference to `System.Text.Encodings.Web` with minimum version of
+  `4.7.2` in response to [CVE-2021-26701](https://github.com/dotnet/runtime/issues/49377).
+  ([#2056](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/2056))
+
 ## 1.0.0-beta.8
 
 Released 2024-Jun-18
diff --git a/src/OpenTelemetry.Resources.Azure/OpenTelemetry.Resources.Azure.csproj b/src/OpenTelemetry.Resources.Azure/OpenTelemetry.Resources.Azure.csproj
@@ -15,6 +15,8 @@
   <ItemGroup>
     <PackageReference Include="OpenTelemetry" Version="$(OpenTelemetryCoreLatestVersion)" />
     <PackageReference Include="System.Text.Json" Version="4.7.2" />
+    <!-- System.Text.Encodings.Web is indirect reference. It is needed to upgrade it directly to avoid https://github.com/advisories/GHSA-ghhp-997w-qr28 -->
+    <PackageReference Include="System.Text.Encodings.Web" Version="4.7.2" />
   </ItemGroup>
 
   <ItemGroup>
