chore: Update CloudNative.CloudEvents.Avro dependencies

jskeet · jskeet · commit 0897d8134bc1 · 2022-11-09T18:46:19.000Z
- Updated to Apache.Avro 1.11.1 on general principle - Added explicit dependency on Newtonsoft.Json 13.0.1 to avoid taking a transitive dependency on a vulnerable version Addresses short-term concerns of #245. Signed-off-by: Jon Skeet <jonskeet@google.com>
diff --git a/src/CloudNative.CloudEvents.Avro/CloudNative.CloudEvents.Avro.csproj b/src/CloudNative.CloudEvents.Avro/CloudNative.CloudEvents.Avro.csproj
@@ -9,7 +9,13 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Apache.Avro" Version="1.11.0" />
+    <PackageReference Include="Apache.Avro" Version="1.11.1" />
+    <!-- 
+      - Explicit dependency just to avoid a vulnerable version being exposed via Apache.Avro.
+      - If Apache.Avro publishes a new version that updates the dependency (to 13.0.1 or higher)
+      - we can remove our explicit dependency.
+      -->
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
     <ProjectReference Include="..\CloudNative.CloudEvents\CloudNative.CloudEvents.csproj" />
   </ItemGroup>
 
