Bump the nuget group with 7 updates

[dependabot]

Pinned Microsoft.IdentityModel.JsonWebTokens at 7.1.2.

Updated Newtonsoft.Json from 12.0.3 to 13.0.1.

Release notes

Sourced from Newtonsoft.Json's releases.

13.0.1

• New feature - Add JsonSelectSettings with configuration for a regex timeout
• Change - Remove portable assemblies from NuGet package
• Change - JsonReader and JsonSerializer MaxDepth defaults to 64
• Change - Change InvalidCastException to JsonSerializationException on mismatched JToken
• Fix - Fixed throwing missing member error on ignored fields
• Fix - Fixed various nullable annotations
• Fix - Fixed annotations not being copied when tokens are cloned
• Fix - Fixed naming strategy not being used when deserializing dictionary enum keys
• Fix - Fixed serializing nullable struct dictionaries
• Fix - Fixed JsonWriter.WriteToken to allow null with string token
• Fix - Fixed missing error when deserializing JToken with a contract type mismatch
• Fix - Fixed JTokenWriter when writing comment to an object

Commits viewable in compare view.

Updated SharpZipLib from 1.3.1 to 1.3.3.

Release notes

Sourced from SharpZipLib's releases.

1.3.3

Another minor release, containing security fixes and smaller bugfixes.

Fixes:

• 🐛 specialized tar extract traversal by nils måsén
• 🐛 [#​635] bzip2 use explicit feature defs for vectorized memory move by Jackson Wood
• 🐛 [#​645] tar create translated files in temp by nils måsén

Smaller changes:

• 🔨 [#​604] Move the Password property from DeflaterOutputStream into ZipOutputStream by Richard Webb
• 🔨 [#​625] Make BZip2Constants static instead of sealed by Richard Webb
• 🔨 [#​626] make a couple of private functions static by Richard Webb

Other changes (not related to library code):

• 📚 [#​648] zip fix ZipStrings typo by Friedrich von Never
• 🚨 add tests for tar path traversal by nils måsén
• ⚙️ add codeql analysis by nils måsén
• 🚨 [#​636] Fix unstable tests and switch to dotcover by nils måsén
• 🚨 [#​634] add an async version of the WriteZipOutputStream benchmark by Richard Webb
• ⚙️ [#​628] Limit code coverage to windows CI by nils måsén
• 🚨 [#​627] fix the expected/actual value ordering in unit tests by Richard Webb

1.3.2

Another minor release, containing security fixes and smaller bugfixes.
Additionally, this version will have an additional target framework, .NET Standard 2.1, which will see some speed improvements when
used in newer versions of .NET (Core), mainly in Bzip2.

Features

• [#​611] Bzip input stream simple vectorization by Konrad Kruczyński
• [#​351] Add support for Filename field in GZip by nils måsén

Smaller fixes and optimizations

• [#​579] Implement very simple ReadAsync in ZipAESStream by Richard Webb
• [#​587] Remove supported method checks from ZipEntry.CompressionMethod setter by Richard Webb
• [#​593] Simplify DropPathRoot and fix out of bounds issue by nils måsén
• [#​575] Replace uses of new T[0] with Array.Empty<T> by Richard Webb
• [#​583] Restore entry times on FastZip extract by nils måsén
• [#​517] Throw exception on Store+Descriptor entries by nils måsén
• [#​578] Fix typos in the StreamDecodingException doc comments by Richard Webb
• [#​577] Throw ZipException in ZipAESStream instead of generic Exception by Richard Webb
• [#​510] Build the test bootstrapper app as netcoreapp3.1 instead of netcoreapp2.0 by Richard Webb
• [#​546] Make pure private functions static by Richard Webb
• [#​554] Skip CRC calculation for AES zip entries by nils måsén
• [#​605] Suppress CA1707 warnings in the Constants classes by Richard Webb
• [#​549] Add .NET Standard 2.1 target framework by Cédric Luthi

Other changes (not related to library code)

• [#​586] Convert VB sample projects to PackageReference format by Richard Webb
• [#​533] Convert the C# sample projects to PackageReference format by Richard Webb
• [#​457] add basic async unit tests for the inflator/deflator streams by Richard Webb
• [#​588] Add a simple async read test for ZipFile by Richard Webb
• [#​621] unify PR/push CI build actions by nils måsén
• [#​616] Change the build status badge to reference github actions by Richard Webb
• [#​603] pass CreateZip tests that are within time tolerance by nils måsén
• [#​602] Update test/coverage packages and push to codecov by nils måsén
• [#​601] pass tests that are within time tolerance by nils måsén
• [#​599] Use net46 as CI target framework for windows tests by nils måsén
• [#​594] Remove the local nuget.config files from the test projects by Richard Webb
• [#​553] Remove broken codacy integration by nils måsén
• [#​542] Build and publish documentation on release by nils måsén

Commits viewable in compare view.

Pinned Swashbuckle.AspNetCore.SwaggerUI at 6.3.0.

Pinned System.IdentityModel.Tokens.Jwt at 7.1.2.

Updated System.Net.Http from 4.3.0 to 4.3.4.

Updated System.Text.RegularExpressions from 4.3.0 to 4.3.1.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
nuget/Microsoft.IdentityModel.Abstractions	7.1.2	🟢 7.2	Details Check Score Reason Maintained 🟢 10 17 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Code-Review 🟢 10 all changesets reviewed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed Binary-Artifacts 🟢 10 no binaries found in the repo Vulnerabilities 🟢 10 0 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during GetBranch(dev7x): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 10 SAST tool is run on all commits
nuget/Microsoft.IdentityModel.JsonWebTokens	7.1.2	🟢 7.2	Details Check Score Reason Maintained 🟢 10 17 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Code-Review 🟢 10 all changesets reviewed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed Binary-Artifacts 🟢 10 no binaries found in the repo Vulnerabilities 🟢 10 0 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during GetBranch(dev7x): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 10 SAST tool is run on all commits
nuget/Microsoft.IdentityModel.Logging	7.1.2	🟢 7.2	Details Check Score Reason Maintained 🟢 10 17 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Code-Review 🟢 10 all changesets reviewed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed Binary-Artifacts 🟢 10 no binaries found in the repo Vulnerabilities 🟢 10 0 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during GetBranch(dev7x): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 10 SAST tool is run on all commits
nuget/Microsoft.IdentityModel.Tokens	7.1.2	🟢 7.2	Details Check Score Reason Maintained 🟢 10 17 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Code-Review 🟢 10 all changesets reviewed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed Binary-Artifacts 🟢 10 no binaries found in the repo Vulnerabilities 🟢 10 0 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during GetBranch(dev7x): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 10 SAST tool is run on all commits
nuget/Microsoft.NETCore.Platforms	1.1.1	🟢 5.3	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 29 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 7 3 existing vulnerabilities detected Binary-Artifacts ⚠️ 0 binaries present in source code Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2
nuget/Newtonsoft.Json	13.0.1	🟢 6.1	Details Check Score Reason Maintained 🟢 10 14 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 5 Found 16/30 approved changesets -- score normalized to 5 Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Binary-Artifacts 🟢 10 no binaries found in the repo Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 7 SAST tool detected but not run on all commits
nuget/Swashbuckle.AspNetCore.SwaggerUI	6.3.0	🟢 7.9	Details Check Score Reason Code-Review ⚠️ 1 Found 1/10 approved changesets -- score normalized to 1 Dependency-Update-Tool 🟢 10 update tool detected Security-Policy 🟢 10 security policy file detected Maintained 🟢 10 30 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies 🟢 10 all dependencies are pinned Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed CII-Best-Practices 🟢 5 badge detected: Passing Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Vulnerabilities 🟢 10 0 existing vulnerabilities detected Packaging 🟢 10 packaging workflow detected License 🟢 10 license file detected SAST 🟢 10 SAST tool is run on all commits Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 54 contributing companies or organizations
nuget/System.IdentityModel.Tokens.Jwt	7.1.2	🟢 7.2	Details Check Score Reason Maintained 🟢 10 17 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Code-Review 🟢 10 all changesets reviewed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed Binary-Artifacts 🟢 10 no binaries found in the repo Vulnerabilities 🟢 10 0 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during GetBranch(dev7x): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 10 SAST tool is run on all commits
nuget/System.Net.Http	4.3.4	🟢 3.8	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained ⚠️ 0 project is archived Dangerous-Workflow ⚠️ -1 no workflows found Code-Review 🟢 5 Found 2/4 approved changesets -- score normalized to 5 Pinned-Dependencies ⚠️ -1 no dependencies found Token-Permissions ⚠️ -1 No tokens found CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected License ⚠️ 0 license file not detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
nuget/Newtonsoft.Json	13.0.1	🟢 6.1	Details Check Score Reason Maintained 🟢 10 14 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 5 Found 16/30 approved changesets -- score normalized to 5 Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Binary-Artifacts 🟢 10 no binaries found in the repo Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 7 SAST tool detected but not run on all commits
nuget/Newtonsoft.Json	13.0.1	🟢 6.1	Details Check Score Reason Maintained 🟢 10 14 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 5 Found 16/30 approved changesets -- score normalized to 5 Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Binary-Artifacts 🟢 10 no binaries found in the repo Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 7 SAST tool detected but not run on all commits
nuget/SharpZipLib	1.3.3	🟢 4.3	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Code-Review ⚠️ 2 Found 6/30 approved changesets -- score normalized to 2 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 7 SAST tool detected but not run on all commits
nuget/System.Text.RegularExpressions	4.3.1	🟢 5.3	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 29 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 7 3 existing vulnerabilities detected Binary-Artifacts ⚠️ 0 binaries present in source code Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2

Scanned Files

• VulnerableApi/VulnerableApi.csproj
• VulnerableConsole/VulnerableConsole.csproj
• VulnerableLibrary/VulnerableLibrary.csproj

[felickz]

Hmm .. unclear why this is not checking snapshot submission (not expecting vulns here)

Maybe related: actions/dependency-review-action#967