Merge pull request #1806 from microsoft/security/transitive-deps

fix: directly adds non-vulnerable versions of transitive deps to resolve alerts

Author: baywet

src/Microsoft.OpenApi.Hidi/Microsoft.OpenApi.Hidi.csproj

@@ -39,6 +39,10 @@
     <PackageReference Include="Microsoft.OpenApi.OData" Version="2.0.0-preview.2" />
     <PackageReference Include="Microsoft.OpenApi.ApiManifest" Version="0.5.0-preview" />
     <PackageReference Include="System.CommandLine.Hosting" Version="0.4.0-alpha.22272.1" />
+    <!--STJ
+    required until Microsoft.Extensions.Logging.Console and Microsoft.Extensions.Configuration.Json
+    update their dependencies -->
+    <PackageReference Include="System.Text.Json" Version="8.0.4" />
   </ItemGroup>
 
   <ItemGroup>

src/Microsoft.OpenApi.Workbench/Microsoft.OpenApi.Workbench.csproj

@@ -10,6 +10,8 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.VisualStudio.Threading" Version="17.11.20" />
     <PackageReference Include="Microsoft.Windows.Compatibility" Version="8.0.8" />
+    <!-- Microsoft.Windows.Compatibility 8.0.8 depends on 8.0.0 this dependency can be removed once they update theirs -->
+    <PackageReference Include="System.Formats.Asn1" Version="8.0.1" />
   </ItemGroup>
   <ItemGroup>
     <Resource Include="Themes\Metro\HowToApplyTheme.txt" />

test/Microsoft.OpenApi.Readers.Tests/Microsoft.OpenApi.Readers.Tests.csproj

@@ -23,6 +23,8 @@
         <PackageReference Include="SharpYaml" Version="2.1.1" />
         <PackageReference Include="xunit" Version="2.9.0" />
         <PackageReference Include="xunit.runner.visualstudio" Version="2.8.2" PrivateAssets="all" />
+        <!--STJ required until Microsoft.Extensions.Logging.Console and Microsoft.Extensions.Configuration.Json update their dependencies -->
+        <PackageReference Include="System.Text.Json" Version="8.0.4" />
     </ItemGroup>
 
     <ItemGroup>