[BUG] Update Azure.Core in Azure.Messaging.ServiceBus

[kipusoep]

Library name and version

Azure.Messaging.ServiceBus 7.18.2

Describe the bug

I was wondering why Azure.Core still isn't updated in Azure.Messaging.ServiceBus? It requires >= 1.44.0 while 1.44.1 is referencing a newer version of System.Text.Json without the vulerability.

Expected behavior

Use a version of System.Text.Json that isn't vulnerable by updating Azure.Core

Actual behavior

The referenced version is not high enough

Reproduction Steps

Install Azure.Messaging.ServiceBus 7.18.2

Environment

No response

[github-actions]

Thank you for your feedback. Tagging and routing to the team member best able to assist.

[jsquire]

Hi @kipusoep. Thanks for reaching out and we regret that you're experiencing difficulties. Azure Service Bus does not use System.Text.Json and is not vulnerable due to the reference. If you are using functionality of System.Text.Json in your application, then bumping the version referenced by your application will hoist the version available in the environment. Likewise, if you're using another Azure library which depends on a newer version of Azure.Core or take a direct dependency within your application, the version of Core available to Service Bus will be hoisted as well.

Azure Service Bus automatically moves to the latest Azure Core version with each release. As a result, the next release will reference a newer Azure.Core.

[github-actions]

Hi @kipusoep. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.