Bump System.Text.Json version due to [CVE-2024-30105](dotnet/runtime#104619)

rajkumar-rangaraj · rajkumar-rangaraj · commit ebd15f6fb1a1 · 2024-07-09T16:30:47.000-07:00
diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -55,10 +55,10 @@
     <PackageVersion Include="System.Diagnostics.DiagnosticSource" Version="8.0.0" />
 
     <!-- A conservative version of System.Text.Encodings.Web must be used here since there is no backward compatibility guarantee during major version bumps. -->
-    <PackageVersion Include="System.Text.Encodings.Web" Version="4.7.2" />
+    <PackageVersion Include="System.Text.Encodings.Web" Version="8.0.0" />
 
     <!-- A conservative version of System.Text.Json must be used here since there is no backward compatibility guarantee during major version bumps. -->
-    <PackageVersion Include="System.Text.Json" Version="4.7.2" />
+    <PackageVersion Include="System.Text.Json" Version="8.0.4" />
 
     <!-- A conservative version of System.Threading.Tasks.Extensions must be used here since there is no backward compatibility guarantee during major version bumps. -->
     <PackageVersion Include="System.Threading.Tasks.Extensions" Version="4.5.4" />
diff --git a/examples/Directory.Packages.props b/examples/Directory.Packages.props
@@ -1,6 +1,6 @@
 <Project>
   <Import Project="$([MSBuild]::GetPathOfFileAbove(Directory.Packages.props, $(MSBuildThisFileDirectory)..))" />
   <ItemGroup>
-    <PackageVersion Update="System.Text.Json" Version="6.0.5" />
+    <PackageVersion Update="System.Text.Json" Version="8.0.4" />
   </ItemGroup>
 </Project>
diff --git a/src/OpenTelemetry.Exporter.Console/CHANGELOG.md b/src/OpenTelemetry.Exporter.Console/CHANGELOG.md
@@ -2,6 +2,11 @@
 
 ## Unreleased
 
+* Bumped the minimum required version of `System.Text.Json` to 8.0.4  and its
+indirect dependency on `System.Text.Encodings.Web` to 8.0.0 in response to
+[CVE-2024-30105](https://github.com/dotnet/runtime/issues/104619).
+([#](https://github.com/open-telemetry/opentelemetry-dotnet/pull/))
+
 ## 1.9.0
 
 Released 2024-Jun-14
diff --git a/src/OpenTelemetry.Exporter.Zipkin/CHANGELOG.md b/src/OpenTelemetry.Exporter.Zipkin/CHANGELOG.md
@@ -6,6 +6,10 @@
   `Convert.ToString` will now format using `CultureInfo.InvariantCulture`.
   ([#5700](https://github.com/open-telemetry/opentelemetry-dotnet/pull/5700))
 
+* Bumped the minimum required version of `System.Text.Json` to 8.0.4 in response
+to [CVE-2024-30105](https://github.com/dotnet/runtime/issues/104619).
+([#](https://github.com/open-telemetry/opentelemetry-dotnet/pull/))
+
 ## 1.9.0
 
 Released 2024-Jun-14
diff --git a/test/Directory.Packages.props b/test/Directory.Packages.props
@@ -1,7 +1,7 @@
 <Project>
   <Import Project="$([MSBuild]::GetPathOfFileAbove(Directory.Packages.props, $(MSBuildThisFileDirectory)..))" />
   <ItemGroup>
-    <PackageVersion Update="System.Text.Json" Version="7.0.1" />
+    <PackageVersion Update="System.Text.Json" Version="8.0.4" />
     <PackageVersion Include="System.Runtime.InteropServices.RuntimeInformation" Version="4.3.0" />
     <PackageVersion Include="Microsoft.Coyote" Version="1.7.10" />
   </ItemGroup>
