Version 7.0.4 (patch) has major breaking changes due to update of System.IdentityModel.Tokens.Jwt dependency, breaking semantic versioning #692

Closed
NoahStolk opened this issue Feb 5, 2024 · 2 comments · Fixed by #694
NoahStolk commented Feb 5, 2024

Describe the bug?

In Okta.Sdk version 7.0.4, dependencies Microsoft.IdentityModel.Tokens and System.IdentityModel.Tokens.Jwt were updated from 6.22.0 to 7.2.0 to fix a security vulnerability: c915413#diff-697ea5e447b22623a833c3c071533ce619c00014b2d0362b1496ffa2df3787f1R29

This is a major release with breaking changes and releasing this as a patch version on Okta's end seems like a mistake. We cannot use this version because we depend on System.IdentityModel.Tokens.Jwt version 6 for different reasons and are currently running into runtime errors (and I suspect other people will run into similar problems).

I expect such major dependency updates to be included only in major releases of Okta.Sdk itself. Besides, System.IdentityModel.Tokens.Jwt version 6 is still getting security patches; the latest release being 6.35.0, which has no known security vulnerabilities according to NuGet.

In fact, both versions 7.1.2 and 6.34.0 fix the same vulnerability:

I strongly believe that version 6.34.0 or 6.35.0 should've been used instead.

Is there a chance Microsoft.IdentityModel.Tokens and System.IdentityModel.Tokens.Jwt could be downgraded to 6.35.0 and released as Okta.Sdk 7.0.5? Okta.Sdk claims it uses semantic versioning in its README file. Currently, version 7.0.4 no longer follows semantic versioning and also breaks Okta's own library versioning policy.

What is expected to happen?

N/A

What is the actual behavior?

N/A

Reproduction Steps?

N/A

Additional Information?

No response

.NET Version

.NET 8.0

SDK Version

  • .NET SDK 8
  • Okta.Sdk 7.0.4

OS version

No response
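As an added check (not code from Okta or from this issue's author): a Python script that diffs the dependency lists of two .nuspec files and flags any dependency that crosses a major version while the package itself moved only a patch level, which is the situation described above. The 7.0.3 baseline nuspec is constructed and assumed; the dependency versions are the ones the report cites.

```python
import re
import xml.etree.ElementTree as ET

# Constructed nuspec fragments modelled on the bump reported in this issue:
# the 7.0.3 baseline is assumed, the dependency versions (6.22.0 -> 7.2.0) are the report's.
OLD_NUSPEC = """<package><metadata><id>Okta.Sdk</id><version>7.0.3</version>
<dependencies><group targetFramework="netstandard2.0">
<dependency id="Microsoft.IdentityModel.Tokens" version="6.22.0" />
<dependency id="System.IdentityModel.Tokens.Jwt" version="6.22.0" />
</group></dependencies></metadata></package>"""
NEW_NUSPEC = OLD_NUSPEC.replace("7.0.3", "7.0.4").replace("6.22.0", "7.2.0")

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the nuspec xmlns prefix, if any

def parse_nuspec(text):
    """Return (package version, {dependency id: version}) from nuspec XML."""
    elems = list(ET.fromstring(text).iter())
    version = next(e.text for e in elems if _local(e.tag) == "version")
    deps = {e.get("id"): e.get("version") for e in elems if _local(e.tag) == "dependency"}
    return version, deps

def semver_parts(version):
    # NuGet ranges such as "[6.22.0, 7.0.0)" are reduced to their lower bound.
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"not a semver-like version: {version!r}")
    return tuple(int(x) for x in m.groups())

def bump_level(old, new):
    """Classify a version change as major, minor, patch or none."""
    o, n = semver_parts(old), semver_parts(new)
    for label, idx in (("major", 0), ("minor", 1), ("patch", 2)):
        if o[idx] != n[idx]:
            return label
    return "none"

def semver_violations(old_nuspec, new_nuspec):
    """Dependencies whose major version changed although the package's did not."""
    old_ver, old_deps = parse_nuspec(old_nuspec)
    new_ver, new_deps = parse_nuspec(new_nuspec)
    pkg_level = bump_level(old_ver, new_ver)
    offenders = []
    if pkg_level != "major":
        for dep_id, new_v in new_deps.items():
            old_v = old_deps.get(dep_id)
            if old_v and bump_level(old_v, new_v) == "major":
                offenders.append((dep_id, old_v, new_v))
    return pkg_level, offenders
```

Running `semver_violations(OLD_NUSPEC, NEW_NUSPEC)` reports a patch-level package bump carrying two major dependency bumps; the same check against a 7.0.5 that pins 6.35.0 reports none.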

laura-rodriguez (Collaborator) commented

Hi @NoahStolk,

We apologize for the inconvenience. Thank you so much for letting us know!

We'll release 7.0.5 with the latest System.IdentityModel.Tokens 6.x version that fixes the vuln soon.

NoahStolk (Author) commented Feb 5, 2024

Thanks so much for the quick fix @laura-rodriguez! 🚀
