
[repo] Mitigate vulnerabilities in System.Text.Json 8.0.4 package#5891

Merged
CodeBlanch merged 4 commits into
open-telemetry:mainfrom
CodeBlanch:repo-mitigate-stj-net8-2
Oct 8, 2024

Conversation

@CodeBlanch (Member)

Changes

  • Mitigate vulnerabilities in System.Text.Json v8.0.4

Details

We just bumped STJ to 8.0.4 for net8.0 targets but a new vulnerability was published today.

This PR bumps STJ to 8.0.5 for net8.0 targets.

Unlike the previous CVE, net6.0 is also impacted and a new version 6.0.10 was published for net6.0. No action is being taken for net6.0, because we have already removed net6.0 targets for 1.10.0 (net6.0 is going out of support). Users upgrading to 1.10.0 and running on net6.0 will fall back to the netstandard2.0 target which uses 4.7.2 with no known vulnerabilities. We could hot-patch older versions, but this vulnerability deals with de-serialization of untrusted user input which we don't do in the components using STJ. Treating this as a low severity issue where a hot-patch is not needed. If this changes or new information comes to light we can do a patch, just not planning to do one at this time.

Today:

1.9.0 stable:

| Target | Direct reference(s) | Framework reference | Version | Vulnerable | Notes |
|---|---|---|---|---|---|
| net462 | System.Text.Encodings.Web & System.Text.Json | | v4.7.2 | No | |
| netstandard2.0 | System.Text.Encodings.Web & System.Text.Json | | v4.7.2 | No | |
| net6.0 | | System.Text.Json | Runtime version (6.0.0 - 6.0.10) | When <= 6.0.9 | Version depends on patch level of runtime |
| net8.0 | | System.Text.Json | Runtime version (8.0.0 - 8.0.5) | When <= 8.0.4 | Version depends on patch level of runtime |

1.10.0-beta.1:

| Target | Direct reference(s) | Framework reference | Version | Vulnerable | Notes |
|---|---|---|---|---|---|
| net462 | System.Text.Encodings.Web & System.Text.Json | | v4.7.2 | No | |
| netstandard2.0 | System.Text.Encodings.Web & System.Text.Json | | v4.7.2 | No | |
| net8.0 | | System.Text.Json | Runtime version (8.0.0 - 8.0.5) | When <= 8.0.4 | Version depends on patch level of runtime |
| net9.0 | | System.Text.Json | Runtime version (9.0.0) | No | No patches yet for .NET 9 |

Going forward:

1.9.0 stable:

No hot patch currently planned. The vulnerability is about deserialization of untrusted input which neither ConsoleExporter nor ZipkinExporter is susceptible to. I'm approaching this as a low severity issue. If we determine there is a higher severity we will do a hot patch for 1.9.0, possibly other releases.

Next release of 1.10.0:

| Target | Direct reference(s) | Framework reference | Version | Vulnerable | Notes |
|---|---|---|---|---|---|
| net462 | System.Text.Encodings.Web & System.Text.Json | | v4.7.2 | No | |
| netstandard2.0 | System.Text.Encodings.Web & System.Text.Json | | v4.7.2 | No | |
| net8.0 | System.Text.Json | | v8.0.5 | No | |
| net9.0 | | System.Text.Json | Runtime version (9.0.0) | No | No patches yet for .NET 9 |

Merge requirement checklist

  • CONTRIBUTING guidelines followed (license requirements, nullable enabled, static analysis, etc.)
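
A small check that encodes the exposure rules from the tables above (STJ older than 6.0.10 on net6.0 or older than 8.0.5 on net8.0 is affected; the 4.7.2 package and the .NET 9 runtime are not), applied per target framework to a csproj. This is an added example, not code from the PR or the OpenTelemetry repo; `analyze_csproj`, `stj_exposure` and the sample project are constructed for illustration, and the Condition handling is a substring match on `'tfm'`, not a full MSBuild condition evaluator.

```python
import xml.etree.ElementTree as ET

# Fixed System.Text.Json versions from the PR tables; anything older is affected.
FIXED_STJ = {"net6.0": (6, 0, 10), "net8.0": (8, 0, 5)}

def parse_version(text):
    return tuple(int(p) for p in text.lstrip("v").split("."))

def stj_exposure(tfm, direct_ref=None, runtime_version=None):
    """Classify one TFM: direct_ref is a PackageReference version, runtime_version the
    installed runtime's patch level when STJ is supplied by the framework."""
    family = tfm.split("-")[0]  # net8.0-windows -> net8.0
    if family not in FIXED_STJ:
        # Outside the PR's affected set: the 4.7.2 package (net462/netstandard2.0) or .NET 9.
        src = f"direct reference {direct_ref}" if direct_ref else f"runtime {runtime_version}"
        return False, f"{src}, no known vulnerability per the PR"
    fixed = FIXED_STJ[family]
    if direct_ref is not None:
        return parse_version(direct_ref) < fixed, f"direct reference {direct_ref}, fixed in {'.'.join(map(str, fixed))}"
    if runtime_version is None:
        return True, "framework reference, version depends on runtime patch level (unknown)"
    return parse_version(runtime_version) < fixed, f"framework reference, runtime {runtime_version}"

def analyze_csproj(xml_text, runtime_versions=None):
    """Map each TFM in the csproj to (vulnerable, reason), honouring per-TFM Condition attributes."""
    runtime_versions = runtime_versions or {}
    root = ET.fromstring(xml_text)
    tfms = [t for node in root.iter("TargetFrameworks") for t in node.text.split(";") if t]
    direct = {}
    for group in root.iter("ItemGroup"):
        for ref in group.findall("PackageReference"):
            if ref.get("Include") != "System.Text.Json":
                continue
            cond = (group.get("Condition") or "") + (ref.get("Condition") or "")
            for tfm in tfms:
                if not cond or f"'{tfm}'" in cond:  # unconditional refs apply to every TFM
                    direct[tfm] = ref.get("Version")
    return {tfm: stj_exposure(tfm, direct.get(tfm), runtime_versions.get(tfm)) for tfm in tfms}

# Constructed sample project (not from the repo) with the net8.0 reference still at 8.0.4.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFrameworks>netstandard2.0;net8.0;net9.0</TargetFrameworks></PropertyGroup>
  <ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0'">
    <PackageReference Include="System.Text.Json" Version="4.7.2" />
  </ItemGroup>
  <ItemGroup Condition="'$(TargetFramework)' == 'net8.0'">
    <PackageReference Include="System.Text.Json" Version="8.0.4" />
  </ItemGroup>
</Project>"""
```

Running `analyze_csproj(SAMPLE_CSPROJ, {"net9.0": "9.0.0"})` flags only net8.0; a framework-supplied STJ with no runtime version given is reported as exposed, mirroring the "version depends on patch level of runtime" rows.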

@CodeBlanch CodeBlanch requested a review from a team as a code owner October 8, 2024 18:50
@github-actions github-actions Bot added the labels infra, dependencies, pkg:OpenTelemetry.Exporter.Console and pkg:OpenTelemetry.Exporter.Zipkin Oct 8, 2024
@codecov

codecov Bot commented Oct 8, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 86.41%. Comparing base (6250307) to head (d8ba817).
Report is 342 commits behind head on main.


@CodeBlanch CodeBlanch merged commit 9b08508 into open-telemetry:main Oct 8, 2024
@CodeBlanch CodeBlanch deleted the repo-mitigate-stj-net8-2 branch October 8, 2024 19:45