How to upgrade Newtonsoft.JSON dependency in your VAF projects

Hi community, 

You have probably noticed that the version of Newtonsoft.JSON which M-Files uses in its VAF implementation (even the latest one, 2.3.x) has certain vulnerabilities (version 10.0.3).

I found a way to update it and would like to share it with you in case you need to address vulnerabilities quickly (as in my case):

  1. Update your project from package.config to package references. M-Files is based on .NET Framework and this can be done easily with the latest VS 2022 (here is some info). This will remove package.config and assign dependencies directly to the project. You can unload the project and check the project file. Sometimes old package references stay in the project, so delete those.
  2. Now you can use NuGet Package Manager and update Newtonsoft.JSON to the latest version. Package references deal better with transient dependencies (which is what Newtonsoft.JSON actually is in this case), so you can update those dependencies without clashing with MFiles.VAF.
  3. To be able to use the new dependency at runtime, you need to update your project to use AutoGenerateBindingRedirects. Just unload your project and place the following in the first <PropertyGroup>: <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
  4. The last step is an additional app.config file in your project which provides info about assembly binding. VAF will search for the older Newtonsoft.JSON, so you need to point it to the latest version you will have in your package. Be sure to copy this config to the release/debug folders:

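        <?xml version="1.0" encoding="utf-8" ?>
        <configuration>
          <runtime>
            <!-- The xmlns is required; without it the runtime ignores the redirect. -->
            <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
              <dependentAssembly>
                <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral"/>
                <!-- Redirect every older reference (VAF's included) to the version shipped in the package. -->
                <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0"/>
              </dependentAssembly>
            </assemblyBinding>
          </runtime>
        </configuration>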

Now when you build your VAF project, you can check that you have the latest Newtonsoft.JSON.

I've tested this approach with some of our VAF applications and it works very well. However, do this in a separate branch and dev environment, and do regression tests on your VAF to be completely sure that there are no side effects.

Hope it helps further.

Best,

Dejan
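
A check for the app.config from step 4, added here as an example that is not part of the original post or of M-Files' own tooling: it confirms that the binding redirect is in a form the .NET Framework binder honours, that its range covers the assembly version the older reference asks for, and that it targets the version you ship. The function name, the sample configs and the `10.0.0.0` assembly version assumed for the 10.0.3 package are this example's own.

```python
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:asm.v1}"  # namespace the .NET Framework binder requires

def _ver(text):
    return tuple(int(part) for part in text.strip().split("."))

def check_redirect(config_xml, assembly, referenced, shipped):
    """Return a list of problems; an empty list means `referenced` binds to `shipped`."""
    root = ET.fromstring(config_xml)
    runtime = root.find("runtime") if root.tag == "configuration" else None
    if runtime is None:
        return ["expected <configuration><runtime>, found root <%s>" % root.tag]
    bindings = runtime.findall(NS + "assemblyBinding")
    if not bindings:
        if runtime.find("assemblyBinding") is not None:
            return ["<assemblyBinding> has no asm.v1 xmlns, so the redirect is ignored"]
        return ["no <assemblyBinding> element"]
    for dep in (d for b in bindings for d in b.findall(NS + "dependentAssembly")):
        ident, redirect = dep.find(NS + "assemblyIdentity"), dep.find(NS + "bindingRedirect")
        if ident is None or redirect is None:
            continue
        if ident.get("name", "").lower() != assembly.lower():
            continue
        old, new = redirect.get("oldVersion", "0.0.0.0"), redirect.get("newVersion", "0.0.0.0")
        low, _, high = old.partition("-")
        problems = []
        if not _ver(low) <= _ver(referenced) <= _ver(high or low):
            problems.append("oldVersion %s does not cover %s" % (old, referenced))
        if _ver(new) != _ver(shipped):
            problems.append("newVersion %s is not the shipped %s" % (new, shipped))
        return problems
    return ["no bindingRedirect for %s" % assembly]

# Constructed sample configs (not taken from any real project).
TEMPLATE = """<configuration><runtime><assemblyBinding{ns}><dependentAssembly>
  <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral"/>
  <bindingRedirect oldVersion="{old}" newVersion="13.0.0.0"/>
</dependentAssembly></assemblyBinding></runtime></configuration>"""
ASM_V1 = ' xmlns="urn:schemas-microsoft-com:asm.v1"'
GOOD = TEMPLATE.format(ns=ASM_V1, old="0.0.0.0-13.0.0.0")
NO_XMLNS = TEMPLATE.format(ns="", old="0.0.0.0-13.0.0.0")
NARROW = TEMPLATE.format(ns=ASM_V1, old="11.0.0.0-13.0.0.0")

if __name__ == "__main__":
    for name, cfg in [("GOOD", GOOD), ("NO_XMLNS", NO_XMLNS), ("NARROW", NARROW)]:
        # Assumption: 10.0.0.0 is the assembly version of the 10.0.3 package.
        print(name, check_redirect(cfg, "Newtonsoft.Json", "10.0.0.0", "13.0.0.0"))
```

Run it against the `.config` file that actually lands next to the built DLLs, since that copy is the one the runtime reads.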

  • any input on this?

    I have tested it myself, and apps seem to install ok.

  • I have not tested it myself (I am travelling).

    I do recall that there is a (nuget, not us) issue when moving between packages.config and package reference whereby the nuget version restrictions are not adhered to, which is what is happening here (nuget should not allow step 2 as it goes against the package constraints). I seem to recall that using a native package reference project (e.g. the new VS templates that I'll release next month) does not have this issue, so it is possible that this will not be possible with the upcoming releases. That said: I do not have my laptop at this moment to test.

    One thing I would do is check whether the task processors work with this approach, specifically using the job.update method. I seem to recall this was one way in which previous efforts failed, as the typing in the method signature didn't then match. 

  • Hi Craig,

    I have 2 task processor projects (recurring interval tasks) using MFiles.Extension that work well. However, they both use the job.commited method. Everything is upgraded to version 2.3.

    Best,

    Dejan