Update dependecies getting flagged for vulnerabilities. (#115)

Author: StephenMolloy

src/CosmosDBSessionStateProviderAsync/Microsoft.AspNet.SessionState.CosmosDBSessionStateProviderAsync.csproj

@@ -90,10 +90,28 @@
   </ItemGroup>
   <ItemGroup>
     <PackageReference Include="Microsoft.Azure.Cosmos">
-      <Version>3.23.0</Version>
+      <Version>3.46.1</Version>
+    </PackageReference>
+    <!--
+         We do NOT depend directly on JSON.Net - MS.Azure.Cosmos does.
+         Current versions still have not moved fully to Sys.Text.Json. :/
+         This direct reference forces a currently not-vulnerable JSON.Net,
+           since MS.Azure.Cosmos isn't doing this for us. :/
+         Also NOTE: We do not currently include JSON.Net as a dependency
+           in our own nuspec, since we don't directly depend on it. This
+           is the same confusing approach MS.Azure.Cosmos has taken. It
+           is left up to consumers to take a similar approach as we have
+           here - or to force an updated reference to a newwer MS.Azure.Cosmos
+           when a version of that package is released with no JSON.Net
+           dependency. (They currently have an msbuild error included in
+           their package to check for JSON.Net and make noise if missing.
+           https://github.com/Azure/azure-cosmos-dotnet-v3/issues/4900#issuecomment-2616909747)
+    -->
+    <PackageReference Include="Newtonsoft.Json">
+      <Version>13.0.1</Version>
     </PackageReference>
     <PackageReference Include="System.Text.Json">
-      <Version>7.0.0</Version>
+      <Version>8.0.5</Version>
     </PackageReference>
   </ItemGroup>
   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />

src/SqlSessionStateProviderAsync/Microsoft.AspNet.SessionState.SqlSessionStateProviderAsync.csproj

@@ -93,7 +93,7 @@
   </ItemGroup>
   <ItemGroup>
     <PackageReference Include="Microsoft.Data.SqlClient">
-      <Version>5.0.0</Version>
+      <Version>5.1.6</Version>
     </PackageReference>
   </ItemGroup>
   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />

test/Microsoft.AspNet.SessionState.CosmosDBSessionStateProviderAsync.Test/Microsoft.AspNet.SessionState.CosmosDBSessionStateProviderAsync.Test.csproj

@@ -97,7 +97,7 @@
       <Version>4.7.137</Version>
     </PackageReference>
     <PackageReference Include="System.Text.Json">
-      <Version>7.0.0</Version>
+      <Version>8.0.5</Version>
     </PackageReference>
     <PackageReference Include="xunit">
       <Version>2.4.2</Version>

tools/CosmosDBSessionStateProviderAsync.settings.targets

@@ -9,8 +9,8 @@
 
   <PropertyGroup Label="NuGet package dependencies">
     <SessionStateModuleNuGetPackageVersion>2.0.0</SessionStateModuleNuGetPackageVersion>
-    <CosmosNuGetPackageVersion>3.23.0</CosmosNuGetPackageVersion>
-    <SystemTextJsonPackageVersion>7.0.0</SystemTextJsonPackageVersion>
+    <CosmosNuGetPackageVersion>3.46.1</CosmosNuGetPackageVersion>
+    <SystemTextJsonPackageVersion>8.0.5</SystemTextJsonPackageVersion>
   </PropertyGroup>
 
   <Import Project="MicrosoftAspNetSessionState.settings.targets" />

tools/SqlSessionStateProviderAsync.settings.targets

@@ -9,7 +9,7 @@
 
   <PropertyGroup Label="NuGet package dependencies">
     <SessionStateModuleNuGetPackageVersion>2.0.0</SessionStateModuleNuGetPackageVersion>
-    <MicrosoftDataSqlClientPackageVersion>5.0.0</MicrosoftDataSqlClientPackageVersion>
+    <MicrosoftDataSqlClientPackageVersion>5.1.6</MicrosoftDataSqlClientPackageVersion>
   </PropertyGroup>
 
   <Import Project="MicrosoftAspNetSessionState.settings.targets" />