[Feature Request] Remove Newtonsoft.Json from MSAL and use System.Text.Json #5056

bgavrilMS · 2025-01-06T21:08:38Z

MSAL client type

Public, Confidential, Managed identity

Problem statement

With MSAL 4.66.0 and below, only the .NET version of MSAL uses System.Text.Json. The rest of the tfms use an internal copy of Newtonsoft.Json

This poses several problems:

Need to keep Newtonsoft.Json up to date, particularly when it has CVEs
If CVE occurs, MSAL is not notified because Newtonsoft is referenced by code not by project.
MSAL needs to dual-stack Newtonsoft and System.Text.Json, which complicates JSON operations and MSAL code
System.Text.Json + source generation is faster

Proposed solution

Reference System.Text.Json version 6.0.11 (this is what other Identity SDKs use).

Alternatives

No response

bgavrilMS added untriaged Do not delete. Needed for Automation needs attention Delete label after triage Feature Request confidential-client and removed untriaged Do not delete. Needed for Automation needs attention Delete label after triage labels Jan 6, 2025

bgavrilMS linked a pull request Jan 6, 2025 that will close this issue

Replace Newtonsoft.Json with System.Text.Json on all TFMs #5057

Draft

4 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Feature Request] Remove Newtonsoft.Json from MSAL and use System.Text.Json #5056

[Feature Request] Remove Newtonsoft.Json from MSAL and use System.Text.Json #5056

bgavrilMS commented Jan 6, 2025

[Feature Request] Remove Newtonsoft.Json from MSAL and use System.Text.Json #5056

[Feature Request] Remove Newtonsoft.Json from MSAL and use System.Text.Json #5056

Comments

bgavrilMS commented Jan 6, 2025

MSAL client type

Problem statement

Proposed solution

Alternatives