Update Hangfire.Core to 1.8.20 to fix CVE-2024-21907

[DanielMcAssey]

Package

Sentry.Hangfire

.NET Flavor

.NET

.NET Version

9.0.7

OS

Any (not platform specific)

OS Version

No response

Development Environment

Visual Studio v17.x

SDK Version

5.16.0

Self-Hosted Sentry Version

No response

Workload Versions

Hangfire.Core is affected by CVE-2024-21907 through their Newtonsoft.Json dependency, it has been fixed in later Hangfire.Core versions, such as 1.18.20

UseSentry or SentrySdk.Init call

N/A

Steps to Reproduce

N/A

Expected Result

Non-vulnerable version

Actual Result

Vulnerable version

[linear]

NET-489

[bruno-garcia]

@DanielMcAssey packages that take other packages as dependency are incentivize to depend on 'older' versions so that they are more compatible with different apps. For example, by not introducing diamond dependencies.

The final app can add specific versions of what is transient dependency by pinning that version.

So for example in this case, we don't expect that you take Hangfire as a dependency into your app through Sentry. You probably already had Hangfire directly as a dependency before adding Sentry. And in that case, you can pin that to the latest version of hangfire, and Sentry will(should) work fine with that.

That said, @jamescrosswell since we're working on a major version, it's a good time to bump the lowest supported version

[Flash0ver]

Not sure if I get that right, but even the latest Hangfire.Core 1.8.22 depends on vulnerable versions of Newtonsoft.Json.

[Flash0ver]

Oh ... I see ...
GHSA-5crp-9r3c-p9vr was fixed via HangfireIO/Hangfire@bc48bae in v1.8.16, while still depending on the (technically) vulnerable version.