Wrong System.Text.Json dependency in dotnet-watch

[fmulero]

Description

The dotnet-watch module available in the latest SDK releases published for version 6 and 8 the download page seems to use an old System.Text.Json version.

How to reproduce it

$ wget -q https://dotnetcli.azureedge.net/dotnet/Sdk/6.0.427/dotnet-sdk-6.0.427-linux-x64.tar.gz
$ mkdir dotnet-sdk
$ tar -xzf dotnet-sdk-6.0.427-linux-x64.tar.gz -C dotnet-sdk
$ grep -r "System.Text.Json/6.0.0" dotnet-sdk
dotnet-sdk/sdk/6.0.427/DotnetTools/dotnet-watch/6.0.427-servicing.24468.28/tools/net6.0/any/dotnet-watch.deps.json:      "System.Text.Json/6.0.0": {
dotnet-sdk/sdk/6.0.427/DotnetTools/dotnet-watch/6.0.427-servicing.24468.28/tools/net6.0/any/dotnet-watch.deps.json:    "System.Text.Json/6.0.0": {
dotnet-sdk/sdk/6.0.427/dotnet-watch.deps.json:      "System.Text.Json/6.0.0": {
dotnet-sdk/sdk/6.0.427/dotnet-watch.deps.json:    "System.Text.Json/6.0.0": {

Additional info

MSBuild and other modules are using version 6.0.10. This is probably related with CVE-2024-43485

[marcpopMSFT]

Thanks for reporting this. Unfortunately, this came too late for the November release and .NET 6 is now out of support. Note that the 6.0.0 version only shows up in the deps.json but is not installed. Instead, watch will use the version from the shared framework when it runs so this is a known class of false positives.