when is the Newtonsoft v10.0.2 going to be updated in Microsoft.Azure.Cosmos v3.42. this version of newtonsoft has security vulnerabilities

Scott F 0 Reputation points
2024-08-23T17:34:09.5333333+00:00

it's simple:

when is the Newtonsoft v10.0.2 going to be updated in Microsoft.Azure.Cosmos v3.42. this version of newtonsoft has security vulnerabilities and I cannot find any information on when this Newtonsoft vulnerability will be addressed?

https://www.nuget.org/packages/Microsoft.Azure.Cosmos#dependencies-body-tab
https://www.nuget.org/packages/Newtonsoft.Json/10.0.2

Azure Cosmos DB

2 answers

Sort by: Most helpful
  1. Bruce (SqlWork.com) 64,161 Reputation points
    2024-08-23T17:44:57.3666667+00:00

    the cosmos nuget package only specifies the minimum required version of newtonsoft. in your actual application that uses the cosmos db package, you can explicitly use a later version of newtonsoft. if the newtonsoft is an implicit dependency, then just add a package reference to newtonsoft which is the version you want.

    note: this is true of most nuget packages. they just specify a min version. in your build you specify the actual version. you might be interested in this approach to handling implicit dependencies.

    https://video2.skills-academy.com/en-us/nuget/consume-packages/central-package-management

    0 comments

  2. Michael Taylor 53,726 Reputation points
    2024-08-23T18:01:59.04+00:00

    This is a question for that team. You can get to their support section here.

    In the interim you can take an explicit dependency on Newtonsoft and update it to a non-vulnerable version. This is how you work around these kinds of issues until package developers update their code. In Visual Studio you can do this easily by going to the project that is impacted, select the installed packages and then the option to show vulnerabilities. Transient dependencies are listed as well so you can select the vulnerable dependency and update it to a newer version. This resolves the issue but does add an explicit dependency that you'll need to remove at some point in the future.

    0 comments
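Both answers describe the same workaround: add a direct PackageReference to Newtonsoft.Json so it overrides the minimum version that Microsoft.Azure.Cosmos declares transitively. As an added example (not code from either answer or from the Cosmos team), a project file that does this and also turns NuGet's vulnerability audit into a build error so a future downgrade is caught; the project layout, the net8.0 target and the 13.0.3 Newtonsoft.Json version are assumptions, not values from the page:

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
    <!-- Assumption: SDK 8.0.100 or newer, where NuGet audit is available.
         "all" also checks transitive packages, not only direct references. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <!-- NU1901..NU1904 are the audit warnings (low..critical); fail the build on any of them. -->
    <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Cosmos only sets a floor (>= 10.0.2) for Newtonsoft.Json; version from the question. -->
    <PackageReference Include="Microsoft.Azure.Cosmos" Version="3.42.0" />
    <!-- A direct reference wins over the transitive floor. 13.0.3 is an assumed
         non-vulnerable version; use whichever version the advisory lists as fixed.
         Remove this line once the Cosmos package raises its own minimum. -->
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>

</Project>
```

`dotnet list package --vulnerable --include-transitive` is the CLI counterpart of the Visual Studio view described above and confirms that the resolved Newtonsoft.Json version is the pinned one rather than 10.0.2.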
