Skip to content

.NET 10 P6 - Libraries #9947

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Jul 9, 2025
Merged

.NET 10 P6 - Libraries #9947

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
c57aa5c
Add period to last sentence in libraries preview6 release notes.
jamesmontemagno Jun 23, 2025
7319168
Merge branch 'dotnet10-p6' into dotnet10-p6-libraries
jamesmontemagno Jul 3, 2025
f06b08d
Update libraries.md
PranavSenthilnathan Jul 3, 2025
efbcd3e
Merge branch 'dotnet10-p6' into dotnet10-p6-libraries
jamesmontemagno Jul 7, 2025
46f24a6
Update libraries.md
PranavSenthilnathan Jul 8, 2025
504b850
Update libraries.md
PranavSenthilnathan Jul 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 55 additions & 3 deletions release-notes/10.0/preview/preview6/libraries.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,64 @@

Here's a summary of what's new in .NET Libraries in this preview release:

- [Feature](#feature)
- [Option to disallow duplicate JSON properties](#option-to-disallow-duplicate-json-properties)
- [Strict JSON serialization options](#strict-json-serialization-options)
- [Post-Quantum Cryptography (PQC)](#post-quantum-cryptography-pqc)

.NET Libraries updates in .NET 10:

- [What's new in .NET 10](https://learn.microsoft.com/dotnet/core/whats-new/dotnet-10/overview) documentation

## Feature
## Option to disallow duplicate JSON properties

Something about the feature
The JSON specification does not specify how to handle duplicate properties when deserializing a JSON payload. This can lead to unexpected results and security vulnerabilities. For example, see https://bishopfox.com/blog/json-interoperability-vulnerabilities and https://nvd.nist.gov/vuln/detail/CVE-2017-12635. This release introduces the `AllowDuplicateProperties` option to disallow duplicate JSON properties:

```csharp
string json = """{ "Value": 1, "Value": -1 }""";
Console.WriteLine(JsonSerializer.Deserialize<MyRecord>(json).Value); // -1

JsonSerializerOptions options = new() { AllowDuplicateProperties = false };
JsonSerializer.Deserialize<MyRecord>(json, options); // throws JsonException
JsonSerializer.Deserialize<JsonObject>(json, options); // throws JsonException
JsonSerializer.Deserialize<Dictionary<string, int>>(json, options); // throws JsonException

JsonDocumentOptions docOptions = new() { AllowDuplicateProperties = false };
JsonDocument.Parse(json, docOptions); // throws JsonException

record MyRecord(int Value);
```

Duplicate detection works by checking if a value is assigned multiple times during deserialization, so it will work with as expected with other options like case-sensitivity and naming policy.

## Strict JSON serialization options

The JSON serializer accepts many options to customize serialization and deserialization, but the defaults may be too relaxed for some applications. This release adds a new `JsonSerializationOptions.Strict` preset which follows best practices by including the following options:

- Applies the `JsonUnmappedMemberHandling.Disallow` policy
- Disables `AllowDuplicateProperties`
- Preserves case sensitive property binding
- Enables both `RespectNullableAnnotations` and `RespectRequiredConstructorParameters` settings

These options are read-compatible with `JsonSerializationOptions.Default` - an object serialized with `JsonSerializationOptions.Default` can be deserialized with `JsonSerializationOptions.Strict`.

## Post-Quantum Cryptography (PQC)

Windows announced Post-Quantum Cryptography support recently in a [blog post](https://techcommunity.microsoft.com/blog/microsoft-security-blog/post-quantum-cryptography-comes-to-windows-insiders-and-linux/4413803) and in this release we have started adding Windows CNG support to .NET. The following code from the previous release notes now also works on Windows versions with PQC:

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

private static bool ValidateMLDsaSignature(ReadOnlySpan<byte> data, ReadOnlySpan<byte> signature, string publicKeyPath)
{
string publicKeyPem = File.ReadAllText(publicKeyPath);

using (MLDsa key = MLDsa.ImportFromPem(publicKeyPem))
{
return key.VerifyData(data, signature);
}
}
```

We are also working on adding downlevel support in Microsoft.Bcl.Cryptography to allow use in .NET Framework. Try out the feature now by installing a Windows Insider build (only available in the Canary Channel at this time).