Newtonsoft Serializer Upgrade Version 2 to 3

NewtonsoftSerializer obsolete

The NewtonsoftSerializer is obsolete in NServiceBus version 8. It uses TypeNameHandling.Auto as its default value, which can be a security risk because it allows the message payload to control the deserialization target type. See CA2326: Do not use TypeNameHandling values other than None for further details on this vulnerability.

A new serializer, NewtonsoftJsonSerializer, has been introduced. It uses TypeNameHandling.None as its default value.

Instead of:

var serialization = endpointConfiguration.UseSerialization<NewtonsoftSerializer>();

Use:

var serialization = endpointConfiguration.UseSerialization<NewtonsoftJsonSerializer>();

If TypeNameHandling.Auto is required, customize the instance of JsonSerializerSettings used for serialization. See the Json.Net Serializer documentation for more information.

Related Articles

  • Serialization
    Information about how messages are serialized and deserialized on a transport.
  • Upgrade Version 7 to 8
    Instructions on how to upgrade NServiceBus from version 7 to version 8.
