From 541300e58dded5fc4e49666922166dfd7b5ed453 Mon Sep 17 00:00:00 2001
From: Paul Medynski <31868385+paulmedynski@users.noreply.github.com>
Date: Mon, 9 Jun 2025 06:29:01 -0300
Subject: [PATCH 1/3] User Story 37675: Fix Wave Analysis issues

- Updated .NET to explicitly use System.Text.Json 8.0.5 or 9.0.5 to avoid transitive vulnerabilities.
- Sorted PackageReference entries alphabetically by package name.
- Updated test tools to use Microsoft.SqlServer.SqlManagementObjects 172.76.0 to avoid transitive vulnerabilities.
- Updated .NET Framework project to build on Linux.
---
 .../ref/Microsoft.Data.SqlClient.csproj       | 11 ++++---
 .../src/Microsoft.Data.SqlClient.csproj       | 18 +++++-----
 .../netfx/ref/Microsoft.Data.SqlClient.csproj | 12 +++----
 .../netfx/src/Microsoft.Data.SqlClient.csproj | 33 +++++++------------
 ...tadataFactory.cs => SqlMetaDataFactory.cs} |  0
 ...crosoft.Data.SqlClient.ExtUtilities.csproj |  1 +
 tools/specs/Microsoft.Data.SqlClient.nuspec   |  3 ++
 7 files changed, 38 insertions(+), 40 deletions(-)
 rename src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/{SqlMetadataFactory.cs => SqlMetaDataFactory.cs} (100%)

diff --git a/src/Microsoft.Data.SqlClient/netcore/ref/Microsoft.Data.SqlClient.csproj b/src/Microsoft.Data.SqlClient/netcore/ref/Microsoft.Data.SqlClient.csproj
index 8da5503146..60eff24c1c 100644
--- a/src/Microsoft.Data.SqlClient/netcore/ref/Microsoft.Data.SqlClient.csproj
+++ b/src/Microsoft.Data.SqlClient/netcore/ref/Microsoft.Data.SqlClient.csproj
@@ -32,15 +32,18 @@
     <Compile Include="..\..\ref\Microsoft.Data.SqlClient.Batch.NetCoreApp.cs" />
   </ItemGroup>
   <ItemGroup>
+    <PackageReference Include="Azure.Identity" />
+    <PackageReference Include="Microsoft.Bcl.Cryptography" />
     <PackageReference Include="Microsoft.Data.SqlClient.SNI.runtime" />
     <PackageReference Include="Microsoft.Extensions.Caching.Memory" />
-    <PackageReference Include="Microsoft.SqlServer.Server" />
-    <PackageReference Include="Azure.Identity" />
-    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" />
     <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" />
+    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" />
+    <PackageReference Include="Microsoft.SqlServer.Server" />
     <PackageReference Include="System.Configuration.ConfigurationManager" />
     <PackageReference Include="System.Security.Cryptography.Pkcs" />
-    <PackageReference Include="Microsoft.Bcl.Cryptography" />
+
+    <!-- Transitive dependencies that would otherwise bring in older, vulnerable versions. -->
+    <PackageReference Include="System.Text.Json" />
   </ItemGroup>
    
   <Import Project="$(ToolsDir)targets\ResolveContract.targets" Condition="'$(OSGroup)' == 'AnyOS' AND '$(TargetGroup)' != 'netcoreapp'" />
diff --git a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft.Data.SqlClient.csproj b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft.Data.SqlClient.csproj
index e05ea74f8b..00fee9bef7 100644
--- a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft.Data.SqlClient.csproj
+++ b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft.Data.SqlClient.csproj
@@ -663,8 +663,8 @@
     <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlClient\SqlInternalTransaction.cs">
       <Link>Microsoft\Data\SqlClient\SqlInternalTransaction.cs</Link>
     </Compile>
-    <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlClient\SqlMetadataFactory.cs">
-      <Link>Microsoft\Data\SqlClient\SqlMetadataFactory.cs</Link>
+    <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlClient\SqlMetaDataFactory.cs">
+      <Link>Microsoft\Data\SqlClient\SqlMetaDataFactory.cs</Link>
     </Compile>
     <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlClient\SqlNotificationEventArgs.cs">
       <Link>Microsoft\Data\SqlClient\SqlNotificationEventArgs.cs</Link>
@@ -1036,18 +1036,20 @@
   </ItemGroup>
   <!-- Package References Etc -->
   <ItemGroup>
+    <PackageReference Include="Azure.Identity" />
+    <PackageReference Include="Microsoft.Bcl.Cryptography" />
     <PackageReference Include="Microsoft.Data.SqlClient.SNI.runtime" />
     <PackageReference Include="Microsoft.Extensions.Caching.Memory" />
-    <!-- Enable the project reference for debugging purposes. -->
-    <!-- <ProjectReference Include="$(SqlServerSourceCode)\Microsoft.SqlServer.Server.csproj" /> -->
-    <PackageReference Include="Microsoft.SqlServer.Server" />
-    <PackageReference Include="Azure.Identity" />
-    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" />
     <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" />
+    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" />
+    <PackageReference Include="Microsoft.SqlServer.Server" />
     <PackageReference Include="System.Configuration.ConfigurationManager" />
     <PackageReference Include="System.Security.Cryptography.Pkcs" />
-    <PackageReference Include="Microsoft.Bcl.Cryptography" />
+
+    <!-- Transitive dependencies that would otherwise bring in older, vulnerable versions. -->
+    <PackageReference Include="System.Text.Json" Version="$(SystemTextJsonVersion)" />
   </ItemGroup>
+
   <Import Project="$(ToolsDir)targets\GenerateThisAssemblyCs.targets" />
   <Import Project="$(ToolsDir)targets\ResolveContract.targets" Condition="'$(OSGroup)' == 'AnyOS'" />
   <Import Project="$(ToolsDir)targets\NotSupported.targets" Condition="'$(OSGroup)' == 'AnyOS'" />
diff --git a/src/Microsoft.Data.SqlClient/netfx/ref/Microsoft.Data.SqlClient.csproj b/src/Microsoft.Data.SqlClient/netfx/ref/Microsoft.Data.SqlClient.csproj
index 8a52093f11..6b507b5a0a 100644
--- a/src/Microsoft.Data.SqlClient/netfx/ref/Microsoft.Data.SqlClient.csproj
+++ b/src/Microsoft.Data.SqlClient/netfx/ref/Microsoft.Data.SqlClient.csproj
@@ -32,20 +32,20 @@
     <Reference Include="System.Transactions" />
   </ItemGroup>
   <ItemGroup>
-    <PackageReference Include="Microsoft.Extensions.Caching.Memory" />
-    <PackageReference Include="System.Text.Encodings.Web" />
+    <PackageReference Include="Azure.Identity" />
+    <PackageReference Include="Microsoft.Bcl.Cryptography" />
     <PackageReference Include="Microsoft.Data.SqlClient.SNI">
       <PrivateAssets>All</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
-    <PackageReference Include="Azure.Identity" />
-    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" />
+    <PackageReference Include="Microsoft.Extensions.Caching.Memory" />
     <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" />
+    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" />
     <PackageReference Include="System.Buffers" />
-    <PackageReference Include="System.Text.Json" />
     <PackageReference Include="System.Data.Common" />
     <PackageReference Include="System.Security.Cryptography.Pkcs" />
-    <PackageReference Include="Microsoft.Bcl.Cryptography" />
+    <PackageReference Include="System.Text.Encodings.Web" />
+    <PackageReference Include="System.Text.Json" />
   </ItemGroup>
   <Import Project="$(ToolsDir)targets\TrimDocsForIntelliSense.targets" />
 </Project>
diff --git a/src/Microsoft.Data.SqlClient/netfx/src/Microsoft.Data.SqlClient.csproj b/src/Microsoft.Data.SqlClient/netfx/src/Microsoft.Data.SqlClient.csproj
index ba5bd6b3d3..d439386b1f 100644
--- a/src/Microsoft.Data.SqlClient/netfx/src/Microsoft.Data.SqlClient.csproj
+++ b/src/Microsoft.Data.SqlClient/netfx/src/Microsoft.Data.SqlClient.csproj
@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.Net.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
     <ProjectGuid>{407890AC-9876-4FEF-A6F1-F36A876BAADE}</ProjectGuid>
     <RootNamespace></RootNamespace>
@@ -12,9 +12,6 @@
     <DocumentationFile>$(OutputPath)\Microsoft.Data.SqlClient.xml</DocumentationFile>
     <IntermediateOutputPath>$(ObjPath)$(AssemblyName)\netfx\</IntermediateOutputPath>
     <Product>Framework $(BaseProduct)</Product>
-    <!-- ResolveComReferenceSilent suppresses warnings thrown due to the inclusion of mscoree.
-     We should remove ResolveComReferenceSilent as soon as we can remove the dependency on mscoree. -->
-    <ResolveComReferenceSilent>True</ResolveComReferenceSilent>
     <EnableDefaultCompileItems>false</EnableDefaultCompileItems>
     <ProduceReferenceAssembly>false</ProduceReferenceAssembly>
   </PropertyGroup>
@@ -61,7 +58,10 @@
     <TreatWarningsAsErrors>True</TreatWarningsAsErrors>
     <Utf8Output>True</Utf8Output>
     <ErrorReport>None</ErrorReport>
-    <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
+
+    <!-- This code analysis ruleset only exists with the .NET Framework toolset. -->
+    <CodeAnalysisRuleSet Condition="$(MSBuildRuntimeType) == 'Full'">MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
+
     <BuildProjectReferences>True</BuildProjectReferences>
     <GenerateAssemblyRefs>True</GenerateAssemblyRefs>
     <DefineConstants>$(DefineConstants);USEOFFSET;CODE_ANALYSIS_BASELINE;FEATURE_LEGACYSURFACEAREA;FEATURE_UTF32;FEATURE_UTF7;TRACE;</DefineConstants>
@@ -951,7 +951,7 @@
   </ItemGroup>
   <ItemGroup>
     <Compile Include="Microsoft\Data\Common\ConnectionString\DbConnectionOptions.netfx.cs" />
-    <Compile Include="Microsoft\Data\Common\DbConnectionString.cs" />
+    <Compile Include="Microsoft\Data\Common\DBConnectionString.cs" />
     <Compile Include="Microsoft\Data\SqlClient\SqlBulkCopy.cs" />
     <Compile Include="Microsoft\Data\SqlClient\SqlClientWrapperSmiStream.cs" />
     <Compile Include="Microsoft\Data\SqlClient\SqlClientWrapperSmiStreamChars.cs" />
@@ -1000,29 +1000,18 @@
     </EmbeddedResource>
   </ItemGroup>
   <ItemGroup>
-    <COMReference Include="mscoree">
-      <Guid>{5477469E-83B1-11D2-8B49-00A0C9B7C9C4}</Guid>
-      <VersionMajor>2</VersionMajor>
-      <VersionMinor>4</VersionMinor>
-      <Lcid>0</Lcid>
-      <WrapperTool>tlbimp</WrapperTool>
-      <Isolated>False</Isolated>
-      <EmbedInteropTypes>True</EmbedInteropTypes>
-    </COMReference>
-  </ItemGroup>
-  <ItemGroup>
-    <PackageReference Include="Microsoft.Extensions.Caching.Memory" />
-    <PackageReference Include="System.Text.Encodings.Web" />
+    <PackageReference Include="Azure.Identity" Version="$(AzureIdentityVersion)" />
+    <PackageReference Include="Microsoft.Bcl.Cryptography" Version="$(MicrosoftBclCryptographyVersion)" />
     <PackageReference Include="Microsoft.Data.SqlClient.SNI">
       <PrivateAssets>All</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
-    <PackageReference Include="Azure.Identity" />
-    <PackageReference Include="Microsoft.Bcl.Cryptography" />
-    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" />
+    <PackageReference Include="Microsoft.Extensions.Caching.Memory" />
     <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" />
+    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" />
     <PackageReference Include="System.Buffers" />
     <PackageReference Include="System.Security.Cryptography.Pkcs" />
+    <PackageReference Include="System.Text.Encodings.Web" />
     <PackageReference Include="System.Text.Json" />
   </ItemGroup>
   <Import Project="$(CommonSourceRoot)tools\targets\GenerateResourceStringsSource.targets" />
diff --git a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlMetadataFactory.cs b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlMetaDataFactory.cs
similarity index 100%
rename from src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlMetadataFactory.cs
rename to src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlMetaDataFactory.cs
diff --git a/src/Microsoft.Data.SqlClient/tests/tools/Microsoft.Data.SqlClient.ExtUtilities/Microsoft.Data.SqlClient.ExtUtilities.csproj b/src/Microsoft.Data.SqlClient/tests/tools/Microsoft.Data.SqlClient.ExtUtilities/Microsoft.Data.SqlClient.ExtUtilities.csproj
index a49eef85b1..dd31f7531e 100644
--- a/src/Microsoft.Data.SqlClient/tests/tools/Microsoft.Data.SqlClient.ExtUtilities/Microsoft.Data.SqlClient.ExtUtilities.csproj
+++ b/src/Microsoft.Data.SqlClient/tests/tools/Microsoft.Data.SqlClient.ExtUtilities/Microsoft.Data.SqlClient.ExtUtilities.csproj
@@ -6,6 +6,7 @@
   </PropertyGroup>
   <ItemGroup>
     <PackageReference Include="Microsoft.SqlServer.SqlManagementObjects" />
+
     <ProjectReference Include="../Microsoft.Data.SqlClient.TestUtilities/Microsoft.Data.SqlClient.TestUtilities.csproj" />
   </ItemGroup>
 </Project>
diff --git a/tools/specs/Microsoft.Data.SqlClient.nuspec b/tools/specs/Microsoft.Data.SqlClient.nuspec
index 803d13bc91..0f029b4c19 100644
--- a/tools/specs/Microsoft.Data.SqlClient.nuspec
+++ b/tools/specs/Microsoft.Data.SqlClient.nuspec
@@ -51,6 +51,7 @@
         <dependency id="Microsoft.SqlServer.Server" version="1.0.0" />
         <dependency id="System.Configuration.ConfigurationManager" version="8.0.1" exclude="Compile" />
         <dependency id="System.Security.Cryptography.Pkcs" version="8.0.1" />
+        <dependency id="System.Text.Json" version="8.0.5" />
       </group>
       <group targetFramework="net9.0">
         <dependency id="Azure.Identity" version="1.13.2" />
@@ -62,6 +63,7 @@
         <dependency id="Microsoft.SqlServer.Server" version="1.0.0" />
         <dependency id="System.Configuration.ConfigurationManager" version="9.0.4" exclude="Compile" />
         <dependency id="System.Security.Cryptography.Pkcs" version="9.0.4" />
+        <dependency id="System.Text.Json" version="9.0.5" />
       </group>
       <group targetFramework="netstandard2.0">
         <dependency id="Azure.Identity" version="1.13.2" />
@@ -73,6 +75,7 @@
         <dependency id="Microsoft.SqlServer.Server" version="1.0.0" />
         <dependency id="System.Configuration.ConfigurationManager" version="9.0.4" exclude="Compile" />
         <dependency id="System.Security.Cryptography.Pkcs" version="9.0.4" />
+        <dependency id="System.Text.Json" version="9.0.5" />
       </group>
     </dependencies>
     <frameworkAssemblies>

From df89296b1fb4c1c4c45092509005373f6d44e232 Mon Sep 17 00:00:00 2001
From: Paul Medynski <31868385+paulmedynski@users.noreply.github.com>
Date: Tue, 10 Jun 2025 11:54:52 -0300
Subject: [PATCH 2/3] User Story 37675: Fix Wave Analysis issues

- Added System.Text.Json 9.0.5 to .NET 9.0.
- Fixed System.Formats.Asn1 transitive vulnerability.
---
 src/Directory.Packages.props                       | 13 +++++++------
 .../tests/Directory.Packages.props                 | 14 +++++++++++++-
 .../Microsoft.Data.SqlClient.ExtUtilities.csproj   |  7 +++++++
 3 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/src/Directory.Packages.props b/src/Directory.Packages.props
index 4fff27edae..7d94425123 100644
--- a/src/Directory.Packages.props
+++ b/src/Directory.Packages.props
@@ -8,9 +8,8 @@
         <PackageVersion Include="Microsoft.Data.SqlClient.SNI" Version="6.0.2" />
         <PackageVersion Include="System.Buffers" Version="4.5.1" />
         <PackageVersion Include="System.Memory" Version="4.5.5" />
-        <PackageVersion Include="System.Text.Encodings.Web" Version="8.0.0" />
-        <PackageVersion Include="System.Text.Json" Version="8.0.5" />
         <PackageVersion Include="System.Data.Common" Version="4.3.0" />
+        <PackageVersion Include="System.Text.Encodings.Web" Version="8.0.0" />
     </ItemGroup>
     <!-- NetFx and NetCore project dependencies -->
     <ItemGroup>
@@ -54,15 +53,17 @@
     <ItemGroup Condition="'$(TargetFramework)' == 'net9.0'">
         <PackageVersion Include="Microsoft.Bcl.Cryptography" Version="9.0.5" />
         <PackageVersion Include="Microsoft.Extensions.Caching.Memory" Version="9.0.5" />
-        <PackageVersion Include="System.Security.Cryptography.Pkcs" Version="9.0.5" />
-        <PackageVersion Include="System.Configuration.ConfigurationManager" Version="9.0.5" />
         <PackageVersion Include="Microsoft.Extensions.Hosting" Version="9.0.5" />
+        <PackageVersion Include="System.Configuration.ConfigurationManager" Version="9.0.5" />
+        <PackageVersion Include="System.Security.Cryptography.Pkcs" Version="9.0.5" />
+        <PackageVersion Include="System.Text.Json" Version="9.0.5" />
     </ItemGroup>
     <ItemGroup Condition="'$(TargetFramework)' != 'net9.0'">
         <PackageVersion Include="Microsoft.Bcl.Cryptography" Version="8.0.0" />
         <PackageVersion Include="Microsoft.Extensions.Caching.Memory" Version="8.0.1" />
-        <PackageVersion Include="System.Security.Cryptography.Pkcs" Version="8.0.1" />
-        <PackageVersion Include="System.Configuration.ConfigurationManager" Version="8.0.1" />
         <PackageVersion Include="Microsoft.Extensions.Hosting" Version="8.0.1" />
+        <PackageVersion Include="System.Configuration.ConfigurationManager" Version="8.0.1" />
+        <PackageVersion Include="System.Security.Cryptography.Pkcs" Version="8.0.1" />
+        <PackageVersion Include="System.Text.Json" Version="8.0.5" />
     </ItemGroup>
 </Project>
diff --git a/src/Microsoft.Data.SqlClient/tests/Directory.Packages.props b/src/Microsoft.Data.SqlClient/tests/Directory.Packages.props
index e470bb6dee..db17cb1e48 100644
--- a/src/Microsoft.Data.SqlClient/tests/Directory.Packages.props
+++ b/src/Microsoft.Data.SqlClient/tests/Directory.Packages.props
@@ -1,9 +1,21 @@
 <Project>
   <Import Project="..\..\Directory.Packages.props" />
-  <!-- Test Project Dependencies for NetFx only -->
+
+  <!-- Test Project Dependencies for all targets. -->
+  <ItemGroup>
+    <!--
+      Transitive dependencies with vulnerabilities, so we explicitly ask for
+      non-vulnerable versions.
+    -->
+    <PackageVersion Include="System.Formats.Asn1" Version="6.0.1" />
+  </ItemGroup>
+
+  <!-- Test Project Dependencies for NetFx only. -->
   <ItemGroup Condition="$(TargetFramework.StartsWith('net4'))">
     <PackageVersion Include="Microsoft.NETFramework.ReferenceAssemblies" Version="1.0.3" />
   </ItemGroup>
+
+  <!-- MDS Package Dependency -->
   <ItemGroup Condition="$(ReferenceType) == 'Package'">
     <PackageVersion Include="Microsoft.Data.SqlClient" Version="$(TestMicrosoftDataSqlClientVersion)" />
   </ItemGroup>
diff --git a/src/Microsoft.Data.SqlClient/tests/tools/Microsoft.Data.SqlClient.ExtUtilities/Microsoft.Data.SqlClient.ExtUtilities.csproj b/src/Microsoft.Data.SqlClient/tests/tools/Microsoft.Data.SqlClient.ExtUtilities/Microsoft.Data.SqlClient.ExtUtilities.csproj
index dd31f7531e..cd3ffeb61f 100644
--- a/src/Microsoft.Data.SqlClient/tests/tools/Microsoft.Data.SqlClient.ExtUtilities/Microsoft.Data.SqlClient.ExtUtilities.csproj
+++ b/src/Microsoft.Data.SqlClient/tests/tools/Microsoft.Data.SqlClient.ExtUtilities/Microsoft.Data.SqlClient.ExtUtilities.csproj
@@ -7,6 +7,13 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.SqlServer.SqlManagementObjects" />
 
+    <!--
+      Transitive dependencies with vulnerabilities, so we explicitly ask for
+      non-vulnerable versions.
+    -->
+    <PackageReference Include="System.Formats.Asn1" />
+  </ItemGroup>
+  <ItemGroup>
     <ProjectReference Include="../Microsoft.Data.SqlClient.TestUtilities/Microsoft.Data.SqlClient.TestUtilities.csproj" />
   </ItemGroup>
 </Project>

From e82dd8bf2a5b96abd2cfcd98403092dea5d954c9 Mon Sep 17 00:00:00 2001
From: Paul Medynski <31868385+paulmedynski@users.noreply.github.com>
Date: Tue, 10 Jun 2025 11:59:04 -0300
Subject: [PATCH 3/3] User Story 37675: Fix Wave Analysis issues

- Removed unnecessary PackageReference Version attributes.
---
 .../netcore/src/Microsoft.Data.SqlClient.csproj               | 2 +-
 .../netfx/src/Microsoft.Data.SqlClient.csproj                 | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft.Data.SqlClient.csproj b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft.Data.SqlClient.csproj
index 00fee9bef7..71fde92ffc 100644
--- a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft.Data.SqlClient.csproj
+++ b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft.Data.SqlClient.csproj
@@ -1047,7 +1047,7 @@
     <PackageReference Include="System.Security.Cryptography.Pkcs" />
 
     <!-- Transitive dependencies that would otherwise bring in older, vulnerable versions. -->
-    <PackageReference Include="System.Text.Json" Version="$(SystemTextJsonVersion)" />
+    <PackageReference Include="System.Text.Json" />
   </ItemGroup>
 
   <Import Project="$(ToolsDir)targets\GenerateThisAssemblyCs.targets" />
diff --git a/src/Microsoft.Data.SqlClient/netfx/src/Microsoft.Data.SqlClient.csproj b/src/Microsoft.Data.SqlClient/netfx/src/Microsoft.Data.SqlClient.csproj
index d439386b1f..b301449186 100644
--- a/src/Microsoft.Data.SqlClient/netfx/src/Microsoft.Data.SqlClient.csproj
+++ b/src/Microsoft.Data.SqlClient/netfx/src/Microsoft.Data.SqlClient.csproj
@@ -1000,8 +1000,8 @@
     </EmbeddedResource>
   </ItemGroup>
   <ItemGroup>
-    <PackageReference Include="Azure.Identity" Version="$(AzureIdentityVersion)" />
-    <PackageReference Include="Microsoft.Bcl.Cryptography" Version="$(MicrosoftBclCryptographyVersion)" />
+    <PackageReference Include="Azure.Identity" />
+    <PackageReference Include="Microsoft.Bcl.Cryptography" />
     <PackageReference Include="Microsoft.Data.SqlClient.SNI">
       <PrivateAssets>All</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>