Hi there,
I’m working on a Rhino 8 plugin and ran into an issue related to IdentityModel dependencies.
It appears that Rhino 8 ships with bundled System.IdentityModel.Tokens.Jwt / Microsoft.IdentityModel.* assemblies. When a plugin is built against newer NuGet versions of these packages, Rhino seems to load its bundled versions first, which can result in runtime failures (e.g. TypeLoadException) if the versions don’t match.
I wanted to ask:
Can you confirm whether Rhino 8 loads and effectively locks its bundled IdentityModel assemblies at runtime?
If so, is there a recommended pattern for plugin developers who need to use newer, patched versions of these libraries?
Is there any plan to update these bundled dependencies or make assembly loading more flexible in a future Rhino release?
The reason this matters is that older IdentityModel versions are associated with a known moderate vulnerability (CVE-2024-21319; see "Microsoft Security Advisory CVE-2024-21319: .NET Denial of Service Vulnerability", an advisory in dotnet/aspnetcore on GitHub), and currently the only way to maintain compatibility seems to be pinning to the same older versions Rhino ships with.
Any clarification or guidance would be greatly appreciated.
Best,
Ash
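
A diagnostic for the mismatch described in the post above, as an added example that is not code from the poster or from McNeel: it compares the IdentityModel versions a plugin assembly was compiled against with the copies the host process has actually loaded. It only observes the current process and does not confirm how Rhino resolves assemblies; the class name `IdentityModelLoadCheck` is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

// Added diagnostic (hypothetical helper, not Rhino or plugin code).
public static class IdentityModelLoadCheck
{
    // Assembly names taken from the post.
    private static bool IsIdentityModel(string name) =>
        name.StartsWith("Microsoft.IdentityModel.", StringComparison.OrdinalIgnoreCase) ||
        name.Equals("System.IdentityModel.Tokens.Jwt", StringComparison.OrdinalIgnoreCase);

    // Returns one line per referenced IdentityModel assembly and loaded copy:
    // the version compiled against, the version loaded, and its path on disk.
    public static IReadOnlyList<string> Report(Assembly plugin)
    {
        // Everything already loaded in this process, grouped by simple name.
        // Several entries under one name mean side-by-side copies are present.
        var loaded = AppDomain.CurrentDomain.GetAssemblies()
            .Where(a => IsIdentityModel(a.GetName().Name ?? ""))
            .ToLookup(a => a.GetName().Name, StringComparer.OrdinalIgnoreCase);

        var lines = new List<string>();
        // The compiler records only references the plugin's code actually uses.
        foreach (AssemblyName wanted in plugin.GetReferencedAssemblies()
                     .Where(r => IsIdentityModel(r.Name ?? "")))
        {
            var copies = loaded[wanted.Name].ToList();
            if (copies.Count == 0)
            {
                lines.Add($"{wanted.Name}: references {wanted.Version}, not loaded yet");
                continue;
            }
            foreach (Assembly a in copies)
            {
                Version have = a.GetName().Version;
                // Location throws for dynamic assemblies on .NET Framework.
                string path = a.IsDynamic ? "(dynamic)" : a.Location;
                string verdict = have == wanted.Version ? "match" : "MISMATCH";
                lines.Add($"{wanted.Name}: references {wanted.Version}, " +
                          $"loaded {have} from {path} [{verdict}]");
            }
        }
        return lines;
    }
}
```

Call `IdentityModelLoadCheck.Report(...)` with the plugin's own assembly after the code path that touches JWT types has run, and log the lines; a `MISMATCH` entry whose path points into the host's install directory shows which bundled copy won resolution.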