Update JsonWebTokens and OpenIdConnect vulnerable package references

[micah686]

SqlClient 5.14 currently relies on transient packages that have vulnerabilities.
Microsoft.IdentityModel.JsonWebTokens is being referenced at version 6.24.0, which currently is vulnerable.
Microsoft.IdentityModel.Protocols.OpenIdConnect is being referenced at version 6.24.0, which has a dependency of System.IdentityModel.Tokens.Jwt , which is vulnerable.

Could these packages please be updated to non-vulnerable versions?

[AdaskoTheBeAsT]

in corporate software for checking vulnerabilities in dependencies Mend (previously Whitesource) - in every lib in which I use Microsoft.Data.SqlClient I need to also manually install Azure.Core and now also System.IdentityModel.Tokens.Jwt

will it be possible to introduce in M$ such process that whenever some vulnerability will be found in some package all M$ packages dependant on vulnerable package will be released with new dependency? any ideas how to be safe by design instead of pushing that on shoulders of developers? can M$ libraries use semantic versioning like in nodejs? similar to ^ or ~ prefix? instead of hardcoded strict numbers in dependencies?

[kf-gonzalez]

This issue will be addressed in preview5. Addressed by #2290