I'm looking into a solution which uses the latest .NET 7.0 framework and has an old NuGet package (let's call it package X) with a dependency on Microsoft.NetCore.App version 1.1.1, which has security vulnerabilities as shown in the screenshots below. In this case, the Microsoft library is only implicitly referenced.
I've searched for documentation or articles that could explain the build behaviour of an implicitly referenced library/package, but no luck so far. Two things I'd like to know:
- Would restoring package X download the Microsoft.NetCore.App library during build?
- Is this a concern, i.e. could the security vulnerabilities compromise the whole solution?

Any confirmation would be highly appreciated. Thanks.
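As an added example (not part of the question above), here is one way to see which directly referenced package pulls a given transitive package into a project: walk the resolved graph in `obj/project.assets.json`, which `dotnet restore` writes. The assets fragment below is constructed to mirror the situation described (a hypothetical `PackageX` depending on `Microsoft.NETCore.App` 1.1.1); the package names and versions are assumptions.

```python
import json

# Constructed minimal obj/project.assets.json (not from the original post):
# "targets" holds the resolved graph, "projectFileDependencyGroups" the
# packages the project references directly.
SAMPLE_ASSETS = json.dumps({
    "version": 3,
    "targets": {
        "net7.0": {
            "PackageX/1.0.0": {"type": "package",
                               "dependencies": {"Microsoft.NETCore.App": "1.1.1"}},
            "Microsoft.NETCore.App/1.1.1": {"type": "package",
                                            "dependencies": {"NETStandard.Library": "1.6.1"}},
            "NETStandard.Library/1.6.1": {"type": "package"},
            "Newtonsoft.Json/13.0.3": {"type": "package"},
        }
    },
    "projectFileDependencyGroups": {
        "net7.0": ["PackageX >= 1.0.0", "Newtonsoft.Json >= 13.0.3"]
    },
})


def dependency_paths(assets_json, framework, wanted):
    """Return every chain from a direct reference down to package id `wanted`
    (case-insensitive) as lists of 'Id/Version' keys; [] if it is not pulled in."""
    data = json.loads(assets_json)
    target = data["targets"][framework]
    by_id = {key.split("/")[0].lower(): key for key in target}  # id -> key
    direct = [d.split()[0] for d in data["projectFileDependencyGroups"][framework]]
    found = []

    def walk(key, path):
        if key.split("/")[0].lower() == wanted.lower():
            found.append(path)
            return
        for dep_id in target[key].get("dependencies", {}):
            dep_key = by_id.get(dep_id.lower())
            if dep_key and dep_key not in path:  # skip cycles
                walk(dep_key, path + [dep_key])

    for pkg in direct:
        if pkg.lower() in by_id:
            walk(by_id[pkg.lower()], [by_id[pkg.lower()]])
    return found


if __name__ == "__main__":
    for chain in dependency_paths(SAMPLE_ASSETS, "net7.0", "Microsoft.NETCore.App"):
        print(" -> ".join(chain))
```

The SDK's own `dotnet list package --include-transitive --vulnerable` reports known-vulnerable transitive packages directly; the script above is useful when you also want the exact chain that introduces one.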