I published a .NET Standard 2.0.3 library. The library has a dependency on Microsoft.AspNetCore.SignalR.Common (7.0.5), and that package uses Microsoft.Extensions.Options (7.0.1).
Another developer used this library in a .NET Framework 4.7.2 project. That project contained the following reference defined in packages.config:
<package id="Microsoft.Extensions.Options" version="6.0.0" targetFramework="net472" />
They installed the NuGet package with Lowest for dependency behavior and Prompt for File Conflict action.
They encountered a runtime error when they reached code that made use of Microsoft.Extensions.Options. They resolved this exception by updating the package in the solution to match the version in the NuGet package.
I was surprised by this because I expected npm to look after the dependencies. Why did it happen?