I have a project that requires the System.ServiceModel.Http NuGet package.
That particular package references 6 other packages transitively.
One of the transitive packages has an identified vulnerability (System.Security.Cryptography.Pkcs).
I know I can promote the package to Top-level and then control the version. But my question is, is there any way to update the version of the transitive package without promoting it?