Quantcast
Channel: Active questions tagged nuget-package - Stack Overflow
Viewing all articles
Browse latest Browse all 3067

Set NuGet package versions of runtime components, to prevent vulnerable dependencies?

$
0
0

In order to prevent vulnerable, transitive dependencies, I added guard versions to the Directory.Packages.props file, used for Central Package Management (CPM) in Visual Studio 2022. Transitive pinning is enabled, of course:

<ItemGroup><!-- Minimum versions everywhere, preventing vulnerable dependencies --><!-- CVE-2024-32655 in <=6.0.10/8.0.2; can be removed when >=6.0.11/8.0.3 in all dependencies. --><PackageVersion Include="Npgsql" Version="8.0.3" /><!-- now also vulnerable, => 8.0.1, but not actual part of the .NET runtime. --><!-- Name is misleading! --><PackageVersion Include="System.Runtime.Caching" Version="8.0.0" /><!--CVE-2024-30105 --><!-- Part of .NET runtime since NET 8, 8.0.4 now also vulnerable. --><PackageVersion Include="System.Text.Json" Version="8.0.4" /></ItemGroup>

Now, the System.Text.Json package version 8.0.4 has got another vulnerability and should be updated to 8.0.5.

I also noticed that System.Text.Json is now part of the .NET runtime (I think since .NET 8 Edit: No, already NET Core 3.x).

  1. Specifying a PackageVersion no longer makes the build deliver a System.Text.Json.dll, so is the version now ignored?

  2. I get a warning, both in Visual Studio and in later vulnerability scans, when I specify the package with version 8.0.4. But as I see, under .NET 8, it solely depends on the runtime version, so I suppose the warning is just in case that older .NET versions are used (which aren't). Correct?

  3. After removing the PackageVersion, the vulnerable version 8.0.4 still appears as a dependency of a 3rd party component, but without warning. Is this due to an outdated runtime on my DEV machine, and no issue if the application runs under an up-to-date runtime?

  4. And a last question: If it's best to not set PackageVersion for runtime components, how can I quickly find out which components have moved to the runtime, which weren't there in NET 5 and 6?


Viewing all articles
Browse latest Browse all 3067

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>