I am looking for some clarification on why a "no dependencies" NuGet package upgrade in 1 project in a solution is triggering multiple .config file changes across the entire solution.
Due to a vulnerability scan, I have been asked to upgrade ICSharpCode.SharpZipLib version 0.86. I chose version 1.3.3 because it is the latest version that states there are no dependencies. However, after the upgrade, all of the app.config and web.config files are showing changes to several Microsoft.Extensions bindings, including .DependencyInjection.Abstractions, .Options, .Logging.Abstractions, .Logging, and .Configuration. In what appears to be all cases, the binding redirects jumped from 2.0.0 to 2.1.1 (Configuration was added in some cases).
This is a solution from 2007, encompassing 150~ projects including websites, Windows services, and WCF, all using a variety of .NET Framework from 3.5, mostly in 4.7.2, a few in .NET 8.1, and .NET Standard 2. As far as I can tell, only 1 website uses this ICSharpCode.SharpZipLib library (at least according to the 'Manage NuGet Packages for this solution' feature), but the binding redirect was already existing in all the .config files.
I have tried package 1.0.0 (explicitly supports .NET Standard 2) as well as 1.3.3 (explicitly supports .NET Standard 2 and 2.1), and both want to version bump the config files to 2.1.1.
Any ideas what's going on here? Is it safe to undo all the config files except for the one website that uses it? Is this some kind of "special" DLL that needs to be included as a binding redirect, even in projects that don't use it?
