[DCR]: nuget downloading transitive dependencies already in the .net SDK

[ChadBH]

NuGet Product(s) Affected

dotnet.exe

Current Behavior

Problem: Nuget downloads transitive dependencies that are part of the .net SDK. No need to download them.

If I create a new .net 6 Azure Function in Visual Studio 2022, and say dotnet restore -v n, I see that NuGet downloads packages that are baked into the .net SDK--they won't ever be used. Examples:

Installed Microsoft.AspNetCore.Http 2.1.0 from https://api.nuget.org/v3/index.json with content hash eAPryjDRH41EYY2sOMHCu+tHXLI6PUN1AsOPKst6GbiIoMi8wJCiPcE4h9418tKje1oUzmMc2Iz8fFPPVamfaw==.
Installed System.Net.Http 4.3.0 from https://api.nuget.org/v3/index.json with content hash sYg+FtILtRQuYWSIAuNOELwVuVsxVyJGWQyOnlAzhV4xvhyFnON1bAzYYC+jjRW8JREM45R0R5Dgi8MTC5sEwA==.
Installed System.Net.Sockets 4.3.0 from https://api.nuget.org/v3/index.json with content hash m6icV6TqQOAdgt5N/9I5KNpjom/5NFtkmGseEH+AK/hny8XrytLH3+b5M8zL/Ycg3fhIocFpUMyl/wpFnVRvdw==.

From nuget.org this is not too much of a problem, but when we have a self-hosted repository that disallows certain versions--like System.Net.Sockets 4.3.0 due to a vulnerability--dotnet restore gives a 404 and errors out. Our app won't ever use that package though. No need to error on failing to download it.

Desired Behavior

Desired behavior is that it doesn't download these transitive dependencies that won't ever be used. Or, if taking the runtime into context is out-of-scope for nuget, a configuration or option to say 'if you can't download a package, just keep going' would be excellent.

Additional Context

No response

[martinrrm]

Hi! Can you please update the title of the issue?

About transitive dependencies, as far as I know, a transitive dependency is an indirect dependency; you depend on something which itself has another dependency that you don’t depend on. Transitive dependencies will be introduced to VS PM UI in a future release so you will be able to manage vulnerable transitive dependencies.

[ChadBH]

Title updated, thanks.

Indeed they are indirect dependencies, but also they do not need to be downloaded as they are built into .net 6. There should be a way to say 'no need to download this, we're going to be using the built in 6.0.0 version.' The downloading of these packages is at least superfluous when nuget.org is the source--in the end the app uses the later versions--but it makes it impossible to use a repository that doesn't host those packages over vulnerability concerns. dotnet restore will error out that these unnecessary packages are NotFound.

Microsoft.NETCore.x, Microsoft.AspNetCore.x, System.Net.x, are examples of transitive dependencies that don't need to be downloaded by nuget.

The only way to get around it is to make PackageReferences to older versions that are available, even though you have no intention of using them. That tricks nuget restore into passing. In some cases you have to add <NoWarn>NU1605</NoWarn> to force a downgrade if the only available version is older than what's being asked for by the parent dependency. This is all a mere formality though, because none of these packages will actually get used in the end. It just gets you around the net restore errors to a working app.

[nkolev92]

Hi @ChadBH,

This is an unfortunate side-effect of the evolution of .NET Core.

Originally the framework was shipped as packages, but that caused a lot of conflicts and servicing issues, so as such in .NET Core 3.x, we completely went away from the approach of distributing the framework as packages.

We have strategically chosen not to allow NuGet to know about platform specific packages, integrate something that's only really useful as a transitional thing and something that wouldn't be a concern a few years later.

The packages themselves are deduped by the SDK when they are used, so there aren't any problems on the usage side.

There is an ask for that in #7344 that you can follow.