Warnings about transitive dependency vulnerabilities when using .NET 9 SDK #44929
Comments
Check out the announcement blog post on the dotnet blog for more details, but the move to checking your transitive dependencies is an intended change for .NET 9.
I understand that, but only for dependencies I actually use! Just because a package I use still has an old TFM shouldn't give me warnings if I don't use this TFM. (In my case, it looks like the issue actually comes from AutoFixture. If I upgrade xunit to the latest version and remove AutoFixture, the error disappears. AutoFixture has a netstandard1.5 TFM, and depends on Fare, which has a netstandard1.1 TFM.)
@baronfel please reopen. I suspect you only read the title, which indeed makes it look like it's the intended behavior, but it's not the whole story. I don't think dependencies of TFMs I don't use should be reported as warnings.
Thanks @baronfel. So, is what I'm seeing actually the intended behavior? I can easily reproduce with a small project like this:

```xml
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net9.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="AutoFixture" Version="4.18.1" />
  </ItemGroup>
</Project>
```
The packages still end up being referenced, so NuGet audit will see them and warn about them. NuGet is planning a feature to improve this in NuGet/Home#7344. That will help remove these unused packages from restore completely. To address this you can upgrade the version of You should also let the package owner who brought in this old reference know that you'd prefer they target (or multi-target) newer frameworks so that the old unused dependencies are not brought in. You can use
@ericstj Thanks for the explanation.
That's what I was afraid of. But if it's being addressed, I'll live with it until it's fixed. The package owner is aware of the issue and working on a fix. Thanks! I'll close this for now.
Please note that referencing the updated NETStandard.Library is much better since it avoids downloading 100+ packages.
Yep. Did that. Thanks again!
After installing the .NET 9 SDK, I started seeing warnings about vulnerabilities in some dependencies:
I don't reference these packages explicitly. Using dotnet depends, I figured out the dependency was coming from NETStandard.Library 1.6.1, which I also don't reference (all projects in the solution are currently targeting .NET 8). The packages that depend on NETStandard.Library are xunit packages (xunit.assert, xunit.extensibility.core, xunit.extensibility.execution), and they all have a netstandard1.1 TFM and a netstandard2.0 TFM (and net6.0 for xunit.assert).
Given that all my projects are targeting .NET 8.0, I'm not actually using the netstandard1.1 TFM. So why am I seeing those warnings? Does it mean that ALL projects using xunit are seeing this warning with the new SDK? Or is it just me?
How do I silence those warnings? I don't want to completely silence NU1903, because it could catch vulnerabilities in packages that I actually use.
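As an added example, not code from the issue or from the NuGet, xunit or AutoFixture projects, here is the thread's small reproduction project extended with the mitigation ericstj describes (a direct reference to a current NETStandard.Library so the old 1.6.1 closure is no longer restored) placed next to the audit settings that should stay on, with the two blanket ways of silencing NU1903 shown commented out as the weak configuration. NuGetAudit, NuGetAuditMode, NuGetAuditLevel and the NuGetAuditSuppress item are real NuGet MSBuild settings; the advisory URL in the suppression block is a placeholder, and the "corrected" values are the .NET 9 SDK defaults written out explicitly.

```xml
<!-- Added example (not from the issue or from NuGet/xunit/AutoFixture): a net9.0 project
     that keeps NuGet audit fully enabled while removing the obsolete NETStandard.Library 1.6.1
     dependency graph that netstandard1.x TFMs pull in. -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net9.0</TargetFramework>

    <!-- WEAK: either of these also hides real vulnerabilities in packages you do use.
    <NoWarn>$(NoWarn);NU1903</NoWarn>
    <NuGetAudit>false</NuGetAudit>
    -->

    <!-- CORRECTED: state the .NET 9 defaults explicitly so a later SDK or global
         Directory.Build.props cannot relax them unnoticed.
         "all" audits direct and transitive packages; "direct" would only check
         PackageReference items in this project. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>low</NuGetAuditLevel>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="AutoFixture" Version="4.18.1" />

    <!-- A direct reference to a current NETStandard.Library wins over the transitive
         1.6.1 that AutoFixture/Fare bring in through their netstandard1.x TFMs, so the
         large set of old System.* 4.3.x packages (and their advisories) drops out of
         the restore graph while audit stays on for everything that remains. -->
    <PackageReference Include="NETStandard.Library" Version="2.0.3" />
  </ItemGroup>

  <!-- Optional, for an advisory that has been reviewed and judged unreachable:
       suppress that single advisory instead of the whole NU1903 warning code.
       The URL is a PLACEHOLDER; use the advisory URL printed in the warning. -->
  <!--
  <ItemGroup>
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-PLACEHOLDER" />
  </ItemGroup>
  -->

</Project>
```

After `dotnet restore`, `dotnet list package --vulnerable --include-transitive` is the check that the old System.* packages are gone rather than merely muted, and the .NET 9 SDK's `dotnet nuget why <project> NETStandard.Library` shows which reference now satisfies the dependency. The point of preferring the direct reference over a NoWarn is that the audit result stays trustworthy: the warning disappears because the vulnerable package is no longer restored, not because the report was suppressed.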