Reputation: 877
How to resolve NuGet Transitive Packages with vulnerabilities
I have a project that requires the System.ServiceModel.Http NuGet package.
That particular package references 6 other packages transitively.
One of the transitive packages has an identified vulnerability (System.Security.Cryptography.Pkcs).
I know I can promote the package to Top-level and then control the version. But my question is, is there any way to update the version of the transitive package without promoting it?
The scenario I am trying to avoid is:
- MyProject references PackageA v1
- PackageA v1 references PackageB (which I then promote)
- PackageA v2 is released and it no longer depends on PackageB
- Now MyProject has an unnecessary reference to PackageB (which I have to remember to remove)
Upvotes: 12
Views: 3353
Answers (1)
Reputation: 19
Directly Update Transitive Dependency:
Since you've identified that the vulnerability lies in the transitive package System.Security.Cryptography.Pkcs, you can directly update its version to a fixed version that doesn't have the vulnerability.
Upvotes: -1
Related Questions
- How can I clear the NuGet package cache using the command line?
- Download old version of package with NuGet
- How do I install a NuGet package .nupkg file locally to Visual Studio?
- How do I get NuGet to install/update all the packages in the packages.config?
- NuGet Packages are missing
- NuGet transitive dependencies and floating notation
- Is it possible to change the location of packages for NuGet?
- How can I install an older version of a package via NuGet?
- Nuget dependencies between prerelease packages
- Setting up a common nuget packages folder for all solutions when some projects are included in multiple solutions