build error with nuget audit #42073
Comments
I'm also running into a similar issue. The issue for the CVE states that the fix should be to update the SDK and runtime. However, despite updating the SDK this hasn't resolved the issue for me. I'm building my solution using SDK 8.0.7, and my vulnerability scanning is still flagging the following:
I can see in the deps.json file the following:
Thanks for creating this issue! We believe this issue is related to NuGet tooling, which is maintained by the NuGet team. Thus, we closed this one and encourage you to raise this issue in the NuGet repository instead. Don't forget to check out NuGet's contributing guide before submitting an issue! If you believe this issue was closed in error, please comment to let us know. Happy Coding!
Could we transfer the issue to NuGet instead of just closing?
Not easily, no. The NuGet repos are on a different GitHub organization, and GitHub only allows transfers across organizations.
I've confirmed the dependencies with the following command.
And got the following results.
It seems the transitive package reference is coming from
I've found a document about behavior changes on
Not sure if it's a bug or by design
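As an added example (not code from this thread, from the linked project, or from NuGet's own documentation) of the switches NuGet exposes for the behavior discussed above, the csproj fragment below keeps the audit enabled but stops its findings from failing a build that sets TreatWarningsAsErrors. The property names NuGetAudit, NuGetAuditMode, NuGetAuditLevel, WarningsNotAsErrors and the warning codes NU1901 to NU1904 are NuGet's; the target framework and the chosen values are assumptions for illustration.

```xml
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <!-- Assumed target framework for the example. -->
    <TargetFramework>net9.0</TargetFramework>
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>

    <!-- Keep the audit on; "false" would silence it entirely. -->
    <NuGetAudit>true</NuGetAudit>

    <!-- "direct" audits only PackageReference items; "all" also audits
         transitive packages. The .NET 9 SDK defaults this to "all", which is
         why a transitive package can start failing a build after an upgrade. -->
    <NuGetAuditMode>all</NuGetAuditMode>

    <!-- Lowest severity that is reported: low, moderate, high or critical. -->
    <NuGetAuditLevel>low</NuGetAuditLevel>

    <!-- Audit findings map to NU1901 (low), NU1902 (moderate), NU1903 (high)
         and NU1904 (critical). Listing them here keeps them as warnings even
         though every other warning is promoted to an error. -->
    <WarningsNotAsErrors>$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>
  </PropertyGroup>
</Project>
```

This only changes how the build reacts; the vulnerable package is still restored and shipped. The durable fix is to get the patched version into the graph, either by the upstream package updating its dependency or by an explicit PackageReference to the fixed version, after which the WarningsNotAsErrors entry can be removed again so new advisories break the build as intended.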
Got an error when updating to .NET 9 Preview 6. I use
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
for my project, while I do not have a direct dependency on this package reference.
My project is here:
https://github.com/WeihanLi/dotnet-exec/blob/61089e6cba8faa823c57654e321dedc6870a6ba1/src/ReferenceResolver/ReferenceResolver.csproj
Is this new behavior for transitive dependencies? Is there a feature switch to disable it?
Should I add the package dependency to override the version with the vulnerability to fix this?
While I do not want to have this dependency maintained in my project, it may cause conflicts when upgrading dependencies and may be confusing for downstream users.
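Both the deps.json inspection earlier in the thread and the question above come down to the same thing: which direct PackageReference is pulling the flagged transitive package in. The script below is an added example, not code from this thread or from the NuGet tooling. It reads a <app>.deps.json, walks the dependency graph of the runtime target from the project entry, and prints every chain that ends at the package you name, so you know which direct dependency to bump or override. The embedded deps.json is constructed for the example; the package ids in it are placeholders and imply no real advisory.

```python
"""Trace which direct dependencies bring a given package into a .NET app.

Added example; reads the deps.json format the .NET SDK emits next to an
application (runtimeTarget -> targets -> "Id/Version" -> dependencies).
"""
from __future__ import annotations

import json
import sys

# Constructed sample deps.json (placeholder package ids, no real advisory).
SAMPLE_DEPS_JSON = json.dumps({
    "runtimeTarget": {"name": ".NETCoreApp,Version=v9.0", "signature": ""},
    "targets": {
        ".NETCoreApp,Version=v9.0": {
            "MyApp/1.0.0": {
                "dependencies": {"Contoso.Client": "3.1.0", "Fabrikam.Logging": "2.0.0"},
                "runtime": {"MyApp.dll": {}},
            },
            "Contoso.Client/3.1.0": {
                "dependencies": {"Shared.Text": "1.0.0"},
                "runtime": {"lib/net9.0/Contoso.Client.dll": {}},
            },
            "Fabrikam.Logging/2.0.0": {
                "dependencies": {"Shared.Text": "1.0.0"},
                "runtime": {"lib/net9.0/Fabrikam.Logging.dll": {}},
            },
            "Shared.Text/1.0.0": {
                "runtime": {"lib/netstandard2.0/Shared.Text.dll": {}},
            },
        }
    },
    "libraries": {
        "MyApp/1.0.0": {"type": "project", "serviceable": False, "sha512": ""},
        "Contoso.Client/3.1.0": {"type": "package", "serviceable": True, "sha512": ""},
        "Fabrikam.Logging/2.0.0": {"type": "package", "serviceable": True, "sha512": ""},
        "Shared.Text/1.0.0": {"type": "package", "serviceable": True, "sha512": ""},
    },
})


def load_graph(deps_json_text: str) -> tuple[str, dict[str, dict[str, str]]]:
    """Return (root_key, graph): graph maps "Id/Version" to its resolved dependencies."""
    doc = json.loads(deps_json_text)
    target = doc["targets"][doc["runtimeTarget"]["name"]]
    graph = {key: entry.get("dependencies", {}) for key, entry in target.items()}
    # The application itself is the library entry of type "project".
    root = next(k for k, lib in doc["libraries"].items() if lib.get("type") == "project")
    return root, graph


def find_paths(root: str, graph: dict[str, dict[str, str]], package_id: str) -> list[list[str]]:
    """Depth-first walk from root; returns every chain root -> ... -> package_id/version."""
    wanted = package_id.lower()
    paths: list[list[str]] = []

    def walk(key: str, trail: list[str]) -> None:
        trail = trail + [key]
        if key.split("/", 1)[0].lower() == wanted:
            paths.append(trail)
            return
        for dep_id, dep_version in graph.get(key, {}).items():
            child = f"{dep_id}/{dep_version}"
            if child not in trail:  # guard against a cyclic (malformed) graph
                walk(child, trail)

    walk(root, [])
    return paths


def direct_owners(paths: list[list[str]]) -> list[str]:
    """The direct dependencies (second hop of each chain) that own the package."""
    return sorted({path[1] for path in paths if len(path) > 1})


def main(argv: list[str]) -> int:
    # Usage: trace_deps.py <app.deps.json> <PackageId>; with no args, runs on the sample.
    if len(argv) == 3:
        with open(argv[1], encoding="utf-8") as fh:
            text, package_id = fh.read(), argv[2]
    else:
        text, package_id = SAMPLE_DEPS_JSON, "Shared.Text"
    root, graph = load_graph(text)
    paths = find_paths(root, graph, package_id)
    for path in paths:
        print(" -> ".join(path))
    print("direct dependencies to bump or override:", ", ".join(direct_owners(paths)) or "none")
    return 0 if paths else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the deps.json in your bin/ or publish/ output with the package id from the NU190x warning. If the package appears under more than one direct dependency, a single explicit PackageReference to the patched version in the project is what moves every chain at once; otherwise the narrower fix is to bump just the owning direct dependency.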