crotondo-dap
commented
1 year ago Hi again,
I can now confirm that a release will have an unresolved issue, if two dependencies with different versions are listed. Which does make sense from ProGet's perspective. We have a release which is using Newtonsoft.Json 13.0.2. Through transitive dependencies also Newtonsoft.Json 11.0.1 is listed via pgscan, which has security vulnerabilities. Therefore, our release has an unresolved issue. But our product will be shipped with Newtonsoft.Json 13.0.2, since it is the only assembly in our build output.
Have you been able to think about this issue yet?
rhessinger
Hi,
due to different transitive dependencies we may end up with two versions of the same package (you can see an example in the attached image). So lets assume dependency "x" of my project has a dependency to "Microsoft.Web.Infrastructure 1.0.0" and dependency "y" of my project has a dependency to "Microsoft.Web.Infrasructure 2.0.0". Both versions of this library are written into the project.assets.json during nuget restore. But after building the project only the newer version is effectively used by my project. Therefore, there is a dependency listed we do not depend on.
What if an issue will be detected in "Microsoft.Web.Infrastructure 1.0.0"? Will there be an issue shown for my whole project? Even if my project isn't even using this dependency in the end?
Maybe pgscan could check for the newest version available while reading the project.assets.json?