NuGet / Home
Repo for NuGet Client issues

Solution Explorer info bar that warns of vulnerabilities persists after vulnerable package is uninstalled #12862

Open jebriede opened 10 months ago

jebriede commented 10 months ago

NuGet Product Used

Visual Studio Package Management UI

Product Version

latest in dev

Worked before?

N/A

Impact

It bothers me. A fix would be nice

Repro Steps & Context

Repro:

  1. Create or open a project or solution, such as a .NET 7.0 Console App.
  2. Right-click the project and click Manage NuGet Packages.
  3. On the Browse tab, search for a vulnerable package such as Newtonsoft.Json version 6.0.x.
  4. Click Install.
  5. Note: a warning shows in Solution Explorer saying there's a package vulnerability.
  6. Now uninstall the vulnerable package.

Expected: Info bar warning goes away in Solution Explorer

Actual: [screenshot]

Warning message on Solution Explorer persists even after vulnerable package has been uninstalled.

Verbose Logs

No response
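An added, offline check (example code written for this page, not part of the issue or of NuGet's own client): it reads the package list from either project style mentioned in this thread, a PackageReference .csproj and a legacy packages.config, and applies a vulnerable-version range to show what an audit should report before and after the Uninstall step in the repro. The advisory table, the sample project files and the Newtonsoft.Json range are all constructed for this example and are assumptions, not NuGet's audit data.

```python
"""Offline approximation of what NuGet's NU1903 audit warns about: does the
project file still reference a package version inside a known-vulnerable range?"""
import re
import xml.etree.ElementTree as ET

# Constructed advisory table for this example; NOT NuGet's audit feed.
# package id (lower-case) -> list of (first vulnerable version, first fixed version)
ADVISORIES = {
    "newtonsoft.json": [("0.0.0", "13.0.1")],  # assumption: everything below 13.0.1 is flagged
}

# Constructed sample inputs: the same project before and after "Uninstall" in the repro.
CSPROJ_BEFORE = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net7.0</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="6.0.8" />
  </ItemGroup>
</Project>"""

CSPROJ_AFTER = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net7.0</TargetFramework></PropertyGroup>
  <ItemGroup />
</Project>"""

PACKAGES_CONFIG_BEFORE = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Newtonsoft.Json" version="6.0.8" targetFramework="net472" />
</packages>"""

PACKAGES_CONFIG_AFTER = """<?xml version="1.0" encoding="utf-8"?>
<packages>
</packages>"""


def parse_version(v):
    """Order NuGet-style versions: numeric parts compared as integers, padded to four.
    Pre-release labels and build metadata are stripped (so 13.0.1-beta sorts as 13.0.1;
    good enough for the range checks in this example, not a full SemVer comparison)."""
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def _local(tag):
    """Strip an XML namespace prefix ('{ns}Name' -> 'Name')."""
    return tag.rsplit("}", 1)[-1]


def packages_from_csproj(xml_text):
    """Return (id, version) for every PackageReference item. Tolerates the MSBuild
    default namespace that older non-SDK csproj files carry, and the <Version>
    child-element form as well as the Version attribute."""
    root = ET.fromstring(xml_text)
    found = []
    for el in root.iter():
        if _local(el.tag) != "PackageReference":
            continue
        pid = el.get("Include") or el.get("Update")
        ver = el.get("Version") or ""
        if not ver:
            for child in el:
                if _local(child.tag) == "Version":
                    ver = (child.text or "").strip()
        if pid and ver:
            found.append((pid, ver))
    return found


def packages_from_packages_config(xml_text):
    """Return (id, version) for every <package> entry in a legacy packages.config."""
    root = ET.fromstring(xml_text)
    return [(el.get("id"), el.get("version")) for el in root.iter("package")]


def audit(packages):
    """Return the (id, version) pairs inside a known-vulnerable range, i.e. the
    references an audit should raise NU1903 for. An empty list means the
    warning should be gone."""
    findings = []
    for pid, ver in packages:
        v = parse_version(ver)
        for first_bad, first_fixed in ADVISORIES.get(pid.lower(), []):
            if parse_version(first_bad) <= v < parse_version(first_fixed):
                findings.append((pid, ver))
    return findings


if __name__ == "__main__":
    for label, pkgs in [
        ("PackageReference, before uninstall", packages_from_csproj(CSPROJ_BEFORE)),
        ("PackageReference, after uninstall", packages_from_csproj(CSPROJ_AFTER)),
        ("packages.config, before uninstall", packages_from_packages_config(PACKAGES_CONFIG_BEFORE)),
        ("packages.config, after uninstall", packages_from_packages_config(PACKAGES_CONFIG_AFTER)),
    ]:
        print(f"{label}: {audit(pkgs) or 'no vulnerable packages'}")
```

Running it against a real project file (read the .csproj or packages.config from disk and pass the text in) gives an answer that depends only on what is on disk, which is the useful cross-check when the Solution Explorer info bar or the Error List appears to be showing a stale result.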

jebriede commented 10 months ago

@martinrrm is this related to the SolutionRestoreJob Info Bar warning invocation?

nkolev92 commented 10 months ago

When a package is installed, the first restore for SDK-based projects will likely no-op. Possibly related to that.

For legacy PR projects, a restore is not going to happen after package installation, so the info bar might need to listen to certain package installation events.

You might need to listen to IRestoreProgressReporter for changes to packages.

martinrrm commented 10 months ago

@jebriede Thanks for finding this, I'll investigate this since it is a scenario being tested in the Daily Manual Test Cases vendors do. So, I'm wondering what could cause a different behavior.

Also, another question that I think has been answered before. Why is the csproj file not being saved? Could that affect the restore not being triggered?

@nkolev92 What is considered a legacy PR project?

nkolev92 commented 10 months ago

https://github.com/NuGet/NuGet.Client/blob/dev/docs/nuget-project-types.md has some descriptions.

I like using my custom repo https://github.com/nkolev92/AllNuGetProjectTypes when I'm playing with the different behavior for different project types :)

CiciLi1 commented 4 months ago

@martinrrm, this issue doesn't repro on PackageReference projects now.

But it repros on packages.config projects with VS Main\34706.81 + NuGet Client Dev\6.10.0.75, and the warning "NU1903" doesn't disappear in the Error List after the vulnerable package is uninstalled, as below: [screenshot]

nkolev92 commented 4 months ago

> @martinrrm, this issue doesn't repro on PackageReference projects now.

I'm guessing the experience is different for SDK vs non-SDK PackageReference here.