aspnet / LibraryManager

MIT License

Microsoft.Web.LibraryManager.Build starting to show security warnings #770

Open leotsarev opened 4 days ago

leotsarev commented 4 days ago

Describe the bug

Microsoft.Web.LibraryManager.Build starting to show security warnings

To Reproduce

  1. Include <PackageReference Include="Microsoft.Web.LibraryManager.Build" Version="2.1.175" PrivateAssets="All" /> into the project
  2. Build it using .NET SDK 9.0.100 or higher
  3. Get
    (..) warning NU1903: Package 'System.Private.Uri' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-5f2m-466j-3848
    (..) warning NU1902: Package 'System.Private.Uri' 4.3.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-x5qj-9vmx-7g6g
    (..) warning NU1903: Package 'System.Private.Uri' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-xhfc-gr8f-ffwc    

Expected behavior

No security warnings

Additional context

NOTE: This is not an actual vulnerability. This is a known problem in NuGet when using netstandard2 projects: https://github.com/dotnet/sdk/issues/42651. It could be worked around by moving to CPM and pinning the System.Private.Uri version, but users are discouraged from referencing System.Private.Uri directly, and it's frustrating for users to get this warning from an official Microsoft package.

It's recommended that:
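The warnings quoted above follow NuGet's fixed audit message shape (NU1901-NU1904, package, version, severity, GHSA advisory URL). The script below is an added example, not code from this issue or from the LibraryManager project: it parses `dotnet build` output for those lines, deduplicates the repeats that multi-targeted builds produce, groups advisories per package, and reports the worst severity so that CI can route the finding to triage instead of letting it scroll past in the log. The sample log text is constructed here and only reuses the advisory identifiers quoted in the report; the project path in it is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample of `dotnet build` output. The project path is a placeholder;
# the warning lines mirror the ones quoted in the issue, with one duplicated on
# purpose because NuGet repeats the warning per target framework / project.
SAMPLE_BUILD_OUTPUT = """\
  Determining projects to restore...
/src/App/App.csproj : warning NU1903: Package 'System.Private.Uri' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-5f2m-466j-3848
/src/App/App.csproj : warning NU1902: Package 'System.Private.Uri' 4.3.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-x5qj-9vmx-7g6g
/src/App/App.csproj : warning NU1903: Package 'System.Private.Uri' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-xhfc-gr8f-ffwc
/src/App/App.csproj : warning NU1903: Package 'System.Private.Uri' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-xhfc-gr8f-ffwc
  App -> /src/App/bin/Debug/net9.0/App.dll
"""

SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}

# NU1901..NU1904 are NuGet's audit warning codes (one code per severity level).
AUDIT_WARNING = re.compile(
    r"warning (?P<code>NU190[1-4]): Package '(?P<package>[^']+)' (?P<version>\S+) "
    r"has a known (?P<severity>low|moderate|high|critical) severity vulnerability, "
    r"(?P<advisory>https://github\.com/advisories/GHSA-[0-9a-z-]+)"
)


def parse_audit_warnings(build_output):
    """Return one record per distinct (package, version, advisory) triple.

    NuGet emits the same warning once per target framework and usually once per
    project, so the raw log repeats lines; deduplicating keeps the triage list
    independent of how many TFMs or projects the solution has.
    """
    seen = set()
    findings = []
    for line in build_output.splitlines():
        m = AUDIT_WARNING.search(line)
        if not m:
            continue
        key = (m["package"], m["version"], m["advisory"])
        if key in seen:
            continue
        seen.add(key)
        findings.append(m.groupdict())
    return findings


def group_by_package(findings):
    """Map 'package version' -> list of advisory URLs, in log order."""
    groups = defaultdict(list)
    for f in findings:
        groups[f"{f['package']} {f['version']}"].append(f["advisory"])
    return dict(groups)


def worst_severity(findings):
    """Highest severity present, or None when the log had no audit warnings."""
    if not findings:
        return None
    return max((f["severity"] for f in findings), key=SEVERITY_RANK.__getitem__)


def exceeds_threshold(findings, threshold="high"):
    """True when at least one finding is at or above the given severity."""
    worst = worst_severity(findings)
    return worst is not None and SEVERITY_RANK[worst] >= SEVERITY_RANK[threshold]


if __name__ == "__main__":
    found = parse_audit_warnings(SAMPLE_BUILD_OUTPUT)
    for pkg, advisories in group_by_package(found).items():
        print(pkg)
        for url in advisories:
            print("   ", url)
    print("worst severity:", worst_severity(found))
    print("blocks at 'high':", exceeds_threshold(found, "high"))
```

Feeding real output is `dotnet build 2>&1 | python audit_warnings.py` with `SAMPLE_BUILD_OUTPUT` replaced by `sys.stdin.read()`; the grouped list is what you would compare against the transitive graph (or, as the issue notes, against the known NuGet/SDK false-positive case for netstandard2.0 packages) before deciding whether the warning is actionable.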

jimmylewis commented 3 days ago

I'm not reproducing this with a new web project:

dotnet new webapp
dotnet add package Microsoft.Web.LibraryManager.Build
dotnet build

and both libman packages (.Build and .Cli) should not bring transitive references to that package.

Can you include the output of dotnet nuget why x.csproj System.Private.Uri for your project?

leotsarev commented 3 days ago

dotnet nuget why won't show System.Private.Uri due to https://github.com/NuGet/Home/issues/13718

I confirm that it won't reproduce on a typical web project, but it will reproduce on Blazor if you are using <Project Sdk="Microsoft.NET.Sdk.BlazorWebAssembly">.

There is a minimal reproduction at https://github.com/leotsarev/ReproduceLibManTest