Vunerability prevents deployment, but vunerable package is not used

[Soundman32]

Describe the bug This project was last deployed on 5th August 2024 without problems

Deploying a .NET API project is erroring on the "Deploying AWS CDK project" part with errors:

C:\Users\neils\.aws-dotnet-deploy\Projects\zo05g2sk\MyProject.Web.Api.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w

The build failed. Fix the build errors and run again.

Subprocess exited with error 1

MyProject could not be published as ASP.NET Core App to AWS Elastic Beanstalk on Linux: We had an issue deploying your application to AWS. Check the deployment output for more details. Deployment took 3.08s.
MyProject.Web.Api failed to publish to AWS.

The project has all references to System.Text.Json upgraded to 8.0.4, which is currently the latest version (and does not have the vunerability).

Warning as errors is turned off.

If I build from the command line or the IDE, in debug or release mode, I do not get this issue. It only happens with aws deploy (UI or command line).

Development System (please complete the following information):

• Windows Version: Windows 11 Pro 23H2
• Visual Studio Version: 17.11.1
• AWS Toolkit for Visual Studio Version: 1.57.0.0

[normj]

@Soundman32 Thanks for bring this to our attention. I have reproduced the problem and I'm working on getting a fix out.

[normj]

I think the issue is only happening if you have .NET 9 preview installed. That .NET 9 SDK is adding the new NuGet warnings that are causing the failure.

You can work around this by either uninstalling .NET 9 preview or adding global.json file. To add the global.json file you can do the following.

• Navigate to the directory C:\Users\<user-id>\.aws-dotnet-deploy
• Create a file called global.json
• Add the following content to the file except replace the version field with your .NET SDK version you happen to have installed. You can find that out by running the dotnet --list-sdks command. For me this is version 8.0.400.

{
  "sdk": {
    "version": "sdk-version"
  }
}

We'll try and get the PR out as soon as possible so you don't have to do this workaround.

[Soundman32]

Perfect, that has fixed if for me. Thankyou.

[shruti0085]

A fix for this issue was released in v1.58.0.0 of the toolkit.