Latest 6.* and 7.* versions of Microsoft.VisualStudio.Web.CodeGeneration.Design result in vulnerable version of NuGet.Packaging being installed CVE-2024-0057. #2711
Consumers of the Microsoft.VisualStudio.Web.CodeGeneration.Design package that have not upgraded their projects to .net 8 yet will inadvertently end up with NuGet.Packaging 6.6.1 being installed, which has a critical vulnerability, CVE-2024-0057.
Here is an example of the dependency tree that is resolved:

Microsoft.VisualStudio.Web.CodeGeneration.Design@6.0.16
=> Microsoft.DotNet.Scaffolding.Shared@6.0.16
=> NuGet.ProjectModel@6.6.1
=> NuGet.DependencyResolver.Core@6.6.1
=> NuGet.Protocol@6.6.1
=> NuGet.Packaging@6.6.1

And for .net 7:

Microsoft.VisualStudio.Web.CodeGeneration.Design@7.0.12
=> Microsoft.DotNet.Scaffolding.Shared@7.0.12
=> NuGet.ProjectModel@6.6.1
=> NuGet.DependencyResolver.Core@6.6.1
=> NuGet.Protocol@6.6.1
=> NuGet.Packaging@6.6.1
Given that .net 6 and 7 are still supported, both of those major versions should receive a new patch version without vulnerabilities in the transient dependencies.
The easiest solution I see:
Microsoft.DotNet.Scaffolding.Shared needs to have the reference to NuGet.ProjectModel updated to 6.6.2, 6.7.1, 6.8.1 or 6.9.1, and then that new patch version of Microsoft.DotNet.Scaffolding.Shared should be installed as the updated dependency in Microsoft.VisualStudio.Web.CodeGeneration.Design.
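The chains above are a resolved transitive path, and the practical question for a consumer is whether any package on that path sits below the patched versions named in the issue. The script below is an added example, not code from the Microsoft.VisualStudio.Web.CodeGeneration.Design project: it parses chains written in the `Pkg@version => Pkg@version` form used here and reports every tracked package whose version is below a fix. The patched version set (6.6.2, 6.7.1, 6.8.1, 6.9.1) is the one the issue gives for NuGet.ProjectModel; applying the same set to NuGet.Packaging, the package CVE-2024-0057 is filed against, is an assumption of the example, as is the third, hypothetical sample chain that shows an already-patched resolution.

```python
"""Flag vulnerable NuGet packages in resolved dependency chains.

Added example (not part of the scaffolding project): parses chains written
as "Pkg@ver => Pkg@ver => ..." and reports any tracked package whose version
is below the patched releases listed in the issue.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Patched versions named in the issue (6.6.2, 6.7.1, 6.8.1, 6.9.1). The issue
# lists them for NuGet.ProjectModel; using the same set for NuGet.Packaging is
# an assumption of this example.
PATCHED: Dict[str, List[Version]] = {
    "NuGet.Packaging": [(6, 6, 2), (6, 7, 1), (6, 8, 1), (6, 9, 1)],
    "NuGet.ProjectModel": [(6, 6, 2), (6, 7, 1), (6, 8, 1), (6, 9, 1)],
}

_NODE = re.compile(r"^\s*(?P<id>[A-Za-z0-9_.\-]+)@(?P<ver>\d+(?:\.\d+)*)\s*$")


def parse_version(text: str) -> Version:
    """'6.6.1' -> (6, 6, 1). Numeric segments only; pre-release tags are not handled."""
    return tuple(int(p) for p in text.split("."))


def parse_chain(line: str) -> List[Tuple[str, Version]]:
    """Split 'A@1.0 => B@2.0' into [('A', (1, 0)), ('B', (2, 0))]."""
    nodes = []
    for part in line.split("=>"):
        m = _NODE.match(part)
        if not m:
            raise ValueError(f"unparseable dependency node: {part!r}")
        nodes.append((m.group("id"), parse_version(m.group("ver"))))
    return nodes


def is_patched(package: str, version: Version) -> bool:
    """True when the version is at or above a patched release.

    Packages not in PATCHED are not tracked and pass. A tracked package
    passes if it is >= the newest listed fix, or >= the fix for its own
    major.minor band; any other version is reported for review.
    """
    fixes = PATCHED.get(package)
    if fixes is None:
        return True
    if version >= max(fixes):
        return True
    return any(version[:2] == fix[:2] and version >= fix for fix in fixes)


def find_vulnerable(chains: List[str]) -> List[Tuple[str, str, str]]:
    """Return (package, version, full chain) for each unpatched tracked package."""
    findings = []
    for line in chains:
        nodes = parse_chain(line)
        rendered = " => ".join(f"{pkg}@{'.'.join(map(str, ver))}" for pkg, ver in nodes)
        for pkg, ver in nodes:
            if not is_patched(pkg, ver):
                findings.append((pkg, ".".join(map(str, ver)), rendered))
    return findings


# Constructed sample: the two chains from the issue plus one hypothetical
# chain that already resolves to a patched NuGet.ProjectModel.
SAMPLE_CHAINS = [
    "Microsoft.VisualStudio.Web.CodeGeneration.Design@6.0.16 => Microsoft.DotNet.Scaffolding.Shared@6.0.16"
    " => NuGet.ProjectModel@6.6.1 => NuGet.DependencyResolver.Core@6.6.1 => NuGet.Protocol@6.6.1 => NuGet.Packaging@6.6.1",
    "Microsoft.VisualStudio.Web.CodeGeneration.Design@7.0.12 => Microsoft.DotNet.Scaffolding.Shared@7.0.12"
    " => NuGet.ProjectModel@6.6.1 => NuGet.DependencyResolver.Core@6.6.1 => NuGet.Protocol@6.6.1 => NuGet.Packaging@6.6.1",
    "Example.App@1.0.0 => NuGet.ProjectModel@6.9.1 => NuGet.Packaging@6.9.1",  # hypothetical, patched
]

if __name__ == "__main__":
    for pkg, ver, chain in find_vulnerable(SAMPLE_CHAINS):
        print(f"{pkg} {ver} is below a patched version; pulled in via: {chain}")
```

Run against the sample, the script reports NuGet.ProjectModel 6.6.1 and NuGet.Packaging 6.6.1 on both of the issue's chains and nothing on the hypothetical patched one. The band check is deliberately conservative: a version in a major.minor band the fix list does not mention (for example 6.5.x) is reported so a human confirms it rather than silently passing.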