dotnet / sdk

Core functionality needed to create .NET Core projects, that is shared between Visual Studio and CLI
https://dot.net/core
MIT License
2.75k stars 1.07k forks source link

[WebToolsE2E] When "azd up" deploys an Aspire application with SqlClient, a security warning appears for the package "System.Private.Uri". #45220

Open ymmendoza opened 5 days ago

ymmendoza commented 5 days ago

INSTALL STEPS

  1. Install VS 17.13 P2 PR (contains 9.0.200-preview)
  2. Install azd [1.11.0]

REPRO STEPS

  1. Create Aspire Starter App > .NET 9.0 > Create
  2. Click xxx.ApiService and insert the code <PackageReference Include="Aspire.Microsoft.Data.SqlClient" Version="9.0.0" />
  3. Go to program.cs and paste the code: builder.AddSqlServerClient("sqldata");
  4. Right Click solution> Open Folder in File Explorer >Open CMD
  5. Publish the project using the following commands:
    azd init
    azd up

    ACTUAL RESULT There are some warning message in the VS after publishing the project in CLI Image

EXPECTED RESULT Can publish the project successfully without warnings in VS

v-elenafeng commented 2 days ago

This is reproduced in SDK 9.0.100 and then fixed in the 9.0.101 SDK in Revert changes to NuGetAuditMode defaults · Issue #13945 · NuGet/Home, but we may also need to fix it in 9.0.200-preview and .NET 10 SDK. @richaverma1 @marcpopMSFT Do we need to include this fix to VS 17.13 Preview 2?

marcpopMSFT commented 2 days ago

The audit change will flow to 9.0.2xx eventually and ship in 17.13 by preview 3. We are not planning on pushing the change faster. Note that there is an actual fix for the System.Private.Uri reference and someone should look into that.