Open flo-so opened 9 months ago
similar issue is in System.ServiceModel.Primitives 6.2.0
It's especially odd that the 8.0.0 version, which only targets net8.0, would depend on .NET 6 packages instead of .NET 8 ones.
What would have to be changed to use the current dependency? Is it necessary at all to explicitly state the version? The package should be contained in the runtime directly
Why does the .NET 8 dependency list include .NET 6 package? There are older packages with dependency specifications for the older stuff. This feels like a lifecycle violation.
@HongGit Friendly ping since there is still no documented workaround (to either use System.Security.Cryptography.Xml@8.x
or System.Security.Cryptography.Pkcs@6.0.3+
). So an official fix or at least note would be appreaciated.
System.ServiceModel.Primitives 8.0.0 has dependency System.Security.Cryptography.Xml >= 6.0.1 System.Security.Cryptography.Xml 6.0.1 has depency System.Security.Cryptography.Pkcs 6.0.1 which is marked vulnerable Visual Studio 2022 transitive package installation installs minimum required package version, which is the vulnerable version Please update package dependecies of System.ServiceModel.Primitives 8.0.0