Open Tarmil opened 8 months ago
This is becoming even more useful now that .NET 8 gives warnings (which I had as errors on a project I just tried to restore) when a package version has a security advisory against it.
This is really becoming a rather big maintenance problem. On the same project I've needed to do the workaround about four to five times this year and there are multiple projects to be maintained.
Security-wise, it would add a lot of value if paket update could support updates of transient deps out of the box.
Description
It is currently not possible to update a transitive dependency on the command line without updating the direct dependency that requires it. I sometimes need to retrieve a bugfix on the transitive dependency and would rather not update more than needed just to test the bugfix.
Repro steps
In a solution where P is a transitive dependency, run:
Expected behavior
Package P is updated. The direct dependency that requires it as a transitive dependency is not updated, unless the latest version of P is out of range for the currently installed version of the direct dependency. (This is the behavior observed when using the workaround described below.)
Actual behavior
Paket returns an error:
Known workarounds
Manually add the package to paket.dependencies, run paket update P, then manually remove it from paket.dependencies.
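
The workaround above as a script, for when a security advisory lands on a transitive package. This is an added example, not part of the original issue or of Paket. It assumes paket is invoked as "dotnet paket" (override with PAKET_CMD) and that paket.dependencies has no group blocks; the function name update_transitive is made up for illustration.

```shell
#!/bin/sh
# Added example: scripted form of the manual workaround from the issue.
# Assumptions: PAKET_CMD is how paket is invoked locally; the dependencies
# file declares everything in the Main group (no "group" blocks).
PAKET_CMD="${PAKET_CMD:-dotnet paket}"

update_transitive() {
    pkg="$1"
    deps="${2:-paket.dependencies}"

    [ -n "$pkg" ] && [ -f "$deps" ] || {
        echo "usage: update_transitive PACKAGE [paket.dependencies]" >&2
        return 2
    }

    # A package that is already a direct dependency needs no workaround.
    if awk -v p="$pkg" 'tolower($1)=="nuget" && tolower($2)==tolower(p){f=1} END{exit !f}' "$deps"; then
        echo "$pkg is already a direct dependency; run: $PAKET_CMD update $pkg" >&2
        return 3
    fi

    # Appending would land the line in the last group, so refuse grouped files.
    if awk 'tolower($1)=="group"{f=1} END{exit !f}' "$deps"; then
        echo "$deps uses groups; add the temporary line by hand" >&2
        return 4
    fi

    backup="$deps.bak.$$"
    cp -p "$deps" "$backup" || return 1

    # Step 1: temporarily declare the package as a direct dependency.
    printf '\nnuget %s\n' "$pkg" >> "$deps"

    # Step 2: update only that package; paket rewrites paket.lock itself.
    status=0
    $PAKET_CMD update "$pkg" || status=$?

    # Step 3: put the original paket.dependencies back, success or failure.
    mv -f "$backup" "$deps"
    return "$status"
}

# Run directly: ./update-transitive.sh PACKAGE [path/to/paket.dependencies]
if [ "$#" -ge 1 ]; then update_transitive "$@"; fi
```

Review the resulting paket.lock diff before committing: it should show the bumped package and nothing else, unless the new version forced other changes.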