Closed Numpsy closed 8 months ago
There are two parts to this IMO:

- Consumers of the package should add it with `PrivateAssets="all"` set on the `PackageReference` to ensure that the dependencies of this package do not leak to the actual user's code, since this is a build-time-only package.

@Numpsy are you interested in sending a PR to bump to netstandard2.0?

I can have a look at that.
Actually, I'd been having a go at referencing the analyzer packages with `GlobalPackageReference` in `Directory.Packages.props` rather than with `PackageReference`, which I thought should handle that on its own.
That should also work, yeah
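As an added illustration (not taken from this thread or from the FSharp.Analyzers project), the following `Directory.Packages.props` shows the central-package-management form discussed above. A `GlobalPackageReference` is added to every project under the file with `PrivateAssets="All"` implied, so a build-time-only package and whatever it depends on (in the 0.2.0 case, NETStandard.Library 1.6.1 and the old libraries behind it) are not flowed to anything that consumes those projects. The `NuGetAudit` property is the .NET 8 SDK switch for the vulnerability auditing the report mentions; 0.3.0 is the release the thread says resolves the dependency.

```xml
<!-- Directory.Packages.props: added example, not code from the thread or the project.
     Enabling central package management is what makes GlobalPackageReference available. -->
<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <!-- .NET 8 SDK NuGet vulnerability auditing (restore reports known-vulnerable packages) -->
    <NuGetAudit>true</NuGetAudit>
  </PropertyGroup>

  <ItemGroup>
    <!-- Build-time-only package: NuGet applies PrivateAssets="All" to every
         GlobalPackageReference, so its dependency graph does not leak to consumers
         of the projects in this tree. 0.3.0 is the version named in the thread. -->
    <GlobalPackageReference Include="FSharp.Analyzers.Build" Version="0.3.0" />
  </ItemGroup>
</Project>
```

Without central package management, the per-project equivalent is a `<PackageReference Include="FSharp.Analyzers.Build" Version="0.3.0" PrivateAssets="all" />` in each `.fsproj`; the effect on what flows to dependents is the same, but it has to be repeated in every project rather than declared once.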
This looks to be resolved in the 0.3.0 release, so I'll close it now :-)
Describe the bug

The FSharp.Analyzers.Build 0.2.0 NuGet package has a dependency on NETStandard.Library version 1.6.1:
If I include that in a project which has the new .NET 8 NuGet vulnerability auditing functionality enabled, I get a number of warnings like
Because the old version of NETStandard.Library itself references a number of old libraries which have known security issues.
I've worked around these sorts of issues before by updating the transitive references in my own projects, but given the contents of the package I wonder if the reference needs to be there at all?