ionide / FSharp.Analyzers.SDK

Library for building custom analyzers for F# / FSAC
http://ionide.io/FSharp.Analyzers.SDK/
MIT License

NuGet vulnerability warnings from transitive dependencies of FSharp.Analyzers.Build #191

Closed Numpsy closed 8 months ago

Numpsy commented 8 months ago

Describe the bug

The FSharp.Analyzers.Build 0.2.0 NuGet package has a dependency on NETStandard.Library version 1.6.1:

[screenshot: the package's dependency list showing NETStandard.Library 1.6.1]

If I include that in a project which has the new .NET 8 NuGet vulnerability auditing functionality enabled, I get a number of warnings like

warning NU1903: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57

Because the old version of NETStandard.Library itself references a number of old libraries which have known security issues.

I've worked around these sorts of issues before by updating the transitive references in my own projects, but given the contents of the package I wonder if the reference needs to be there at all?

baronfel commented 8 months ago

There are two parts to this IMO:

nojaf commented 8 months ago

@Numpsy are you interested in sending a PR to bump to netstandard2.0?

Numpsy commented 8 months ago

I can have a look at that.

Numpsy commented 8 months ago
• Consumers of the package should add it with PrivateAssets="all" set on the PackageReference to ensure that the dependencies of this package do not leak to the actual users' code, since this is a build-time-only package

Actually, I'd been having a go at referencing the analyzer packages with GlobalPackageReference in Directory.Packages.props rather than with PackageReference, which I thought should handle that on its own.
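The two containment options discussed in this thread, written out as MSBuild configuration. This is an added example, not a file from the FSharp.Analyzers.SDK repository: the project name MyLibrary is hypothetical, the package versions are the ones mentioned in the thread, and the NuGetAudit / NuGetAuditMode properties are the .NET 8 SDK switches that control the auditing the issue refers to (they are not mentioned on this page). The first file shows the Directory.Packages.props route with GlobalPackageReference, which NuGet treats as PrivateAssets="all" implicitly; the second shows the per-project PackageReference with the weak and the hardened form side by side.

```xml
<!-- Directory.Packages.props (Central Package Management).
     Added example, not from the FSharp.Analyzers.SDK project.
     A GlobalPackageReference is injected into every project under this directory
     and is implicitly PrivateAssets="all", so the analyzer package's own dependency
     closure (e.g. NETStandard.Library 1.6.1 and the System.Net.Http 4.3.0 it pulls in)
     is not forwarded to anything that references these projects. -->
<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <!-- Assumed .NET 8 SDK properties: audit transitive packages too, not only
         direct references, so NU1903 warnings surface for the whole graph. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
  </PropertyGroup>
  <ItemGroup>
    <!-- Version taken from the thread (0.3.0 is the release said to resolve this). -->
    <GlobalPackageReference Include="FSharp.Analyzers.Build" Version="0.3.0" />
  </ItemGroup>
</Project>

<!-- MyLibrary.fsproj (hypothetical project name): the per-project alternative
     when Central Package Management is not in use. -->
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <!-- Weak form (shown commented out): without PrivateAssets the analyzer's
         dependencies become part of this library's published dependency graph
         and are inherited by every downstream consumer. -->
    <!-- <PackageReference Include="FSharp.Analyzers.Build" Version="0.2.0" /> -->

    <!-- Hardened form: the package is consumed at build time only and none of
         its assets or dependencies flow to consumers of MyLibrary. -->
    <PackageReference Include="FSharp.Analyzers.Build" Version="0.3.0" PrivateAssets="all" />
  </ItemGroup>
</Project>
```

PrivateAssets only controls what is forwarded to downstream consumers; the old packages are still restored into the project's own graph, so with transitive auditing enabled the NU1903 warnings for that project remain until the analyzer package itself stops depending on NETStandard.Library 1.6.1 (the netstandard2.0 bump discussed above). To see which packages are actually in the restored graph, `dotnet list package --vulnerable --include-transitive` lists the flagged ones with their advisory links.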

baronfel commented 8 months ago

That should also work, yeah

Numpsy commented 8 months ago

This looks to be resolved in the 0.3.0 release, so I'll close it now :-)