Closed mattsmac closed 11 months ago
Hey @mattsmac,
In my opinion, if you have a newer version of the NuGet package in your app, this version will be used instead of the one referenced by our NuGet package.
Hi @enchev, I get that as a temporary workaround. However, after a while, if you have to manually keep supporting NuGet packages up to date, it makes it a bit of a mess to know what packages you are actually using and what packages are just transitive. It also means that anyone that uses Radzen on .NET 7 or below will be unknowingly installing a vulnerable NuGet package. I only discovered this because I specifically scan for it, but otherwise would not have known that I was using a vulnerable package.
Upgrading to the latest version of the framework guarantees that you are using latest versions of the packages referenced by third party assemblies like Radzen.Blazor - there will be no mess since there will be only one loaded assembly, the latest.
Hi @enchev, Unfortunately, that is not how NuGet appears to work. It always picks the lowest applicable version of transitive packages when a >= version requirement is set, unless a direct reference exists. So if Radzen requires Microsoft.AspNetCore.Components >= 7.0.0, NuGet will always choose 7.0.0, not 7.0.14 which is the patched version.
For this particular scenario, if you upgrade your whole project to .net 8, it would solve it because Microsoft.AspNetCore.Components version 8.0.0 does not have this vulnerability, but if another vulnerability is identified in Microsoft.AspNetCore.Components version 8.0.0, it would still not choose the patched version.
This could be corrected by using the * dependency notation rather than the >= notation, at least for this particular dependency. See the following article for details.
https://learn.microsoft.com/en-us/nuget/concepts/dependency-resolution#lowest-applicable-version
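The resolution rule described in the comment above, as an added example that is not part of the Radzen.Blazor project or of this thread: a small Python model of NuGet's "lowest applicable version" behaviour for transitive dependencies, alongside the two ways the thread mentions to end up on a patched build (a direct PackageReference in the consuming app, or a floating `7.0.*` range in the library's dependency). The feed contents and the vulnerable-version set are constructed for the demo; only 7.0.0 is treated as flagged, because that is the version the issue reports.

```python
"""Simplified model of NuGet transitive-dependency resolution.

Added example, not code from the Radzen project or this thread. It models
the rule discussed above: a transitive dependency declared as a minimum
version (">= 7.0.0") resolves to the LOWEST version on the feed that
satisfies it, while a direct PackageReference in the consuming project
("nearest wins") or a floating range ("7.0.*") selects a newer patch.
Real NuGet has more rules (NU1608 warnings, prerelease handling, multiple
feeds); this keeps only what the discussion needs.
"""
from __future__ import annotations

# Constructed feed: assume exactly these versions are published.
FEED = {
    "Microsoft.AspNetCore.Components": ["7.0.0", "7.0.14", "8.0.0"],
}

# Constructed advisory data: the issue reports 7.0.0 as flagged by
# `dotnet list package --vulnerable`; nothing else is assumed vulnerable here.
VULNERABLE = {("Microsoft.AspNetCore.Components", "7.0.0")}


def parse(version: str) -> tuple[int, ...]:
    """Turn '7.0.14' into (7, 0, 14) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def lowest_applicable(package: str, minimum: str) -> str:
    """NuGet's default for transitive dependencies: the lowest version satisfying '>= minimum'."""
    candidates = [v for v in FEED[package] if parse(v) >= parse(minimum)]
    if not candidates:
        raise LookupError(f"no version of {package} satisfies >= {minimum}")
    return min(candidates, key=parse)


def floating_highest(package: str, pattern: str) -> str:
    """Floating range such as '7.0.*': the highest version matching the fixed prefix."""
    prefix = pattern.rstrip("*")  # '7.0.*' -> '7.0.'
    candidates = [v for v in FEED[package] if v.startswith(prefix)]
    if not candidates:
        raise LookupError(f"no version of {package} matches {pattern}")
    return max(candidates, key=parse)


def resolve(package: str, transitive_spec: str, direct_version: str | None = None) -> str:
    """Return the version the consuming app ends up loading.

    transitive_spec is what the third-party library declares for the package:
    either '>= X' or a floating pattern 'X.Y.*'. direct_version is an explicit
    PackageReference in the app itself, which wins over the transitive range.
    """
    if direct_version is not None:
        if direct_version not in FEED[package]:
            raise LookupError(f"{package} {direct_version} is not on the feed")
        return direct_version
    if transitive_spec.endswith("*"):
        return floating_highest(package, transitive_spec)
    if transitive_spec.startswith(">="):
        return lowest_applicable(package, transitive_spec[2:].strip())
    raise ValueError(f"unsupported range: {transitive_spec}")


def is_vulnerable(package: str, version: str) -> bool:
    """What a vulnerability scan over the resolved graph would report for this package."""
    return (package, version) in VULNERABLE


if __name__ == "__main__":
    pkg = "Microsoft.AspNetCore.Components"
    scenarios = [
        (">= 7.0.0", None),      # library declares a minimum only -> lowest applicable wins
        (">= 7.0.0", "7.0.14"),  # app adds a direct PackageReference -> nearest wins
        ("7.0.*", None),         # library uses a floating range -> highest 7.0.x wins
    ]
    for spec, direct in scenarios:
        chosen = resolve(pkg, spec, direct)
        print(f"declared {spec!r:>10}, direct {direct!s:>6}: "
              f"resolves to {chosen}, vulnerable={is_vulnerable(pkg, chosen)}")
```

The first scenario is the situation the reporter hit: the scan flags 7.0.0 even though 7.0.14 is published. The second is the temporary workaround from the thread (a direct reference in the app's project file), and the third is the change the comment proposes for the library's own dependency. Whichever route is taken, re-running `dotnet list package --vulnerable --include-transitive` against the project confirms which version the graph actually resolved to.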
Is your feature request related to a problem? Please describe.
When reviewing security vulnerabilities via the dotnet list command, Microsoft.AspNetCore.Components 7.0.0 is listed as a vulnerability. See issue link.
Describe the solution you'd like
Update the minimum version of Microsoft.AspNetCore.Components to a non-vulnerable version.
Describe alternatives you've considered
I can mitigate this temporarily by manually including a non-vulnerable version of Microsoft.AspNetCore.Components, however that makes the NuGet packages harder to maintain without knowing that this is installed specifically for Radzen.