umbraco / Umbraco.UIBuilder.Issues

Back office UI builder for Umbraco

Transitive reference to Umbraco.Cms.Web.BackOffice 13.0.0 after installing UI Builder 13.1.1 and Umbraco 13.3.0 #98

Closed patlit closed 4 months ago

patlit commented 4 months ago

NuGet package manager shows vulnerable transitive package Umbraco.Cms.Web.BackOffice 13.0.0 after upgrading Umbraco to 13.3.0 and UI Builder to 13.1.1.


AndyButland commented 4 months ago

For each minor version of an Umbraco product we generally don't bump the dependent version of Umbraco until the next major. So when UI Builder 13 was released, it references 13.0 of Umbraco, and will stay that way until Umbraco 14 is out, when it'll move onto that version.

The reason is that we don't want to force someone to upgrade their CMS in order to get the latest version of a product. They still can do of course, but there could be reasons why they only want to get the latest patch of a product without the potential further effort/risk of a full update of Umbraco.

So I think what you are seeing is expected, and not an issue if you are running Umbraco 13.3.

I can see 13.1 and below of the Umbraco component dependency is marked with a moderate security vulnerability so that's why it's flagged here, but if you are running on the latest Umbraco 13 I don't believe you have any issue.

I'll close this, but please feel free to re-open if you have further concerns or think I've missed something.
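One way to confirm which version of the flagged package a project actually restores, as opposed to the minimum a product package declares, is to read the `obj/project.assets.json` file that NuGet writes on restore. The script below is an added example, not part of the thread or of any Umbraco project; the embedded data is a constructed, simplified excerpt and the function names are hypothetical.

```python
import json

# Constructed, simplified excerpt in the shape of obj/project.assets.json
# (not taken from the issue). Keys under a target are "<id>/<resolved version>".
SAMPLE_ASSETS = json.loads("""
{
  "targets": {
    "net8.0": {
      "Umbraco.Cms.Targets/13.3.0": {
        "dependencies": {"Umbraco.Cms.Web.BackOffice": "13.3.0"}
      },
      "Umbraco.UIBuilder/13.1.1": {
        "dependencies": {"Umbraco.Cms.Web.BackOffice": "13.0.0"}
      },
      "Umbraco.Cms.Web.BackOffice/13.3.0": {"type": "package"}
    }
  }
}
""")


def resolved_versions(assets, package_id):
    """Map each target framework to the version NuGet restored for package_id."""
    found = {}
    for target, libs in assets.get("targets", {}).items():
        for key in libs:
            name, _, version = key.partition("/")
            if name.lower() == package_id.lower():  # NuGet ids are case-insensitive
                found[target] = version
    return found


def declared_ranges(assets, package_id):
    """List (target, dependent 'id/version', declared range) for package_id."""
    rows = []
    for target, libs in assets.get("targets", {}).items():
        for key, lib in libs.items():
            for dep, rng in lib.get("dependencies", {}).items():
                if dep.lower() == package_id.lower():
                    rows.append((target, key, rng))
    return sorted(rows)


if __name__ == "__main__":
    pkg = "Umbraco.Cms.Web.BackOffice"
    print("resolved:", resolved_versions(SAMPLE_ASSETS, pkg))
    for target, dependent, rng in declared_ranges(SAMPLE_ASSETS, pkg):
        print(f"{target}: {dependent} declares {pkg} {rng}")
```

Against a real project, load the file with `json.load(open("obj/project.assets.json"))` after a restore and check every project in the solution, since each one has its own assets file.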