There's a lot of older posts about the way that NuGet defaults to the lowest compatible version for transitive packages, and thus creates vulnerabilities in your code. It looks like until recently, the only "solution" was to promote them to top-level packages, which is not ideal.
I'm trying to deal with this problem in my solution at the moment and, nosing around for more recent solutions I chanced on this blog post about central package management. It claims:
You can automatically override a transitive package version even without an explicit top-level by opting into a feature known as transitive pinning. This promotes a transitive dependency to a top-level dependency implicitly on your behalf when necessary.
You can enable this feature by setting the MSBuild property CentralPackageTransitivePinningEnabled to true in a project or in a Directory.Packages.props or Directory.Build.props import file
But when I add this to a project file:
<PropertyGroup>
<CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
</PropertyGroup>
Nothing happens. The transitive packages stay at their minimal, vulnerable versions.
I've only tried adding this as text to the project file itself, not through any of the other suggested routes. Are there additional steps I need to take to get this working, or is it still not possible to get my transitive packages to upgrade?
asked Feb 13 at 16:24 by Bob Tway
Comment: You need to use Central Package Versioning in order to use transitive pinning. – zivkan, Feb 14 at 5:05
1 Answer
"Are there additional steps I need to take to get this working, or is it still not possible to get my transitive packages to upgrade?"
It's possible to get your transitive packages to upgrade. You should specify/override/update the transitive package version by using PackageVersion in the Directory.Build.props file. Please check the following steps:
Note: Take the package System.Drawing.Common as an example.
1. Directory.Build.props file:
<Project>
<PropertyGroup>
<ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
<CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
</PropertyGroup>
<ItemGroup>
<PackageVersion Include="System.Drawing.Common" Version="8.0.8" />
<PackageVersion Include="Microsoft.Win32.SystemEvents" Version="8.0.2" />
</ItemGroup>
</Project>
2. .csproj file:
<ItemGroup>
<PackageReference Include="System.Drawing.Common"/>
</ItemGroup>
After configuring the two steps, you can see your project uses the version 8.0.8 for the top level package System.Drawing.Common and the version 8.0.0 for the transitive package Microsoft.Win32.SystemEvents.
3. If you want to update the version of transitive packages, you can add those packages to your Directory.Packages.props to pin the version to a specific/newer one, without having to reference it directly in a project.
<PackageVersion Include="Microsoft.Win32.SystemEvents" Version="9.0.2" />
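A quick way to verify that a central pin actually took effect after restore, added here as an example and not part of the answer above: read the PackageVersion items (and the two enabling properties) from Directory.Packages.props and compare them with the versions NuGet wrote into obj/project.assets.json. Both files below are constructed samples, and the assets file is assumed to use the standard "targets" map keyed by "id/version"; running pinning_settings on a props file that only sets CentralPackageTransitivePinningEnabled (as in the question) reports that ManagePackageVersionsCentrally is missing.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample Directory.Packages.props: CPM plus transitive pinning enabled.
PACKAGES_PROPS = """<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="System.Drawing.Common" Version="8.0.8" />
    <PackageVersion Include="Microsoft.Win32.SystemEvents" Version="9.0.2" />
  </ItemGroup>
</Project>"""

# Constructed excerpt of obj/project.assets.json from a restore in which the
# transitive package stayed at its minimum version (the symptom in the question).
ASSETS_JSON = """{"version": 3, "targets": {"net8.0": {
  "System.Drawing.Common/8.0.8": {"type": "package"},
  "Microsoft.Win32.SystemEvents/8.0.0": {"type": "package"}}}}"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the old MSBuild xmlns if a file carries one

def pinning_settings(props_xml):
    """(ManagePackageVersionsCentrally, CentralPackageTransitivePinningEnabled) as booleans."""
    props = {_local(e.tag): (e.text or "").strip().lower() for e in ET.fromstring(props_xml).iter()}
    return (props.get("ManagePackageVersionsCentrally") == "true",
            props.get("CentralPackageTransitivePinningEnabled") == "true")

def pinned_versions(props_xml):
    """Package id (lower-cased, NuGet ids are case-insensitive) -> centrally pinned Version."""
    return {e.get("Include").lower(): e.get("Version")
            for e in ET.fromstring(props_xml).iter() if _local(e.tag) == "PackageVersion"}

def resolved_versions(assets_json):
    """Package id -> version actually restored, read from every target in the assets file."""
    resolved = {}
    for target in json.loads(assets_json)["targets"].values():
        for key, entry in target.items():
            if entry.get("type") == "package":
                pkg, ver = key.split("/", 1)
                resolved[pkg.lower()] = ver
    return resolved

def unpinned(props_xml, assets_json):
    """Pins that did not take effect, as (id, pinned, restored) tuples; empty means all good."""
    pins, got = pinned_versions(props_xml), resolved_versions(assets_json)
    return sorted((p, pins[p], got[p]) for p in pins if p in got and got[p] != pins[p])
```

Point unpinned at the real Directory.Packages.props and obj/project.assets.json after a fresh restore; any tuple it returns is a package still sitting below its pin.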
c# - Can you now force nuget to update versions of transitive packages with transitive pinning? - Stack Overflow