Warn when using deprecated Nuget packages #12244

Open
kevinoid opened this issue Nov 14, 2022 · 3 comments

@kevinoid
NuGet Product(s) Involved

dotnet.exe

The Elevator Pitch

NuGet could warn .NET SDK users when they use (e.g. install or restore) a deprecated package, as Visual Studio does, so that they can consider taking appropriate action.

Additional Context and Details

@zijchen reported this issue a year ago in dotnet/sdk#22635 and was instructed to report it here. I was unable to find a corresponding issue, and am also interested in this feature, so I'm opening this issue to suggest it.

A concrete example, from the original issue, using the deprecated WindowsAzure.Storage package does not produce any warnings or indications to the user that the package is deprecated:

dotnet new console
dotnet add package WindowsAzure.Storage
dotnet restore
dotnet build

It would be nice if a numbered NuGet Warning were produced to inform users and allow monitoring (e.g. failing CI with warn-as-error builds).

Thanks for considering,
Kevin

@erdembayar

@kevinoid
Thank you for reporting this issue. I believe this is something already on our radar; please upvote if you want us to prioritize this issue. In the meantime, you can use the dotnet list package --deprecated command to detect deprecated/vulnerable/outdated packages. Soon you can get JSON format output too.

> dotnet list package --deprecated --include-transitive

The following sources were used:
   https://api.nuget.org/v3/index.json
   https://apidev.nugettest.org/v3-index/index.json
   https://pkgs.dev.azure.com/azure-public/vside/_packaging/vs-impl/nuget/v3/index.json
   C:\IssueRepro\11711\

Project `12244` has the following deprecated packages
   [net7.0]:
   Top-level Package           Requested   Resolved   Reason(s)   Alternative
   > WindowsAzure.Storage      9.3.3       9.3.3      Other       Azure.Storage.Blobs >= 0.0.0

@nkolev92
Do we have any restore security issue we can dedup?
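
A CI gate of the kind the issue asks for, built on the dotnet list package --deprecated workaround above. This is an added example, not NuGet project code and not posted by any participant in this thread. It parses the text report in the layout quoted above; the function names, the column layout of the transitive table, and the "has no deprecated packages" line are assumptions, and the text layout is not a stable contract.

```shell
#!/bin/sh
# Added example: fail a build when the deprecation report lists any package.
# Assumed report layout: the one quoted in this thread.

# find_deprecated: report on stdin -> "project<TAB>kind<TAB>package<TAB>resolved"
find_deprecated() {
    awk '
        /has the following deprecated packages/ {
            # the project name sits between the first pair of backticks
            n = split($0, parts, "`")
            project = (n >= 3) ? parts[2] : "?"
            in_section = 1
            next
        }
        # any other per-project line (e.g. "has no deprecated packages") ends it
        /^(Project|The given project) / { in_section = 0; next }
        # top-level rows: > name requested resolved ...; transitive rows
        # (assumed): > name resolved ...
        /Top-level Package/  { kind = "top-level";  col = 4; next }
        /Transitive Package/ { kind = "transitive"; col = 3; next }
        in_section && $1 == ">" {
            printf "%s\t%s\t%s\t%s\n", project, kind, $2, $col
        }
    '
}

# deprecated_gate: report on stdin; returns 1 and lists findings on stderr
# when at least one deprecated package row is present, 0 otherwise.
deprecated_gate() {
    findings=$(find_deprecated)
    if [ -n "$findings" ]; then
        printf 'Deprecated NuGet packages in use:\n%s\n' "$findings" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the report text quoted in this thread.
SAMPLE_REPORT='Project `12244` has the following deprecated packages
   [net7.0]:
   Top-level Package           Requested   Resolved   Reason(s)   Alternative
   > WindowsAzure.Storage      9.3.3       9.3.3      Other       Azure.Storage.Blobs >= 0.0.0'

# In CI (after dotnet restore), the gate would be fed the real report:
#   dotnet list package --deprecated --include-transitive | deprecated_gate
printf '%s\n' "$SAMPLE_REPORT" | find_deprecated
```
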

@nkolev92

There are no dups. This is the first ask I'm aware of. Removing the irrelevant labels as this is not a security thing.

nkolev92 added the Priority:3 (Issues under consideration. With enough upvotes, will be reconsidered to be added to the backlog.) and Pipeline:Icebox labels on Nov 17, 2022
@cremor
cremor commented Jun 8, 2023

I think this should also warn when using an unlisted package version. Use case: #11883 (comment)

nkolev92 added the Priority:2 (Issues for the current backlog.) label and removed the Priority:3 (Issues under consideration. With enough upvotes, will be reconsidered to be added to the backlog.) label on Aug 21, 2024