
Change default dependency resolution to avoid vulnerable nuget packages #12341

Closed
mcm-ham opened this issue Jan 3, 2023 · 2 comments

Comments

@mcm-ham

mcm-ham commented Jan 3, 2023

NuGet Product(s) Affected

dotnet.exe

Current Behavior

If you install the latest version of some Microsoft NuGet package, due to the lowest dependency version strategy you can end up with NuGet packages with known security vulnerabilities.

Desired Behavior

Either change the strategy to HighestPatch, exclude vulnerable packages when executing the lowest strategy, or add a command similar to "npm audit fix" to allow users to easily fix known security vulnerabilities.

Additional Context

No response

@mcm-ham mcm-ham added Triage:Untriaged Type:DCR Design Change Request labels Jan 3, 2023
@mcm-ham mcm-ham changed the title Change default dependency resolution Change default dependency resolution to avoid vulnerable nuget packages Jan 3, 2023
@kartheekp-ms
Contributor

kartheekp-ms commented Jan 4, 2023

add a command similar to "npm audit fix" to allow users to easily fix known security vulnerabilities.

There is work going on in this area already #11549.

Either change strategy to HighestPatch or exclude vulnerable packages when executing lowest strategy

I think it is by design that NuGet resolves the lowest dependency version by default. However, if you can, onboard your repository into Central Package Management (CPM), which has a transitive pinning feature that allows you to override the transitive package version without explicitly specifying the transitive dependency as a top-level dependency.
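As an added illustration of the CPM transitive pinning approach described in this comment (not a file from the issue or from the NuGet repository), the following Directory.Packages.props pins a transitive dependency to a patched release; the package ids and version numbers are placeholders, and the property and item names are the standard CPM ones (ManagePackageVersionsCentrally, CentralPackageTransitivePinningEnabled, PackageVersion).

```xml
<!-- Directory.Packages.props at the repository root (added example; package ids and versions are placeholders). -->
<Project>
  <PropertyGroup>
    <!-- Enable Central Package Management: PackageReference items in projects no longer carry a Version attribute. -->
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <!-- Enable transitive pinning: a PackageVersion listed below is applied to a transitive dependency
         even though no project references it directly, overriding the lowest-applicable version NuGet
         would otherwise select from the direct dependency's declared range. -->
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>

  <ItemGroup>
    <!-- The package the project references directly. -->
    <PackageVersion Include="Contoso.Example.TopLevel" Version="2.0.0" />

    <!-- A transitive dependency of the package above. With the default lowest-version strategy it would
         resolve to the minimum version the top-level package declares; pinning it here raises the resolved
         version to a release that carries the fix, without adding it as a top-level PackageReference. -->
    <PackageVersion Include="Contoso.Example.Transitive" Version="1.2.3" />
  </ItemGroup>
</Project>

<!-- MyApp.csproj (placeholder project name): the direct reference omits Version; CPM supplies it
     from Directory.Packages.props, and the transitive package is pinned without being listed here. -->
<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Contoso.Example.TopLevel" />
  </ItemGroup>
</Project>
```

The pinned version must satisfy the range the direct dependency declares (pinning cannot downgrade below it, which NuGet reports as a downgrade error), and the resolved graph can be checked afterwards with `dotnet list package --vulnerable --include-transitive`.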

@aortiz-msft
Contributor

Thanks for the suggestion. Any changes to the dependency resolution algorithm can be super impactful, so we try to minimize those. In some cases, moving off vulnerable packages requires people to replace a package altogether.
