Description
NuGet Product Used
NuGet.exe, Visual Studio Package Management UI, Visual Studio Package Manager Console
Product Version
Visual Studio 17.12. NuGet.exe 16.12.1
Worked before?
Visual Studio 17.11.6. NuGet.exe 16.11.1
Impact
I'm unable to use this version
Repro Steps & Context
This issue occurs when building code/restoring packages within Visual Studio version 17.12 (using the version of NuGet Package Manager that was packaged with Visual Studio 17.12).
The issue has also been reported when not using Visual Studio to restore packages, i.e. using the NuGet command line tool (NuGet.exe) at version 6.12.1.
Use Case
User downloads a direct dependency from NuGet noksa.webdriver.screenshotextensions 0.1.5.4. This direct dependency’s .nuspec file shows a transitive dependency of newtonsoft.json 11.0.1, as seen in the screenshot below:
So, if you download noksa.webdriver.screenshotextensions 0.1.5.4 to your PC, it will also download its transitive dependency newtonsoft.json 11.0.1.
newtonsoft.json 11.0.1 has a security vulnerability, but noksa.webdriver.screenshotextensions 0.1.5.4 does not have any security vulnerabilities.
If a user wants to download noksa.webdriver.screenshotextensions 0.1.5.4 without introducing a security vulnerability, they should be able to do so, because the transitive dependency requirement is that newtonsoft.json has to be greater-than-or-equal-to 11.0.1, as seen in the screenshot below.
Visual Studio Version Below 17.12
To download noksa.webdriver.screenshotextensions 0.1.5.4 with a non-vulnerable version of newtonsoft.json, the user can add the following XML to the .csproj file:

```xml
<PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
```

Adding the above XML within a Visual Studio version that is below 17.12 will result in NuGet downloading version 13.0.3 of Newtonsoft.Json. It will not download the vulnerable version 11.0.1. This results in noksa.webdriver.screenshotextensions 0.1.5.4 using Newtonsoft.Json 13.0.3 as its transitive dependency.
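The behaviour described above relies on two facts: a .nuspec dependency written as `version="11.0.1"` is NuGet range syntax for "11.0.1 or higher" (an exact pin would be `[11.0.1]`), and the resolver is expected to accept a direct PackageReference that lies inside that range instead of fetching the floor version. The following script, added here as an illustration and not part of the issue or of NuGet itself, parses a constructed stand-in for the package's .nuspec (the real file is only shown as a screenshot), evaluates the range, and reports whether a proposed override version is admissible:

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the .nuspec of noksa.webdriver.screenshotextensions
# 0.1.5.4; only the newtonsoft.json dependency entry matters for this check.
SAMPLE_NUSPEC = """<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>noksa.webdriver.screenshotextensions</id>
    <version>0.1.5.4</version>
    <dependencies>
      <group targetFramework=".NETStandard2.0">
        <dependency id="Newtonsoft.Json" version="11.0.1" />
      </group>
    </dependencies>
  </metadata>
</package>"""
NS = {"n": "http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd"}

def parse_version(s):
    # Pad to four numeric parts so 13.0.3 == 13.0.3.0; prerelease labels are ignored.
    parts = [int(p) for p in s.split("-")[0].split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def parse_range(spec):
    """NuGet range syntax: '11.0.1' means >= 11.0.1 with no upper bound;
    '[a,b)' / '(a,b]' are explicit intervals; '[a]' is an exact pin."""
    spec = spec.strip()
    if spec[0] not in "[(":
        return parse_version(spec), True, None, False
    lo_inc, hi_inc = spec[0] == "[", spec[-1] == "]"
    parts = [p.strip() for p in spec[1:-1].split(",")]
    if len(parts) == 1:
        v = parse_version(parts[0])
        return v, True, v, True
    lo = parse_version(parts[0]) if parts[0] else None
    hi = parse_version(parts[1]) if parts[1] else None
    return lo, lo_inc, hi, hi_inc

def satisfies(version, spec):
    """True if `version` falls inside the range `spec` (a missing spec means any)."""
    if not spec:
        return True
    v, (lo, lo_inc, hi, hi_inc) = parse_version(version), parse_range(spec)
    if lo is not None and (v < lo or (v == lo and not lo_inc)):
        return False
    return hi is None or v < hi or (v == hi and hi_inc)

def dependency_ranges(nuspec_xml):
    """Map (targetFramework, lower-cased dependency id) -> declared version range."""
    root = ET.fromstring(nuspec_xml)
    return {(g.get("targetFramework"), d.get("id").lower()): d.get("version")
            for g in root.findall(".//n:dependencies/n:group", NS)
            for d in g.findall("n:dependency", NS)}

def override_allowed(nuspec_xml, dep_id, pinned_version):
    """True if every dependency group's range for dep_id admits pinned_version."""
    ranges = [r for (_, i), r in dependency_ranges(nuspec_xml).items() if i == dep_id.lower()]
    return bool(ranges) and all(satisfies(pinned_version, r) for r in ranges)
```

Running `override_allowed(SAMPLE_NUSPEC, "Newtonsoft.Json", "13.0.3")` returns True, which is the case the pre-17.12 resolver honoured; after restoring, `dotnet list package --vulnerable --include-transitive` is the quickest way to confirm that 11.0.1 is no longer present in the graph.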
Visual Studio Version 17.12
Including the above XML will result in NuGet downloading version 13.0.3, but it will ALSO result in NuGet downloading the vulnerable version 11.0.1.
.NET Framework Discrepancies
As you can see in the screenshot below showing the NuGet window, the .NET framework versions that are mentioned/referenced for noksa.webdriver.screenshotextensions 0.1.5.4 are .NETFramework 4.5.2, .NETFramework 4.6 and .NETStandard 2.0. In the use case above, the user's project is targeting .NET 8.0. This may or may not be a reason why VS version 17.12 is respecting/not respecting the XML that was added into the .csproj file, because noksa.webdriver.screenshotextensions 0.1.5.4 does not define which transitive dependency should be downloaded for .NET 8.0.
Workarounds
- If the user is using Visual Studio to build code and restore packages, the user can either:
  1) Add `<RestoreUseLegacyDependencyResolver>true</RestoreUseLegacyDependencyResolver>` to the affected project
  2) Downgrade to Visual Studio 17.11.6.
- If the user is using Azure DevOps to build his code and restore packages (via the NuGetToolInstaller task), the user can target an older version of NuGet.exe, such as version 6.11.1:

```yaml
- task: NuGetToolInstaller@1
  inputs:
    versionSpec: 6.11.1
```
Verbose Logs
No response