.NET 10 RC1 SDK produces erroneous NU1902 and NU1903 warnings when restoring multi-targeted packages #51060
Description
Describe the bug
.NET 10 RC1 SDK produces erroneous NU1902 and NU1903 warnings when restoring multi-targeted packages
To Reproduce
Create a simple console app with the following project configuration:
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<OutputType>Exe</OutputType>
<TargetFrameworks>net10.0;net472</TargetFrameworks>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="System.Net.Http" Version="4.3.4" />
</ItemGroup>
</Project>And then run dotnet restore using .NET SDK version 10.0.100-rc.1.25451.107, which produces the following warnings:
Restore succeeded with 3 warning(s) in 0.6s
C:\Users\eitsarpa\source\repos\ConsoleApp1\ConsoleApp1\ConsoleApp1.csproj : warning NU1903: Package 'System.Private.Uri' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-5f2m-466j-3848
C:\Users\eitsarpa\source\repos\ConsoleApp1\ConsoleApp1\ConsoleApp1.csproj : warning NU1902: Package 'System.Private.Uri' 4.3.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-x5qj-9vmx-7g6g
C:\Users\eitsarpa\source\repos\ConsoleApp1\ConsoleApp1\ConsoleApp1.csproj : warning NU1903: Package 'System.Private.Uri' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-xhfc-gr8f-ffwc
The issue fails to reproduce if I target either net10.0 alone or net472 also. It also fails to reproduce if I multi-target to net9.0 and net472, or if I use older versions of the SDK.
Further technical details
details of dotnet --info
.NET SDK: Version: 10.0.100-rc.1.25451.107 Commit: 2db1f5ee2b Workload version: 10.0.100-manifests.a6e8bec0 MSBuild version: 17.15.0-preview-25451-107+2db1f5ee2
Runtime Environment:
OS Name: Windows
OS Version: 10.0.26200
OS Platform: Windows
RID: win-arm64
Base Path: C:\Program Files\dotnet\sdk\10.0.100-rc.1.25451.107\
.NET workloads installed:
There are no installed workloads to display.
Configured to use workload sets when installing new manifests.
No workload sets are installed. Run "dotnet workload restore" to install a workload set.
Host:
Version: 10.0.0-rc.1.25451.107
Architecture: arm64
Commit: 2db1f5ee2b
.NET SDKs installed:
8.0.414 [C:\Program Files\dotnet\sdk]
9.0.205 [C:\Program Files\dotnet\sdk]
9.0.305 [C:\Program Files\dotnet\sdk]
10.0.100-rc.1.25451.107 [C:\Program Files\dotnet\sdk]
.NET runtimes installed:
Microsoft.AspNetCore.App 8.0.20 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.6 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.9 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.0-rc.1.25451.107 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.36 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.20 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.6 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.9 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 10.0.0-rc.1.25451.107 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 6.0.36 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 8.0.20 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 9.0.6 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 9.0.9 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 10.0.0-rc.1.25451.107 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Other architectures found:
x64 [C:\Program Files\dotnet\x64]
registered at [HKLM\SOFTWARE\dotnet\Setup\InstalledVersions\x64\InstallLocation]
x86 [C:\Program Files (x86)\dotnet]
registered at [HKLM\SOFTWARE\dotnet\Setup\InstalledVersions\x86\InstallLocation]
Environment variables:
DOTNET_NEW_PREFERRED_LANG [F#]