@allennewton I agree it's difficult to manage, but I note that the transitive packages were always there and weren't shown in the UI.

To help manage this, I plan to try using Central Package Management with Transitive Pinning enabled. This way, I only need to declare a package upgrade once for all package references and transitive references in the repo.

See learn.microsoft.com/en-us/nuge

learn.microsoft.com: Central Package Management. Manage your dependencies in a central location and how you can get started with central package management.
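A sketch of the setup described in the post above, added here as an example and not taken from the thread or from any participant's repository. `Example.Direct.Package`, its version and the `PATCHED_VERSION_PLACEHOLDER` value are assumptions to be replaced with real values.

```xml
<!-- Directory.Packages.props at the repository root (constructed example) -->
<Project>
  <PropertyGroup>
    <!-- Versions are declared here once instead of in each project file -->
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <!-- Lets a PackageVersion entry below also override a package that is
         only pulled in transitively -->
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>
  <ItemGroup>
    <!-- Direct dependency (hypothetical name and version). Project files then
         reference it without a version:
         <PackageReference Include="Example.Direct.Package" /> -->
    <PackageVersion Include="Example.Direct.Package" Version="1.0.0" />
    <!-- Transitive dependency flagged as vulnerable: one entry pins it for
         every project in the repo. Placeholder version, use the fixed
         release named in the advisory. -->
    <PackageVersion Include="System.Private.Uri" Version="PATCHED_VERSION_PLACEHOLDER" />
  </ItemGroup>
</Project>
```

After a restore, `dotnet list package --vulnerable --include-transitive` shows whether the pinned version cleared the finding.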

@Arlodottxt Will investigate that idea. Sounds good. System.Private.Uri (in my specific case) is one that is going to need fixing. No help on how to mitigate that one from the NuGet package manager. Will have to work through each reported vulnerability to see if they can be fixed/patched, or not.

@allennewton .NET 9 could have been a simple upgrade but turns out to be hell ... #dotnet

@tomap Upgraded my solution, as an experiment, to .NET 9 from .NET 8 LTS. Most of the transitive vulnerabilities went away. Except one. This hints to me that being on LTS is less stable than being on the latest version of dotnet.