Add transitive guidance #3336
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -125,6 +125,15 @@ If security vulnerabilities are found and updates are available for the package, | |
| - Use the NuGet package manager user interface in Visual Studio to update the individual package. | ||
| - Run the `dotnet add package` command with the respective package ID to update to the latest version. | ||
|
|
||
| #### Transitive Packages | ||
|
|
||
| If a known vulnerability exists in a top-level package's transitive dependencies, you have these options: | ||
|
|
||
| - Add the fixed package version as a direct package reference. **Note:** Be sure to remove this reference when a new package version update becomes available and be sure to maintain the defined attributes for the expected behavior. | ||
| - Use [Central Package Management with the transitive pinning functionality](https://learn.microsoft.com/nuget/consume-packages/Central-Package-Management#transitive-pinning). | ||
|
Member
There was a problem hiding this comment. I think we should explicitly warn people that if they pack the project into a package, the pinned package will become a package dependency. The linked doc mentions that it promotes a package to a top level dependency, but the very first two customers who tested the first CPM prototype didn't understand this, complained, and stopped using CPM.
Contributor
There was a problem hiding this comment. That probably belongs in the CPM docs. Remind folks that rolling up dependencies doesn't actually add any new dependencies than what you already have. Maybe NuGet gallery could even help here by showing authored dependencies visually different than transitive ones?
Member
There was a problem hiding this comment. nuget.org (NuGetGallery) only show dependencies listed in the nuspec, so only direct dependencies, not transitive dependencies. Any package that CPM promotes via transitive pinning becomes a direct dependency (the page on CPM explicitly states this), and therefore it will be listed in the nuspec as a dependency. NuGet Gallery has no way to know that "this was a transitive package that was pinned by the project that it was packed from". The very first 2 customers who tried CPM (both package authors) when it was in preview and transitive pinning was default with no option to disable, immediately said they hated it and stopped using CPM. So, I think it's valuable to set expectations. I still see transitive pinning (or direct references) as a valid way for library authors to remove transitive packages with known vulnerabilities. But if a single repo is building both packages and apps, the developer might not want to cause a transitive package like System.Text.Json to become a direct dependency of their package, when they upgrade the package for the web/gui/console apps.
Member
There was a problem hiding this comment. There's another challenge here that the CPM docs aren't really complete in this scenario.
Member
There was a problem hiding this comment. I don't know what I was thinking with my last reply. Let me try again to make it more clear: Even if it's documented elsewhere, the first set of customers who tried transitive pinning hated it because it caused additional package dependencies, and told us they immediately stopped using it. I'm sure those two people were not unique and other customers will feel similarly. Therefore, if we're going to advise people to use the feature, I think we should set expectations so they're not surprised.
Member
There was a problem hiding this comment. Oh yeah fair, I was just pointing out that we have another gap to close, which is document it for CPM in the first place. |
||
| - [Suppress the advisory](https://learn.microsoft.com/nuget/concepts/auditing-packages#excluding-advisories) until it can be addressed. | ||
| - File an issue in the top-level package's tracker to request an update. | ||
|
Contributor
There was a problem hiding this comment. Maybe we could add a link to the
Contributor
Author
There was a problem hiding this comment. @jebriede solution explorer ships what release again?
Contributor
There was a problem hiding this comment. @JonDouglas do you mean transitive dependencies in Solution-level PM UI? If so, 17.12. |
||
|
|
||
| ### Security vulnerabilities found with no updates | ||
|
|
||
| In the case that a known vulnerability exists in a package without a security fix, you can do the following. | ||
|
|
||
Uh oh!
There was an error while loading. Please reload this page.