Comments (4)
jgonz120
commented on August 24, 2024
Hello! There is a current issue with CPM, NuGet/NuGet.Client#5866, which we're working on fixing. In your setup are you enabling CPM on individual projects or within the Directory.Package.props file?
from home.
parase03
commented on August 24, 2024
Hello @jgonz120! In my setup, the CPM is enabled for the entire solution in a central Directory.Package.props file, located in the root of the solution (where the .sln file lies).
from home.
jgonz120
commented on August 24, 2024
I haven't been able to reproduce this using https://github.com/nkolev92/CentralPackageManagementDemo as an example repo.
After cloning I added a global.json file so I could specify the dotnet version and updated the projects to use net7.0 so I could test it in both versions.
Are there any differences with that example project and yours that you think could help us get a repro?
from home.
parase03
commented on August 24, 2024
Hello again! I managed to find the culprit but don't know if this is an expected behavior or a bug.
Indeed with the project you mentioned I wasn't able to reproduce the issue, so I compared with my local repository. I found out that the only difference in terms of structure and files, was the existence of Directory.Build.props, in addition to the CPM. Apologies for not mentioning this initially, I thought it was irrelevant.
In this file, there were also global package references mentioned. So I copied the same file in the the example repo and was able to reproduce this using .NET 8.0 SDK. When I moved these references to the Directory.Packages.props (while leaving the file with the rest of its contents), the problem was resolved and dotnet list package --vulnerable was able to work again.
Interestingly enough, when I switched .NET SDK to version 7.0 using global.json, and restored Directory.Build.Props to its original contents, the command wasn't failing.
This begs the question: was this behavior with v7.0 a pre-existing bug that got fixed with v8.0, or is the current behavior a bug? It looks like .NET 7.0 is parsing both Directory.* files for package references when a list package command is issued, whereas .NET 8.0 looks only in the CPM-specfic one.
Can (or should) Directory.Build.props contain global package references?
To re-create this, I followed these steps:
- Cloned https://github.com/nkolev92/CentralPackageManagementDemo project
- Created a
Directory.Build.Propsusing this sample. - I moved the below section:
<ItemGroup>
<GlobalPackageReference Include="Microsoft.SourceLink.GitHub" Version="1.1.1" />
</ItemGroup>
from Directory.Package.Props into the Directory.Build.Props.
4. I opened a terminal and run dotnet restore, followed by dotnet list package --vulnerable.
from home.
Related Issues (20)
- Possible NuGet vulnerability false positive when transitive package conflicts with BCL? HOT 1
- Update dotnet nuget why docs with assets file info
- Define `AuditSources` from an MSBuild property
- Map branch name from sourcelink to RepositoryBranch for NuGet pack
- dotnet nuget verify doesn't seem to match the checks run on nuget.org HOT 4
- Package Manager UI fails to load with a NRE due to restore errors HOT 2
- MSB4018 When using central package managing and package is not specified in Directory.Packages.props HOT 6
- Add opt-in warning/error to require a package readme file
- Bubble-up Known Vulnerability Indicators in Solution Explorer for Transitive Packages
- [Bug Bash] Punctuation located incorrectly in the bottom-text of the “License Acceptance” dialog HOT 7
- Make 'why' command available in NuGet.Commands HOT 1
- [Localization] Revert latest changes from 6.11.x branch HOT 1
- Error NU1301 instead of "TLS validation failed" displays when running ‘dotnet restore’ before TLS certificate validation is disabled HOT 9
- dotnet add package stops checking sources on the first failure http code HOT 2
- Can not install signed package with certificate chain building issue HOT 2
- Fetching Vulnerability Resources doesn't respect cancellation HOT 1
- Improve the PM UI (especially update) experience for CPM transitively pinned packages
- PERF: NuGet Cloning operations are showing heavily in allocations during VS solution load
- Consider offering snapshot functionality as an alternative to lock files HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from home.