Update version of package that's internally referenced from another package - x509

My project uses .NET Standard Library version 2.1.0. One of the packages that it references is System.Net.WebSockets.Client version 4.0.2.0. This package in its turn has a dependency on System.Security.Cryptography.X509Certificates version 4.1.0. As a result, when I restore before build, this particular version gets downloaded. The issue is version 4.1.0 of System.Security.Cryptography.X509Certificates has a known vulnerability and should get updated to 4.1.2 which has the vulnerability fixed.
I am not sure how to update the version of a package that is being internally referenced from another package which itself is part of the .NET Standard Library.
I am getting flagged in my build for using the non-compliant version of the X509Certificates package. Any pointers in this regard would be much appreciated.
Thanks.

Related

Why can't I install Microsoft.EntityFrameworkCore.Sqlite?

I am following this tutorial:
https://learn.microsoft.com/en-us/ef/core/get-started/overview/first-app?tabs=visual-studio
I am immediately stopped because I can not complete the following command:
Install-Package Microsoft.EntityFrameworkCore.Sqlite
This is the error:
Could not install package 'Microsoft.EntityFrameworkCore.Sqlite.Core 7.0.0'. You are trying to install a package into a project that targets '.NETFramework,Version=v4.7.2', but the package does not contain any assembly references or content files that are compatible with that framework. For more information, contact the package author.
I am attempting to learn how to use the Entity Framework and so I don't know much regarding this. Any advice would be helpful even if it's a link to something I need to read.
About the tutorial
The tutorial is about .netCore but in the error message you can see that you created a .netFramework project '.NETFramework,Version=v4.7.2'.
Create a new console application, but don't select projects that have (.NET Framework) in the description.
About the Sqlite package (only if you continue practicing with .netFramework)
The command Install-Package Microsoft.EntityFrameworkCore.Sqlite will try to install the latest version. Currently, the latest version is 7.0.0. This version only works with .NET 6.0.
You can check existing .net versions right here
So, you need to specify the version. The version for .NET 4.7.2 is 3.1.31.
Install-Package Microsoft.EntityFrameworkCore.Sqlite -Version 3.1.31
Nuget Sqlite package info here

Mac - VS 8.10 - New 3.1 Project - Install Postsharp

I created a new, console application. Nuget => Add PostSharp =>
Reading project file /Users/jason/Projects/Postsharp/Postsharp/Postsharp.csproj.
Restoring packages for /Users/jason/Projects/Postsharp/Postsharp/Postsharp.csproj...
Restoring packages for .NETCoreApp,Version=v3.1...
Resolving conflicts for .NETCoreApp,Version=v3.1...
Cycle detected.
Postsharp -> PostSharp (>= 6.10.6).
Checking compatibility of packages on .NETCoreApp,Version=v3.1.
Checking compatibility for Postsharp 1.0.0 with .NETCoreApp,Version=v3.1.
Checking compatibility for Serilog 2.10.0 with .NETCoreApp,Version=v3.1.
All packages and projects are compatible with .NETCoreApp,Version=v3.1.
Package restore failed.
Rolling back package changes for 'Postsharp'.
Cycle Detected?
Geez, what am I doing wrong?
Thanks,
Jason
This is caused by naming your project PostSharp and having a dependency on the package of the same name.
Daniel, you were right, the project name was part of the problem.
The biggest issue was I needed to manually set PostSharpDependencyRestoreDisabled=True and then I had to manually add all the referenced Nuget packages. It was annoying, but at least it works now.
Thanks!

Visual Studio 2019 Nuget cannot find a package

My packages.config has this entry:
<package id="xxxxxx" version="3.0.0" allowedVersions="[3.0,3.3)" targetFramework="net452" />
Now there is no package xxxxxxx at version 3.0.0 (there might have been, once upon a time), but I am allowing anything between 3.0 and 3.3. I do have a package at 3.1.0, and I expected that nuget would find that one and pick it up, but I get the error
Unable to find version '3.0.0' of package xxxxxxxx
Questions:
Why does nuget not say, "oh I can't find 3.0.0 but I'm allowed to use anything from 3.0 to 3.3 and I have 3.1.0. I'll use that!"
What is the correct config to use to make it pick up the highest available version in the allowed range?
In packages.config, every dependency is listed with an exact
version attribute that's used when restoring packages. The
allowedVersions attribute is used only during update operations to
constrain the versions to which the package might be updated.
Source: https://learn.microsoft.com/en-us/nuget/concepts/package-versioning#references-in-project-files-packagereference
If you want to use ranges in your project, you will have to switch to References in project files (PackageReference), but keep in mind:
NuGet 2.8.x and earlier chooses the latest available package version
when resolving a dependency, whereas NuGet 3.x and later chooses the
lowest package version.
Option to always resolve to highest version was proposed and rejected: https://github.com/NuGet/Home/issues/1192
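The three behaviours this answer describes, run against the question's own values, as an added example (not code from the answer or from NuGet). The function names are hypothetical, the feed contents other than 3.1.0 are constructed, and an update is modelled as picking the highest version that allowedVersions permits.

```python
def parse_version(text):
    """'3.1' -> (3, 1, 0, 0). Numeric versions only; pre-release labels are out of scope."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def parse_range(spec):
    """NuGet interval notation -> (low, low_inclusive, high, high_inclusive)."""
    spec = spec.strip()
    if not spec:
        raise ValueError("empty version range")
    if spec[0] not in "[(":              # bare "3.0" means ">= 3.0"
        return parse_version(spec), True, None, False
    if spec[-1] not in "])":
        raise ValueError(f"unterminated range: {spec!r}")
    low_inc, high_inc = spec[0] == "[", spec[-1] == "]"
    bounds = [b.strip() for b in spec[1:-1].split(",")]
    if len(bounds) == 1:                 # "[3.0.0]" is an exact pin
        if not (low_inc and high_inc):
            raise ValueError(f"invalid range: {spec!r}")
        exact = parse_version(bounds[0])
        return exact, True, exact, True
    if len(bounds) != 2:
        raise ValueError(f"invalid range: {spec!r}")
    low = parse_version(bounds[0]) if bounds[0] else None
    high = parse_version(bounds[1]) if bounds[1] else None
    return low, low_inc, high, high_inc

def satisfies(version, spec):
    low, low_inc, high, high_inc = parse_range(spec)
    v = parse_version(version)
    above = low is None or v > low or (low_inc and v == low)
    below = high is None or v < high or (high_inc and v == high)
    return above and below

def restore_packages_config(version, feed):
    """Restore: only the exact 'version' attribute is looked up; the range is ignored."""
    wanted = parse_version(version)
    return next((v for v in feed if parse_version(v) == wanted), None)

def update_packages_config(allowed_versions, feed):
    """Update (assumed model): highest feed version that allowedVersions permits."""
    ok = [v for v in feed if satisfies(v, allowed_versions)]
    return max(ok, key=parse_version, default=None)

def restore_package_reference(version_range, feed):
    """PackageReference on NuGet 3.x and later: lowest feed version inside the range."""
    ok = [v for v in feed if satisfies(v, version_range)]
    return min(ok, key=parse_version, default=None)

FEED = ["3.1.0", "3.2.0", "3.3.0"]       # constructed; the question only confirms 3.1.0 exists
```

Because a range resolves to its lowest match, the lower bound is what decides which version a build actually receives, so a range whose floor sits below a patched release does not pull that release in.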

Unable to resolve dependencies. 'xxx' is not compatible with 'yyy constraint: zzz)'

We have a project that is utilizing a set of Nuget-based Azure libraries. One of them was published with a specific MIN and MAX dependency on Newtonsoft.Json (max version being 7).
This was a headache, because other libraries depend on 8+ versions of Newton and this specific Azure library is just fine working with any modern Json package.
In VS2013, we forced the install of this Azure library with a newer version of the Json package through the nuget installer and subsequently, Nuget never gave us any issues installing/updating other libraries.
However, after upgrading to VS2017, we cannot update any package (or at least the ones that depend on Json) and we get the error below.
Unable to resolve dependencies. 'Newtonsoft.Json 8.0.3' is not compatible with 'Microsoft.Azure.Insights 0.15.0-preview constraint: Newtonsoft.Json (>= 6.0.8 && < 7.0.0)'
How do we have Nuget ignore that specific Azure library's unimportant MAX version dependence?
How do we have Nuget ignore that specific Azure library's unimportant MAX version dependence?
If you confirm that the Azure library is just fine working with any modern Json package and you want to use Microsoft.Azure.Insights 0.15.0-preview and an 8+ version of Newtonsoft.Json at the same time, I would like to provide a workaround for you; hope this can help you.
Detailed Steps:
Install the package Microsoft.Azure.Insights 0.15.0-preview with its dependencies first.
Only uninstall the package Microsoft.Azure.Insights 0.15.0-preview; keep the dependencies installed.
Update the Newtonsoft.Json to the version 8+.
Install the package Microsoft.Azure.Insights 0.15.0-preview in the Package Manager Console with the following NuGet command:
Install-package Microsoft.Azure.Insights -IncludePrerelease -IgnoreDependencies
With the option -IgnoreDependencies, NuGet will ignore that specific Azure library's unimportant MAX version dependence.
Note: if you update the Newtonsoft.Json package next time, you still need to follow the steps above to upgrade your Newtonsoft.Json package.

AutoFixture.Xunit with Xunit.net 2.0 beta

I've already moved to the xunit.net 2.0 beta version, but need some feature from AutoFixture, which still depends on the current 1.9.2 stable release (CompositeDataAttribute). As far as I see, AutoFixture.Xunit hasn't been upgraded yet (when?)
When I just try to install AutoFixture.Xunit with nuget, it complains of the conflict with its dependency on xunit 1.9.2, and if I ignore dependencies it compiles but tests are not being run (at least by the VS2013 and Resharper runners).
Any suggestions? Thanks
Support for xUnit.net 2 was added to AutoFixture on April 8 2015. It was added as a new NuGet package, in order to make it optional if and when to migrate to xUnit.net 2. Thus, there are two Glue Library packages for AutoFixture and xUnit.net:
AutoFixture.Xunit for use with xUnit.net 1.x
AutoFixture.Xunit2 for use with xUnit.net 2.x