NuGet Package Dependency Auto Upgrade - nuget

I have a private NuGet package that I'm installing on an existing project. The project already contains several of the dependencies the private NuGet package requires but at a lower version than what the private package requires. When I try to install the private package the installation throws an error (no error number)
Package restore failed. Rolling back package changes for
'ConsoleApp1'.
In the package manager output it is reporting a
Detected package downgrade
Since the package that it's referencing is a public package on NuGet.org I would expect at a minimum to be prompted to upgrade the dependency during the installation process instead of erroring and rolling back. I know packages that are not already included in the project are being installed automatically and can see that in the logs.
I've seen other postings that range from ignoring the warning/error to a pre-build script that does the upgrade (which is not an option for installing new packages).
Can the package manager be instructed to automatically upgrade the existing packages to at least the minimum version the dependency list has defined?

Afraid not.
It's not really a trivial problem to solve - suppose it uses the approach you suggested and your project currently references packageA v1.0.0 and packageB v1.0.0.
You add a new package with a dependency on package A v2.0.0.
It prompts you to upgrade packageA from 1.0.0 to 2.0.0 to avoid a downgrade.
But packageA 2.0.0 has a new dependency on packageB at 2.0.0, which causes a downgrade for you on that package.
Every new upgrade in turn can trigger new upgrades. You can also engineer scenarios where there isn't even a way to upgrade other packages to make it all work. On top of that all of this requires fetching lots of information from your package source.
Since there's not a clear, general way to fix this the tooling leaves you to work out what you want to do yourself.
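To make the cascade in this answer concrete, here is a toy resolver added as an illustration (it is not code from the answer or from NuGet itself). The feed, packageA through packageD and their versions, is constructed; dependency ranges follow NuGet's meaning of a bare version ("at least this") and of a "[low, high)" pin.

```python
# Constructed sample feed: (package, version) -> {dependency: (low, high)}.
# high=None means no upper bound, which is what a bare NuGet dependency version
# such as "2.0.0" means; packageD's "[1.0.0,2.0.0)"-style pin has high=(2,0,0).
CATALOG = {
    ("packageA", (1, 0, 0)): {},
    ("packageA", (2, 0, 0)): {"packageB": ((2, 0, 0), None)},
    ("packageB", (1, 0, 0)): {},
    ("packageB", (2, 0, 0)): {},
    ("packageC", (1, 0, 0)): {"packageA": ((2, 0, 0), None)},
    ("packageD", (1, 0, 0)): {"packageB": ((1, 0, 0), (2, 0, 0))},
}

def in_range(version, rng):
    low, high = rng
    return version >= low and (high is None or version < high)

def detect_downgrades(installed, package):
    """Direct dependencies of `package` that the project already holds below the
    required minimum: the condition NuGet reports as 'Detected package downgrade'."""
    return [(dep, installed[dep], rng[0]) for dep, rng in CATALOG[package].items()
            if dep in installed and installed[dep] < rng[0]]

def auto_upgrade(installed, package):
    """The 'just upgrade it to the minimum' policy from the question, applied
    transitively. Returns (resulting graph, forced upgrades, unsatisfied ranges);
    a non-empty third element is the case the answer says has no fix."""
    graph, forced, queue = dict(installed), [], [package]
    while queue:
        name, version = queue.pop(0)
        graph[name] = version
        for dep, (low, _high) in CATALOG[(name, version)].items():
            current = graph.get(dep)
            if current is None or current < low:
                if current is not None:
                    forced.append((dep, current, low))   # one upgrade triggers the next
                graph[dep] = low
                queue.append((dep, low))
    broken = [(name, dep, graph.get(dep)) for name, version in graph.items()
              for dep, rng in CATALOG[(name, version)].items()
              if dep not in graph or not in_range(graph[dep], rng)]
    return graph, forced, broken

if __name__ == "__main__":
    project = {"packageA": (1, 0, 0), "packageB": (1, 0, 0), "packageD": (1, 0, 0)}
    print("downgrades:", detect_downgrades(project, ("packageC", (1, 0, 0))))
    _, forced, broken = auto_upgrade(project, ("packageC", (1, 0, 0)))
    print("forced upgrades:", forced)
    print("left unsatisfiable:", broken)
```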

Related

Removing dependency on a specific vulnerable package

According to a recent JFrog Xray scan, our application (.NET 5) has a "critical" vulnerability due to a dependency on a specific version of Microsoft.NETCore.Platforms. There is a newer version of the package with the vulnerability resolved that I want my project to use instead. The problem I'm having is that this is not a package that we've explicitly added to the project, but rather a dependency that some other packages have, so simply adding the newer version of the package to the project isn't enough to remove the dependency entirely; I can still see references to the "bad" version appearing in project.assets.json. Upgrading to the latest version of the top-level packages has helped, but has still left some references to the "bad" version of Microsoft.NETCore.Platforms via dependencies of dependencies of dependencies.
E.g., we're using the very latest version of Microsoft.ApplicationInsights, but this has a dependency on System.Diagnostics.PerformanceCounter, which has a dependency on the "bad" Microsoft.NETCore.Platforms.
TL;DR: I want to be able to tell my project "If you have a dependency on this package anywhere in your dependency tree, don't use version X, use version Y instead", but I'm not sure if there exists a way to do this.
You can't change what version of a library your dependencies use because that could easily introduce breaking changes. This is the modern version of DLL hell.
The answer is to update the library that has the old dependency. If it's open source, you can do this yourself and use your forked version with the updated dependencies. If you don't have access to the source then you will have to contact the developer and tell them about the vulnerability.
If the developer is Microsoft, godspeed.
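A defender-side check for the situation in the question, added here and not part of the original post or answer: it walks a constructed file in the layout of project.assets.json (each resolved package appears once under "targets", top-level references under "project") and lists every chain from a top-level reference down to the resolved vulnerable version. The package names are the ones from the question; the version numbers and the target framework moniker are made up.

```python
import json
# Constructed sample in the layout of project.assets.json: "targets" lists each
# resolved package once, with the dependency ranges it declares, and "project"
# lists the top-level references. Names are from the question; versions are made up.
ASSETS_JSON = """{
 "targets": {"net5.0": {
   "Microsoft.ApplicationInsights/9.0.0": {"type": "package",
     "dependencies": {"System.Diagnostics.PerformanceCounter": "9.0.0"}},
   "System.Diagnostics.PerformanceCounter/9.0.0": {"type": "package",
     "dependencies": {"Microsoft.NETCore.Platforms": "1.0.0"}},
   "Microsoft.NETCore.Platforms/1.0.0": {"type": "package"},
   "Newtonsoft.Json/13.0.0": {"type": "package"}}},
 "project": {"frameworks": {"net5.0": {"dependencies": {
   "Microsoft.ApplicationInsights": {"target": "Package", "version": "[9.0.0, )"},
   "Newtonsoft.Json": {"target": "Package", "version": "[13.0.0, )"}}}}}
}"""

def load_assets(text=ASSETS_JSON):
    return json.loads(text)

def resolved_packages(assets, tfm):
    """name -> (resolved version, declared dependency names) for one target framework."""
    graph = {}
    for key, entry in assets["targets"][tfm].items():
        name, version = key.split("/", 1)
        graph[name] = (version, list(entry.get("dependencies", {})))
    return graph

def chains_to(assets, tfm, package, bad_version):
    """Every path from a top-level reference down to package/bad_version, so the
    'dependency of a dependency of a dependency' case is visible by name."""
    graph = resolved_packages(assets, tfm)
    found = []
    def walk(name, path):
        if name not in graph:   # e.g. a reference with no package entry in this target
            return
        version, deps = graph[name]
        path = path + [f"{name}/{version}"]
        if name == package and version == bad_version:
            found.append(path)
        for dep in deps:
            walk(dep, path)
    for root in assets["project"]["frameworks"][tfm]["dependencies"]:
        walk(root, [])
    return found

if __name__ == "__main__":
    for chain in chains_to(load_assets(), "net5.0", "Microsoft.NETCore.Platforms", "1.0.0"):
        print(" -> ".join(chain))
```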

Why is the latest stable version of Newtonsoft showing in Nuget Package Manager as 12.0.3 in one project and as 9.0.1 in another?

In my class library, Manage Nuget Packages shows the latest stable version of Newtonsoft as 12.0.3. In another application that references the class library, Manage Nuget Packages shows the latest stable version of Newtonsoft as 9.0.1.
What would explain that difference, and how is it fixed in Visual Studio 2019? When I try to compile the application, it fails with the error that the class library's version of Newtonsoft is newer.
EDIT: I think I've found the reason: in the top right corner of the window the package source for the application was not nuget.org but Visual Studio Offline Sources.
Why is the latest stable version of Newtonsoft showing in Nuget Package Manager as 12.0.3 in one project and as 9.0.1 in another?
When you install a nuget package, you should select the right nuget package source.
As it shows, Visual Studio Offline Sources is your local nuget cache. A nuget package version has to have been downloaded before it exists in this data source. So it depends on you, and not all versions of the package are displayed.
nuget.org is the ultimate destination for developers releasing nuget packages. You can find every version of the package here. So you should check this link.
Check and enable that link.
Then, open Nuget Package Manager UI and choose nuget.org and you can find it.

What is the effect of Updating NuGet Package Manager on Existing Projects?

I am working on VS2012 and have an issue with installing the Twilio Package via NuGet. It asks me to update NuGet Package Manager. I am concerned whether updating NuGet Package Manager will have an effect on all the projects that are running without any issue. What are the effects of Package Manager updates on existing projects or solutions?
Coming from the Python world, I will attempt to see if I can help you here. Is the concern that a specific package will no longer be available to you if you do a global update on your NuGet package manager?
Is it possible then for you to install a specific NuGet version in a virtual machine encapsulating the project where you want to run with the Twilio package?
Otherwise, assuming all of the packages you use are regularly maintained, I'm not sure how an update to a package manager would affect them.

Can I exclude a package from being automatically updated by NUGET?

In a project we have Umbraco 7.3.4 and it has a dependency for JSON.NET <= 6.0.8. When I'm trying to install other 3rd party packages which require JSON.NET >= 8.0.0, this forces Umbraco to automatically update to version 7.4, which I don't want.
Putting aside considerations of pros and cons of making a hack, I am happy to do a hack because I know that Umbraco works with JSON.NET 8.0.0. The question is how to disable in Nuget automatic update (dependency resolving) only for the Umbraco package? In an ideal case (and much better one) I would only want to ignore JSON.NET dependency for Umbraco package, but let Nuget update Umbraco package if any other cross-dependency update requires this.
Many thanks for any advice.
This isn't an Umbraco feature but a Nuget feature; you can include the flag -IgnoreDependencies, but it's not selective as far as I am aware. Beware you may well miss other dependencies that could cause you to end up in dependency hell!
Example:
Update-Package Newtonsoft.Json -Version 8.0.0 -IgnoreDependencies
Nuget Documentation:
-IgnoreDependencies
Installs only this package and not its dependencies.
Required: false
See https://docs.nuget.org/consume/package-manager-console-powershell-reference
Warning: Backup your project before attempting this so you can roll it back in the event of a problem!

Search and Select Specific package version using Nuget Package Manager

How can I search for a specific version of a package using the "Manage Packages" dialog and install in to current project?
I am trying to install "Fluent NHibernate 1.3.0.717", however the search only shows "Fluent NHibernate 1.2.0.712" .
I am aware that I can install specific version using the Package Manager console, but I want to know how can it be done via Manage Packages GUI.
There's currently no way to get a specific version of a package in NuGet Package Manager.
For simplicity the NuGet Package Manager's current behavior is to show the latest versions only. The console offers more control over which versions can be installed.
But, in your case, the dialog should show 1.3.0.717. I filed a bug (#468) against the NuGet Gallery, since 1.2.0.712 is marked as the latest: http://nuget.org/packages/FluentNHibernate/1.3.0.717