NuGet Product Used
dotnet.exe
Product Version
10.0.100, but I also tried with the .NET 11 preview from the 17th of April.
Worked before?
Unknown, as file-based apps are new to .NET 10.
Impact
I'm unable to use this version
Repro Steps & Context
I have a .cs script that I'm running with dotnet run. It references a csproj file, that, as of yesterday, happens to indirectly reference a nuget package with vulnerabilities. I fixed this with an explicit reference to the fixed version of the nuget package, at the csproj level, as usual.
Now my script fails with error NU1605: Warning As Error: Detected package downgrade, and no matter what I try, this won't go away.
To Reproduce:
MyScript.cs:
/*
I get:
d:\NugetIssuesWithRunFile\MyScript.csproj : error NU1605: Warning As Error: Detected package downgrade: System.Security.Cryptography.Xml from 9.0.0 to 8.0.3. Reference the package directly from the project to select a different version.
d:\NugetIssuesWithRunFile\MyScript.csproj : error NU1605: MyScript -> ClassLibrary1 -> Microsoft.Identity.Web 3.8.2 -> Microsoft.Identity.Web.TokenCache 3.8.2 -> System.Security.Cryptography.Xml (>= 9.0.0)
d:\NugetIssuesWithRunFile\MyScript.csproj : error NU1605: MyScript -> ClassLibrary1 -> System.Security.Cryptography.Xml (>= 8.0.3)
Even with #:property TreatWarningsAsErrors=true commented out, WarningsNotAsErrors=NU1605 and NuGetAudit=false.
ClassLibrary1 has the explicit downgrade (<PackageReference Include="System.Security.Cryptography.Xml" Version="8.0.3" />), but it doesn't make a difference.
The explicit nuget reference below (#:package [email protected]) makes no difference either.
My scenario uses .NET 8 for the class library, but I also tried .NET 10 in this repro, and it doesn't make a difference.
*/
//#:property TreatWarningsAsErrors=true
#:package [email protected]
#:property WarningsNotAsErrors=NU1605
#:property NuGetAudit=false
#:project ClassLibrary1\ClassLibrary1.csproj
Console.WriteLine("Hello, World!");
ClassLibrary1\ClassLibrary1.csproj:
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net8.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.Bcl.Memory" Version="9.0.15" />
<PackageReference Include="Microsoft.Identity.Web" Version="3.8.2" />
<PackageReference Include="System.Security.Cryptography.Xml" Version="8.0.3" />
</ItemGroup>
</Project>
Verbose Logs
D:\NugetIssuesWithRunFile\dotnet-sdk-11.0.100\dotnet.exe run D:\NugetIssuesWithRunFile\MyScript.cs --verbosity diag
Determining projects to restore...
D:\NugetIssuesWithRunFile\MyScript.cs.csproj : error NU1605:
Warning As Error: Detected package downgrade: System.Security.Cryptography.Xml from 9.0.0 to 8.0.3. Reference the
package directly from the project to select a different version.
MyScript -> ClassLibrary1 -> Microsoft.Identity.Web 3.8.2 -> Microsoft.Identity.Web.TokenCache 3.8.2 -> System.Se
curity.Cryptography.Xml (>= 9.0.0)
MyScript -> System.Security.Cryptography.Xml (>= 8.0.3)
Failed to restore D:\NugetIssuesWithRunFile\MyScript.cs.csproj (in 298 ms).
1 of 2 projects are up-to-date for restore.
Restore failed with 1 error(s) in 1.0s
The build failed. Fix the build errors and run again.
NuGet Product Used
dotnet.exe
Product Version
10.0.100, but I also tried with the .NET 11 preview from the 17th of April.
Worked before?
Unknown, as file-based apps are new to .NET 10.
Impact
I'm unable to use this version
Repro Steps & Context
I have a .cs script that I'm running with dotnet run. It references a csproj file, that, as of yesterday, happens to indirectly reference a nuget package with vulnerabilities. I fixed this with an explicit reference to the fixed version of the nuget package, at the csproj level, as usual.
Now my script fails with error NU1605: Warning As Error: Detected package downgrade, and no matter what I try, this won't go away.
To Reproduce:
MyScript.cs:
ClassLibrary1\ClassLibrary1.csproj:
Verbose Logs