Skip to content

File-based apps - unable to recover from "NU1605: Warning As Error: Detected package downgrade" #14869

@KostasVsNT

Description

@KostasVsNT

NuGet Product Used

dotnet.exe

Product Version

10.0.100, but I also tried with the .NET 11 preview from the 17th of April.

Worked before?

Unknown, as file-based apps are new to .NET 10.

Impact

I'm unable to use this version

Repro Steps & Context

I have a .cs script that I'm running with dotnet run. It references a csproj file, that, as of yesterday, happens to indirectly reference a nuget package with vulnerabilities. I fixed this with an explicit reference to the fixed version of the nuget package, at the csproj level, as usual.

Now my script fails with error NU1605: Warning As Error: Detected package downgrade, and no matter what I try, this won't go away.

To Reproduce:

MyScript.cs:

/*
I get:

d:\NugetIssuesWithRunFile\MyScript.csproj : error NU1605: Warning As Error: Detected package downgrade: System.Security.Cryptography.Xml from 9.0.0 to 8.0.3. Reference the package directly from the project to select a different version. 
d:\NugetIssuesWithRunFile\MyScript.csproj : error NU1605:  MyScript -> ClassLibrary1 -> Microsoft.Identity.Web 3.8.2 -> Microsoft.Identity.Web.TokenCache 3.8.2 -> System.Security.Cryptography.Xml (>= 9.0.0) 
d:\NugetIssuesWithRunFile\MyScript.csproj : error NU1605:  MyScript -> ClassLibrary1 -> System.Security.Cryptography.Xml (>= 8.0.3)

Even with #:property TreatWarningsAsErrors=true commented out, WarningsNotAsErrors=NU1605 and NuGetAudit=false.

ClassLibrary1 has the explicit downgrade (<PackageReference Include="System.Security.Cryptography.Xml" Version="8.0.3" />), but it doesn't make a difference.

The explicit nuget reference below (#:package [email protected]) makes no difference either.

My scenario uses .NET 8 for the class library, but I also tried .NET 10 in this repro, and it doesn't make a difference.
*/

//#:property TreatWarningsAsErrors=true

#:package [email protected]

#:property WarningsNotAsErrors=NU1605

#:property NuGetAudit=false

#:project ClassLibrary1\ClassLibrary1.csproj

Console.WriteLine("Hello, World!");

ClassLibrary1\ClassLibrary1.csproj:

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
	<TargetFramework>net8.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Microsoft.Bcl.Memory" Version="9.0.15" />
    <PackageReference Include="Microsoft.Identity.Web" Version="3.8.2" />
    <PackageReference Include="System.Security.Cryptography.Xml" Version="8.0.3" />
  </ItemGroup>

</Project>

Verbose Logs

D:\NugetIssuesWithRunFile\dotnet-sdk-11.0.100\dotnet.exe run D:\NugetIssuesWithRunFile\MyScript.cs --verbosity diag

    Determining projects to restore...
    D:\NugetIssuesWithRunFile\MyScript.cs.csproj : error NU1605:
      Warning As Error: Detected package downgrade: System.Security.Cryptography.Xml from 9.0.0 to 8.0.3. Reference the
      package directly from the project to select a different version.
       MyScript -> ClassLibrary1 -> Microsoft.Identity.Web 3.8.2 -> Microsoft.Identity.Web.TokenCache 3.8.2 -> System.Se
      curity.Cryptography.Xml (>= 9.0.0)
       MyScript -> System.Security.Cryptography.Xml (>= 8.0.3)
    Failed to restore D:\NugetIssuesWithRunFile\MyScript.cs.csproj (in 298 ms).
    1 of 2 projects are up-to-date for restore.

Restore failed with 1 error(s) in 1.0s

The build failed. Fix the build errors and run again.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions