Import Packages.props so central package versions actually apply#537
Open
Kaegun wants to merge 1 commit into
src/Packages.props defines the central PackageVersion_* properties but was never imported by any build file. As a result every <PackageReference Version="$(PackageVersion_*)"/> resolved to an empty version, so NuGet selected the oldest version on the feed (e.g. Newtonsoft.Json 3.5.8, Azure.Identity 1.0.0, System.Formats.Asn1 5.0.0). These surface as security vulnerabilities in the solution and, via the nuspec $PackageVersion_*$ tokens, as missing dependency lower bounds in the published packages. Importing Packages.props from src/Directory.Build.props makes the intended (non-vulnerable) pinned versions take effect. Restore no longer reports any NU1903/NU1902 (vulnerable) or NU1604/NU1602 (no lower bound) warnings; only the expected internal-feed NU1102 for Microsoft.Xrm.Sdk remains. Also bumps global.json SDK 6.0.406 -> 8.0.100 (rollForward latestFeature) so the net8.0 targets restore on a supported SDK. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Problem
Building the solution (or consuming the published Microsoft.PowerPlatform.Dataverse.Client package) pulls in very old, vulnerable transitive package versions — e.g. Newtonsoft.Json 3.5.8, Azure.Identity 1.0.0 (deprecated), System.Formats.Asn1 5.0.0, Microsoft.Rest.ClientRuntime 0.9.4 (deprecated). Visual Studio's NuGet "Show only vulnerable" view lists them, and dotnet restore reports NU1903/NU1902 security advisories plus many NU1604/NU1602 "does not contain an inclusive lower bound" warnings.

Root cause

src/Packages.props defines the central PackageVersion_* properties, but no build file imports it. Neither Directory.Build.props (root or src/) nor the Build.Common.* props import it. Consequently every <PackageReference Version="$(PackageVersion_XXX)" /> evaluates to an empty version string, so NuGet treats it as having no lower bound and resolves the oldest version available on the feed.

The same empty values feed the nuspec version="[$PackageVersion_XXX$,)" tokens, producing dependencies with no lower bound ([,)) in the published packages — which is why downstream consumers also pull the ancient versions.

Fix

Import Packages.props from src/Directory.Build.props (auto-imported by every project under src/), so the intended, non-vulnerable pinned versions take effect:

Also bump global.json SDK 6.0.406 → 8.0.100 (rollForward: latestFeature) so the net8.0 targets restore on a supported SDK (.NET 6 is EOL).

Verification

dotnet restore of DataverseClient.sln, before vs after:

- NU1903/NU1902 (vulnerable package)
- NU1604/NU1602 (no lower bound)
- ServiceClientConverter (public deps only)
- NU1102 for internal Microsoft.Xrm.Sdk 9.2.x-master (expected; not on public feed)

Notes / caveats

- Microsoft.Xrm.Sdk, Microsoft.Crm.Sdk.Proxy at 9.2.x-master) are untouched; they resolve on Microsoft's internal feed.
- Packages.props via a file not present in the public repo, this import is a harmless duplicate (same property values). If a different wiring is preferred, happy to adjust.

Attribution

This investigation and fix were developed with the assistance of Claude Code (Anthropic). The root cause was diagnosed by reproducing the restore, correlating the NU1604/NU1903 warnings with the orphaned Packages.props, and verifying the fix removes all vulnerable-version resolutions.

🤖 Generated with Claude Code
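An added check for the failure mode this PR describes (example code, not part of the PR or the project): it evaluates each PackageReference Version expression against the props files actually in the import chain and flags references that would restore with an empty version and therefore no lower bound. The property name, file contents and pinned value below are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Matches MSBuild property references such as $(PackageVersion_Foo).
PROP_REF = re.compile(r"\$\(([A-Za-z0-9_]+)\)")

def _local(tag: str) -> str:
    """Strip the XML namespace that older MSBuild project files declare."""
    return tag.rsplit("}", 1)[-1]

def defined_properties(props_xml: str) -> dict:
    """Map property name -> value for every <PropertyGroup> child in a props file."""
    props = {}
    for el in ET.fromstring(props_xml).iter():
        if _local(el.tag) == "PropertyGroup":
            for prop in el:
                props[_local(prop.tag)] = (prop.text or "").strip()
    return props

def unresolved_package_versions(project_xml: str, imported_props: list) -> list:
    """Return (package, version_expr) for each PackageReference whose Version
    references a $(Property) that no imported props file defines, or defines
    as empty. Such a reference evaluates to Version="" and restores with no
    lower bound, so NuGet picks the oldest version on the feed."""
    known = {}
    for xml in imported_props:  # later imports override earlier ones
        known.update(defined_properties(xml))
    findings = []
    for el in ET.fromstring(project_xml).iter():
        if _local(el.tag) != "PackageReference":
            continue
        version = el.get("Version") or next(
            (c.text or "" for c in el if _local(c.tag) == "Version"), "")
        if any(not known.get(name) for name in PROP_REF.findall(version)):
            findings.append((el.get("Include"), version))
    return findings

# Constructed sample files; the property name and pinned value are hypothetical.
PACKAGES_PROPS = """<Project><PropertyGroup>
  <PackageVersion_NewtonsoftJson>13.0.3</PackageVersion_NewtonsoftJson>
</PropertyGroup></Project>"""
DIRECTORY_BUILD_PROPS = "<Project><PropertyGroup><LangVersion>latest</LangVersion></PropertyGroup></Project>"
CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Newtonsoft.Json" Version="$(PackageVersion_NewtonsoftJson)" />
  <PackageReference Include="Example.Pinned" Version="1.2.3" />
</ItemGroup></Project>"""

if __name__ == "__main__":
    print(unresolved_package_versions(CSPROJ, [DIRECTORY_BUILD_PROPS]))  # the bug: 1 finding
    print(unresolved_package_versions(CSPROJ, [DIRECTORY_BUILD_PROPS, PACKAGES_PROPS]))  # []
```

Pass the props files in the order MSBuild imports them; an empty result after adding Packages.props to the chain is the condition the PR's import restores.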