This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 52%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Microsoft.EntityFrameworkCore.SQLServer 8.0.1 (latest version) has High vulnerabilities due to transitive dependencies on Azure.Identity 1.7.0 and Microsoft.Data.SQLClient5.1.1.
Both these dependent packages have a non vulnerable latest version.
When will a new patch version for Microsoft.EntityFrameworkCore.SQLServer be released with no vulnerabilities on its transitive dependencies by using the non vulnerable versions for its dependencies?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 16%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWG%3C/text%3E%3C/svg%3E)
When you install the latest version of a package from Nuget, it brings in transitive dependencies. If you directly reference a newer version, then that version will be due to the nearest wins rule. be chosen. On how to get rid of the transitive dependency vulnerability, you can refer to the following methods:
<itemgroup>
<packagereference include="Microsoft.EntityFrameworkCore.SqlServer" Version="8.0.1">
</packagereference></itemgroup>
You can modify it to another safe version. 2. Use other .net frameworks. Because the Microsoft.EntityFrameworkCore.SQLServer 8.0.1 you are using only works with .NET 8.0, you can try using .NET 6.0 or .NET 7.0. At this time you can choose to use Microsoft.EntityFrameworkCore.SQLServer 6 or Microsoft.EntityFrameworkCore.SQLServer 7
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 63%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
Sorry, this is not a solution. Imagine that I have a visual studio solution with many projects, each of which uses its own database and therefore each of which references EF8. I would then have to include the explicit dependency on Azure.Identity in every project. Then when the real solution (updated version of Microsoft.EntityFrameworkCore.SQLServer) does come out, I have to remember this and go back and undo it all.
Yes, if I had only one top-level project I could just reference Azure.Identity there. But I don't; I have many top-level projects (i.e., web applications) that reference the same set of dependent projects.
This is forcing me into a tangled mess to overcome what should have been a simple update of Microsoft.EntityFrameworkCore.SQLServer when its transitive vulnerabilities were discovered. Here we are in May 2024 and there's still no update. It's not a happy situation.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
the nuget Microsoft.EntityFrameworkCore.SQLServer package only specifies the min supported version of these libraries. there is no reason to update. you can specify the specific desired versions in your project, which controls the deployed version.
When we install the latest version of the package from Nuget it brings in the transitive dependencies which are vulnerable as it’s seen from Manage Nuget packages in Visual Studio. What is the best way to get rid of the vulnerabilities of the transitive dependencies. I do not want to make them as direct dependency by installing their latest version, since I am not using them either.
your project is responsible for deploying all dependencies. It makes sense it has the full bill of materials, and specifies the deployed version of each nuget package.
but you can use nuget Central Package Management:
https://devblogs.microsoft.com/nuget/introducing-central-package-management/
I don't believe you're grasping the nature of transitive dependencies. See above.
transitive dependencies, by design, only reference the minimum required dependent version, not the latest patched. additional tools are required in the deployment to ensure latest versions (Central Package Management: being a start). currently there is no great tool that walks the nuget dependancies and updates them. The easiest method is still adding them as explicit dependencies in the deployment project.