I have a project that requires the System.ServiceModel.Http NuGet package.
That particular package references 6 other packages transitively.
One of the transitive packages has an identified vulnerability (System.Security.Cryptography.Pkcs).
I know I can promote the package to Top-level and then control the version. But my question is, is there any way to update the version of the transitive package without promoting it?
The scenario I am trying to avoid is:
- MyProject references PackageA v1
- PackageA v1 references PackageB (which I then promote)
- PackageA v2 is released and it no longer depends on PackageB
- Now MyProject has an unnecessary reference to PackageB (which I have to remember to remove)

Directly Update Transitive Dependency:
Since you've identified that the vulnerability lies in the transitive package System.Security.Cryptography.Pkcs, you can directly update its version to a fixed version that doesn't have the vulnerability.
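As an added example (not code from the question or this answer), the following `Directory.Packages.props` shows one way to apply that version update without adding a top-level `PackageReference` to MyProject: NuGet Central Package Management with transitive pinning enabled. The package names come from the question; the version values are placeholders, and it assumes the project has been switched to Central Package Management.

```xml
<!-- Directory.Packages.props (added example, not the answerer's own code).
     Assumes Central Package Management is enabled for the solution; the
     version numbers are placeholders for the actual releases in use. -->
<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <!-- With transitive pinning on, a PackageVersion entry also applies to
         packages that are only reached transitively, so MyProject.csproj
         does not need to promote System.Security.Cryptography.Pkcs. -->
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>

  <ItemGroup>
    <!-- The package MyProject actually uses (placeholder version). -->
    <PackageVersion Include="System.ServiceModel.Http" Version="PLACEHOLDER-VERSION" />
    <!-- Transitive only: pinned to the fixed release (placeholder version)
         without becoming a top-level reference in MyProject.csproj. -->
    <PackageVersion Include="System.Security.Cryptography.Pkcs" Version="PLACEHOLDER-FIXED-VERSION" />
  </ItemGroup>
</Project>
```

With this in place, `MyProject.csproj` keeps only `<PackageReference Include="System.ServiceModel.Http" />` (no `Version` attribute under Central Package Management). If a later System.ServiceModel.Http no longer depends on the Pkcs package, the `PackageVersion` line simply stops matching anything in the graph rather than leaving MyProject with an unnecessary direct reference. After restoring, `dotnet list package --include-transitive --vulnerable` confirms whether the pinned version resolved and whether any flagged package remains in the graph.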