Just installed a clean 13.5.2 environment and see...
# help-with-umbraco
r
Just installed a clean environment and see the following messages directly:
warning NU1903: Package 'Lucene.Net.Replicator' 4.8.0-beta00016 has a known high severity vulnerability
warning NU1903: Package 'System.Text.Json' 8.0.4 has a known high severity vulnerability
13.5.3 out soon?
l
:o I just updated to latest v13 yesterday and don't see any vulnerability notices
k
Then you're probably not including transitive packages. The two examples above are from Umbraco.Cms 13.5.2 (and also come from optional Umbraco packages, e.g., Umbraco Forms and the Azure Blob Storage Provider).
14.latest is about the same. Haven't checked 15.latest, but I can venture a guess.
l
I have the same issue. It seems that a lot of transitive vulnerabilities popped up recently. Since I always use 'treat warnings as errors', I couldn't build some packages, since it won't allow vulnerable dependencies. For now I included a non-vulnerable version of those packages as a top-level package, but it's not ideal, maintenance-wise.
s
You can specify specific error codes, e.g. NU1903, with NU1903 in your csproj. Then it will give the warning, but not count it as an error.
And yes, the proper thing to do is to take a dependency on the non-vulnerable versions. We could release a new version of the CMS every week instead but that would also not make anyone happy. Each new CMS release will update the dependencies of course, so either you wait or take a direct dependency.
r
Awesome that helped!
n
Also... you can get around the Lucene one I think by installing the latest version of Examine - this has bumped its Lucene dependency (came out last week I think).
k
As a package developer I am struggling to know which way to go with this. Traditionally I build the packages against the lowest possible version that they will work on (e.g. v13.0.0), so if you get someone picking up and installing your package it will work with every version above that. My understanding is, if I install Umbraco v13.2.5 and a package that requires say 13.0, then the actual Umbraco DLLs used will be the v13.2.5 ones? (Am I wrong?) Whereas if I have Umbraco v13.2 installed and the package requires v13.4, then the v13.4 DLLs will override the core ones and the package has just upgraded my site? (Or at least the fact that the package will have a v13.4 dependency will do that for you?) So to stop unwanted upgrades of people's sites, we stay low and let them decide? However, with all the warnings firing around, should packages just be built against the latest and greatest at all times, and it's your own fault if you haven't upgraded Umbraco when you install/upgrade the package?
Or should packages use ranges for dependencies? Which isn't as easy as it used to be to do, but is still a thing.
a
@Kevin Jump for an Umbraco package, I think the Umbraco dependency should be the lowest version of Umbraco that can be supported (e.g. 13.0.0, and not 13.5.2). For my packages, I assume that you already have installed Umbraco, and it's not my business to force you to upgrade if you haven't already done so. That unfortunately may lead to warnings about transitive vulnerable packages that may not be true, since a newer version of the affected packages is installed in a newer version via other dependencies or directly in the project.
I think if you have explicitly installed 13.2 in your project and you install/update a package that requires 13.4, you'll get an error.
n
I would say it depends on what the package does - if you are explicitly using a bit of functionality that is impacted by a vulnerability, then I'd say the package needs to target the secure version, but if it's not, then it can be the lowest possible version, as whatever version the site is using is what's actually being used. ... if that makes sense?
a
@Nik absolutely makes sense ... I should have included that 😄