Visual Studio incorrectly warns about System.Text.Json 8.0.5 already in use #48573


Open
kimachov opened this issue Apr 18, 2025 · 1 comment
Labels
Area-NetSDK untriaged Request triage from a team member

Comments

@kimachov

🐞 Issue: Incorrect Vulnerability Warning and Upgrade Suggestion for System.Text.Json in Visual Studio

Summary

Visual Studio incorrectly displays a vulnerability warning and suggests updating System.Text.Json to version 8.0.5, even though this version is already being resolved and used at runtime.

Affected Environment

  • Visual Studio 2022+
  • SDK-style .NET project
  • Target frameworks: net6.0;net8.0
  • Transitive dependency: System.Text.Json

Observed Behavior

  • Visual Studio shows System.Text.Json (8.0.5) as vulnerable.
  • It suggests an update to the same version, which is misleading.
  • Build artifacts show:
    • net6.0 resolves version 8.0.5 (from NuGet, transitively)
    • net8.0 resolves version 6.0.0 (from shared framework)

Expected Behavior

  • Visual Studio should detect that System.Text.Json version 8.0.5 is already resolved and used.
  • No update prompt should appear for the same version.
  • Vulnerability status should match runtime resolution.

Steps to Reproduce

  1. Create a .NET project targeting both net6.0 and net8.0.
  2. Include a dependency (e.g., Microsoft.Extensions.Configuration.Json) that pulls in System.Text.Json transitively.
  3. Open the project in Visual Studio.
  4. Observe vulnerability warning and update suggestion.

Workaround

Explicitly add the dependency in .csproj:

<PackageReference Include="System.Text.Json" Version="8.0.5" />

This suppresses the warning and aligns Visual Studio with the actual runtime resolution.

Impact

  • Causes confusion and redundant actions by developers.
  • Undermines trust in Visual Studio’s dependency analysis.
  • May trigger unnecessary package audits or rebuilds.

Suggested Fix

Update Visual Studio’s NuGet analysis to cross-reference runtime resolution (e.g., deps.json, project.assets.json) before issuing upgrade/vulnerability warnings.
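As an added illustration of the cross-check proposed above (not code from the issue author or from NuGet), the script below reads the "targets" section of a project.assets.json and reports, per target framework, which version of a package restore actually resolved, then lists only the targets whose version is below a given fixed version. The embedded assets file is a constructed excerpt mirroring the two versions reported in the issue, and treating 8.0.5 as the first non-vulnerable version is an assumption taken from the warning text.

```python
import json

# Constructed excerpt of a project.assets.json (not from the issue). Under
# "targets", each framework maps "<package>/<version>" keys to metadata.
SAMPLE_ASSETS = json.dumps({
    "version": 3,
    "targets": {
        "net6.0": {
            "Microsoft.Extensions.Configuration.Json/8.0.0": {
                "type": "package", "dependencies": {"System.Text.Json": "8.0.5"}},
            "System.Text.Json/8.0.5": {"type": "package"},
        },
        "net8.0": {
            "Microsoft.Extensions.Configuration.Json/8.0.0": {"type": "package"},
            "System.Text.Json/6.0.0": {"type": "package"},
        },
    },
})


def parse_version(text):
    """Turn '8.0.5' into (8, 0, 5); a '-prerelease' suffix is ignored for ordering."""
    return tuple(int(part) for part in text.split("-", 1)[0].split("."))


def resolved_versions(assets_text, package):
    """Map each target framework to the version of `package` that restore resolved."""
    assets = json.loads(assets_text)
    result = {}
    for target, libraries in assets.get("targets", {}).items():
        tfm = target.split("/")[0]  # "net6.0/win-x64" is a RID-specific copy of net6.0
        for key in libraries:
            name, _, version = key.partition("/")
            if name.lower() == package.lower():
                result[tfm] = version
    return result


def targets_needing_upgrade(assets_text, package, fixed_version):
    """Target frameworks whose resolved version is older than `fixed_version`.

    A target that already resolves `fixed_version` (or newer) is not reported,
    which is the behaviour the issue asks the IDE warning to follow."""
    fixed = parse_version(fixed_version)
    resolved = resolved_versions(assets_text, package)
    return sorted(tfm for tfm, ver in resolved.items() if parse_version(ver) < fixed)


if __name__ == "__main__":
    for tfm, ver in resolved_versions(SAMPLE_ASSETS, "System.Text.Json").items():
        print(f"{tfm}: System.Text.Json {ver}")
    print("needs upgrade:", targets_needing_upgrade(SAMPLE_ASSETS, "System.Text.Json", "8.0.5"))
```

Point the script at a real obj/project.assets.json to see the per-framework resolution behind a warning; for a target where the shared framework supplies the assembly, the package-graph version is not necessarily what runs.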

@dotnet-issue-labeler dotnet-issue-labeler bot added Area-NetSDK untriaged Request triage from a team member labels Apr 18, 2025
@KalleOlaviNiemitalo
Contributor

The RestoreEnablePackagePruning property in .NET SDK 10 might solve this. https://github.com/NuGet/Home/blob/451c27180d14214bca60483caee57f0dc737b8cf/accepted/2024/prune-package-reference.md
