Revise strategy for vulnerable transitive dependency on Microsoft.Extensions.Caching.Memory on net8.0

bkoelman · bkoelman · commit 5fac60774cf5 · 2025-11-27T12:16:42.000+01:00
diff --git a/package-versions.props b/package-versions.props
@@ -20,15 +20,18 @@
   <PropertyGroup Condition="'$(TargetFramework)' == 'net10.0'">
     <!-- Non-published dependencies (these are safe to update, won't cause a breaking change) -->
     <AspNetCoreVersion>10.0.*</AspNetCoreVersion>
+    <MicrosoftExtensionsCachingMemoryVersion>10.0.*</MicrosoftExtensionsCachingMemoryVersion>
   </PropertyGroup>
 
   <PropertyGroup Condition="'$(TargetFramework)' == 'net9.0'">
     <!-- Non-published dependencies (these are safe to update, won't cause a breaking change) -->
     <AspNetCoreVersion>9.0.*</AspNetCoreVersion>
+    <MicrosoftExtensionsCachingMemoryVersion>9.0.*</MicrosoftExtensionsCachingMemoryVersion>
   </PropertyGroup>
 
   <PropertyGroup Condition="'$(TargetFramework)' == 'net8.0'">
     <!-- Non-published dependencies (these are safe to update, won't cause a breaking change) -->
     <AspNetCoreVersion>8.0.*</AspNetCoreVersion>
+    <MicrosoftExtensionsCachingMemoryVersion>8.0.*</MicrosoftExtensionsCachingMemoryVersion>
   </PropertyGroup>
 </Project>
diff --git a/src/JsonApiDotNetCore.MongoDb/JsonApiDotNetCore.MongoDb.csproj b/src/JsonApiDotNetCore.MongoDb/JsonApiDotNetCore.MongoDb.csproj
@@ -32,12 +32,6 @@
 
   <ItemGroup>
     <PackageReference Include="JsonApiDotNetCore" Version="$(JsonApiDotNetCoreFrozenVersion)" />
-    <PackageReference Include="Microsoft.Extensions.Caching.Memory" Version="8.0.1" Condition="'$(TargetFramework)' == 'net8.0'" NoWarn="$(NoWarn);NU1510">
-      <!--
-        Microsoft.EntityFrameworkCore 8.0.0 depends on Microsoft.Extensions.Caching.Memory 8.0.0, which is vulnerable.
-        This package reference silences the vulnerability warning and suppresses the NU1510 warning that the dependency will not appear in our NuGet package.
-      -->
-    </PackageReference>
     <PackageReference Include="MongoDB.Driver" Version="$(MongoDBDriverFrozenVersion)" />
     <PackageReference Include="SauceControl.InheritDoc" Version="$(InheritDocVersion)" PrivateAssets="All" />
   </ItemGroup>
diff --git a/test/JsonApiDotNetCoreMongoDbTests/JsonApiDotNetCoreMongoDbTests.csproj b/test/JsonApiDotNetCoreMongoDbTests/JsonApiDotNetCoreMongoDbTests.csproj
@@ -14,6 +14,7 @@
     <PackageReference Include="coverlet.collector" Version="$(CoverletVersion)" PrivateAssets="All" />
     <PackageReference Include="GitHubActionsTestLogger" Version="$(GitHubActionsTestLoggerVersion)" PrivateAssets="All" />
     <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="$(AspNetCoreVersion)" />
+    <PackageReference Include="Microsoft.Extensions.Caching.Memory" Version="$(MicrosoftExtensionsCachingMemoryVersion)" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(TestSdkVersion)" />
   </ItemGroup>
 </Project>
diff --git a/test/TestBuildingBlocks/TestBuildingBlocks.csproj b/test/TestBuildingBlocks/TestBuildingBlocks.csproj
@@ -1,4 +1,4 @@
-﻿<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
     <TargetFrameworks>net10.0;net9.0;net8.0</TargetFrameworks>
   </PropertyGroup>
@@ -16,6 +16,7 @@
     <PackageReference Include="GitHubActionsTestLogger" Version="$(GitHubActionsTestLoggerVersion)" PrivateAssets="All" />
     <PackageReference Include="FluentAssertions" Version="$(FluentAssertionsVersion)" />
     <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="$(AspNetCoreVersion)" />
+    <PackageReference Include="Microsoft.Extensions.Caching.Memory" Version="$(MicrosoftExtensionsCachingMemoryVersion)" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(TestSdkVersion)" />
     <PackageReference Include="MongoDB.Driver" Version="$(MongoDBDriverVersion)" />
     <PackageReference Include="xunit" Version="$(XunitVersion)" />
