You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As part of the "Prevent" side of the Know, Prevent, Fix framework. Our next task is to ensure that package operations are blocked or warned whenever a user does a potential package operation such as installing or updating to a susceptible package version that includes known vulnerability/deprecation metadata.
This experience can re-use existing confirmation dialogs in Visual Studio and on the command line, provide a y/n confirmation prompt in CLI experiences for the user to continue.
A dialog may say something similar to:
You are attempting to install a package that has been flagged as deprecated or contains known security vulnerabilities. Installing this package may pose a risk to your project's security and stability.
Package Name: [Package_Name]
Version: [Version_Number]
Vulnerability/Deprecation Details: [Brief description of the vulnerability or reason for deprecation, if available]
It is recommended to either update to a newer, secure version of this package or choose an alternative package.
Do you want to continue with the installation/update?
Additional Context and Details
No response
The text was updated successfully, but these errors were encountered:
This should also include vulnerability/deprecation checks in transitive dependencies that would be installed/updated. If ones are found, it should explain (or link to a page explaining) how to update the transitive dependencies afterwards.
NuGet Product(s) Involved
Visual Studio Package Management UI, dotnet.exe
The Elevator Pitch
As part of the "Prevent" side of the Know, Prevent, Fix framework. Our next task is to ensure that package operations are blocked or warned whenever a user does a potential package operation such as installing or updating to a susceptible package version that includes known vulnerability/deprecation metadata.
This experience can re-use existing confirmation dialogs in Visual Studio and on the command line, provide a y/n confirmation prompt in CLI experiences for the user to continue.
A dialog may say something similar to:
Additional Context and Details
No response
The text was updated successfully, but these errors were encountered: