Forum Discussion

MahaauD's avatar
MahaauD
Copper Contributor
Jul 09, 2025

Do I need to upgrade Microsoft.AspNetCore.* NuGet packages after upgrading the .NET Runtime?

Hi,

I'm encountering an issue with our SCA (Software Composition Analysis) scan, which reports several known vulnerabilities in .NET Core components. Specifically, the scan detects that the following packages are still on version 8.0.0, which are flagged as vulnerable:

  • Microsoft.AspNetCore.Authorization
  • Microsoft.AspNetCore.Components
  • Microsoft.AspNetCore.Http.Connections.Client
  • Microsoft.AspNetCore.SignalR.Client

The scanner recommends upgrading these packages to version 8.0.15 to resolve the issues.

To address this, I upgraded the .NET Runtime on our environment to version 8.0.15. However, the SCA scan still reports the same vulnerabilities, indicating that the vulnerable component versions have not changed.

My question is:
Do I also need to manually upgrade the corresponding NuGet package versions in the project to 8.0.15, or is upgrading the .NET Runtime alone sufficient to ensure these components are updated as well?

Any clarification would be appreciated. Thank you!

1 Reply

  • UdhayarajanJ's avatar
    UdhayarajanJ
    Copper Contributor

    If your app is running fine, fully tested, and you’re not using new runtime features, you might delay some package upgrades.

    Run this after runtime upgrade:

    dotnet list package --outdated
    Check if outdated packages have versions compatible with the new runtime.

    Upgrade packages selectively based on:

    Security patches
    Compatibility
    Performance gains

Resources