Forum Discussion
Do I need to upgrade Microsoft.AspNetCore.* NuGet packages after upgrading the .NET Runtime?
Hi,
I'm encountering an issue with our SCA (Software Composition Analysis) scan, which reports several known vulnerabilities in .NET Core components. Specifically, the scan detects that the following packages are still on version 8.0.0, which are flagged as vulnerable:
- Microsoft.AspNetCore.Authorization
- Microsoft.AspNetCore.Components
- Microsoft.AspNetCore.Http.Connections.Client
- Microsoft.AspNetCore.SignalR.Client
The scanner recommends upgrading these packages to version 8.0.15 to resolve the issues.
To address this, I upgraded the .NET Runtime on our environment to version 8.0.15. However, the SCA scan still reports the same vulnerabilities, indicating that the vulnerable component versions have not changed.
My question is:
Do I also need to manually upgrade the corresponding NuGet package versions in the project to 8.0.15, or is upgrading the .NET Runtime alone sufficient to ensure these components are updated as well?
Any clarification would be appreciated. Thank you!
1 Reply
- UdhayarajanJ (Copper Contributor)
If your app is running fine, fully tested, and you’re not using new runtime features, you might delay some package upgrades.
Run this after runtime upgrade:
dotnet list package --outdated
Check if outdated packages have versions compatible with the new runtime. Upgrade packages selectively based on:
- Security patches
- Compatibility
- Performance gains
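
Upgrading the runtime on the host does not rewrite the versions pinned in a project's `PackageReference` entries, and the question reports that the scan results did not change after that upgrade. As an added example (not part of the original thread), this Python script lists the references in an SDK-style `.csproj` that are pinned below a patched version. The sample project file is constructed, and the function names are hypothetical.

```python
# Added example, not code from the thread: list PackageReference pins that sit
# below a patched version. Assumes an SDK-style .csproj (no XML namespace).
import xml.etree.ElementTree as ET

# Constructed sample project; the Microsoft.AspNetCore.* names and the
# 8.0.0 / 8.0.15 versions are the ones mentioned in the question.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Authorization" Version="8.0.0" />
    <PackageReference Include="Microsoft.AspNetCore.SignalR.Client">
      <Version>8.0.0</Version>
    </PackageReference>
    <PackageReference Include="Microsoft.AspNetCore.Components" Version="8.0.15" />
    <PackageReference Include="Serilog" Version="3.1.1" />
  </ItemGroup>
</Project>"""


def parse_version(text):
    """Turn '8.0.15' into (8, 0, 15); any prerelease suffix is ignored."""
    core = text.strip().split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def stale_references(csproj_xml, prefix, fixed_version):
    """Return [(package, pinned_version)] for references below fixed_version."""
    fixed = parse_version(fixed_version)
    stale = []
    for ref in ET.fromstring(csproj_xml).iter("PackageReference"):
        name = ref.get("Include", "")
        # The version can be an attribute or a child element.
        version = ref.get("Version") or ref.findtext("Version")
        if not name.startswith(prefix) or not version:
            continue  # unrelated package, or version managed elsewhere
        try:
            if parse_version(version) < fixed:
                stale.append((name, version.strip()))
        except ValueError:
            continue  # floating range such as 8.0.*; not an exact pin
    return stale


if __name__ == "__main__":
    for name, version in stale_references(SAMPLE_CSPROJ, "Microsoft.AspNetCore.", "8.0.15"):
        print(f"{name} is pinned at {version}, below 8.0.15")
```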