There are a lot of older posts about the way that NuGet defaults to the lowest compatible version for transitive packages, and thus creates vulnerabilities in your code. It looks like until recently, the only “solution” was to promote them to top-level packages, which is not ideal.
I’m trying to deal with this problem in my solution at the moment and, nosing around for more recent solutions, I chanced on this blog post about central package management. It claims:
You can automatically override a transitive package version even without an explicit top-level by opting into a feature known as transitive pinning. This promotes a transitive dependency to a top-level dependency implicitly on your behalf when necessary.
You can enable this feature by setting the MSBuild property CentralPackageTransitivePinningEnabled to true in a project or in a Directory.Packages.props or Directory.Build.props import file
But when I add this to a project file:
<PropertyGroup>
  <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
</PropertyGroup>
Nothing happens. The transitive packages stay at their minimal, vulnerable versions.
I’ve only tried adding this as text to the project file itself, not through any of the other suggested routes. Are there additional steps I need to take to get this working, or is it still not possible to get my transitive packages to upgrade?
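As an added example (not the asker's files and not the blog post's), here is the minimal layout under which CentralPackageTransitivePinningEnabled actually does something. The property is only consulted once central package management itself is switched on with ManagePackageVersionsCentrally, which lives in a Directory.Packages.props at the repository root, and transitive pinning only lifts a transitive package that has a PackageVersion entry in that file. The package names Contoso.Feature and Contoso.Transitive, the version numbers, the project name and the target framework are all hypothetical placeholders.

```xml
<!-- Directory.Packages.props, placed at the repository root next to the .sln
     (hypothetical example layout; package names and versions are placeholders) -->
<Project>
  <PropertyGroup>
    <!-- Turns on central package management for every project under this
         directory. Without this, CentralPackageTransitivePinningEnabled
         is ignored, which is why setting it alone in a .csproj changes nothing. -->
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>

    <!-- Promote any transitive dependency that has a PackageVersion entry
         below to a top-level reference at that version. -->
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>

  <ItemGroup>
    <!-- The direct dependency the project references (hypothetical name). -->
    <PackageVersion Include="Contoso.Feature" Version="2.0.0" />

    <!-- A transitive dependency of Contoso.Feature (hypothetical name).
         Restore would otherwise resolve it to the lowest version that
         Contoso.Feature declares; listing it here is what lets transitive
         pinning lift it to 1.4.2 in every project that pulls it in. -->
    <PackageVersion Include="Contoso.Transitive" Version="1.4.2" />
  </ItemGroup>
</Project>

<!-- MyApp.csproj (hypothetical project) -->
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <!-- No Version attribute: under central package management the version
         comes from Directory.Packages.props. Contoso.Transitive is deliberately
         NOT referenced here; transitive pinning adds it on restore. -->
    <PackageReference Include="Contoso.Feature" />
  </ItemGroup>
</Project>
```

After a `dotnet restore`, `dotnet list package --include-transitive` should show Contoso.Transitive resolved at 1.4.2 rather than the minimum Contoso.Feature asked for; `dotnet list package --vulnerable --include-transitive` is the quicker way to confirm the advisory has gone. Central package management needs a NuGet that supports it (it shipped with the .NET 6.0.300 SDK), and PackageReference items that still carry their own Version attribute produce a restore error once ManagePackageVersionsCentrally is on, so existing projects need those attributes removed when the props file is introduced.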