
Dealing with CVE-2018-8409, I noted that our dotnet publish (.NET Core 2.1.403 ASP.NET Core app) is publishing v4.0.0.1 of System.IO.Pipelines.dll to our output directory.

I added a NuGet package reference to v4.5.3 of System.IO.Pipelines.

I see no reference to v4.0.0.1 in the build output, aside from this:

Unified primary reference "System.IO.Pipelines, Version=4.0.0.1, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51".
         Using this version instead of original version "4.0.0.0" in "<home_dir>\.nuget\packages\microsoft.aspnetcore.connections.abstractions\2.1.3\lib\netstandard2.0\Microsoft.AspNetCore.Connections.Abstractions.dll" because AutoUnify is 'true'.
         Using this version instead of original version "4.0.0.0" in "<home_dir>\.nuget\packages\microsoft.aspnetcore.http.connections\1.0.4\lib\netstandard2.0\Microsoft.AspNetCore.Http.Connections.dll" because AutoUnify is 'true'.
         Using this version instead of original version "4.0.0.0" in "<home_dir>\.nuget\packages\microsoft.aspnetcore.server.kestrel.core\2.1.3\lib\netstandard2.0\Microsoft.AspNetCore.Server.Kestrel.Core.dll" because AutoUnify is 'true'.
         Using this version instead of original version "4.0.0.0" in "<home_dir>\.nuget\packages\microsoft.aspnetcore.server.kestrel.transport.abstractions\2.1.3\lib\netstandard2.0\Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions.dll" because AutoUnify is 'true'.
         Using this version instead of original version "4.0.0.0" in "<home_dir>\.nuget\packages\microsoft.aspnetcore.server.kestrel.transport.sockets\2.1.3\lib\netstandard2.0\Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets.dll" because AutoUnify is 'true'.
         Using this version instead of original version "4.0.0.0" in "<home_dir>\.nuget\packages\microsoft.aspnetcore.signalr.core\1.0.4\lib\netstandard2.0\Microsoft.AspNetCore.SignalR.Core.dll" because AutoUnify is 'true'.
         Resolved file path is "<home_dir>\.nuget\packages\system.io.pipelines\4.5.3\lib\netstandard2.0\System.IO.Pipelines.dll".
         Reference found at search path location "{HintPathFromItem}".
         This reference is not "CopyLocal" because at least one source item had "Private" set to "false" and no source items had "Private" set to "true".
         The ImageRuntimeVersion for this reference is "v4.0.30319"

NOTE: <home_dir> is my user directory; it's not actually part of the output, FYI.

Yet when I check in VS2017, I clearly see that the NuGet package says System.IO.Pipelines (4.5.3).

I'm expecting that System.IO.Pipelines 4.5.3 would be in the output, including any necessary assembly binding redirects.

Any ideas what I'm missing?

Thanks!

John

1 Answer


In an extremely annoying move, further analysis has revealed to me that NuGet package 4.5.3 contains assembly version 4.0.0.1.

Whyyyyyyy Microsoft, Whyyyyyyy

John
  • is this similar to: https://stackoverflow.com/questions/64555429/assembly-binding-added-in-compiled-output-app-config ? – BendEg Oct 27 '20 at 13:49
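The NuGet package version (4.5.3) and the assembly version compiled into the DLL (4.0.0.1) are set independently, so the build log shows them on different lines: the "Unified primary reference" line carries the assembly version and the "Resolved file path" line carries the package version in its cache path. This added example (not code from the question or the answer) correlates the two over a constructed copy of the quoted ResolveAssemblyReference output; the user paths in the sample are invented.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
# Constructed sample modelled on the ResolveAssemblyReference lines quoted in the question;
# the <home_dir> paths are invented for the example.
SAMPLE_LOG = r'''
Unified primary reference "System.IO.Pipelines, Version=4.0.0.1, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51".
        Using this version instead of original version "4.0.0.0" in "C:\Users\john\.nuget\packages\microsoft.aspnetcore.server.kestrel.core\2.1.3\lib\netstandard2.0\Microsoft.AspNetCore.Server.Kestrel.Core.dll" because AutoUnify is 'true'.
        Using this version instead of original version "4.0.0.0" in "C:\Users\john\.nuget\packages\microsoft.aspnetcore.signalr.core\1.0.4\lib\netstandard2.0\Microsoft.AspNetCore.SignalR.Core.dll" because AutoUnify is 'true'.
        Resolved file path is "C:\Users\john\.nuget\packages\system.io.pipelines\4.5.3\lib\netstandard2.0\System.IO.Pipelines.dll".
'''

REF_RE = re.compile(r'^\s*(?:Unified )?[Pp]rimary reference "([^,"]+), Version=([^,"]+)')
UNIFY_RE = re.compile(r'^\s*Using this version instead of original version "([^"]+)" in "([^"]+)"')
PATH_RE = re.compile(r'^\s*Resolved file path is "([^"]+)"')
PKG_RE = re.compile(r'[\\/]packages[\\/]([^\\/]+)[\\/]([^\\/]+)[\\/]')  # ...\packages\<id>\<version>\

@dataclass
class ResolvedReference:
    assembly_name: str
    assembly_version: str                    # assembly version baked into the DLL, e.g. 4.0.0.1
    package_id: Optional[str] = None
    package_version: Optional[str] = None    # NuGet version read from the cache path, e.g. 4.5.3
    unified_from: List[Tuple[str, str]] = field(default_factory=list)  # (requested version, consumer DLL)

    def versions_disagree(self) -> bool:
        # NuGet version and assembly version are set independently; compare their first three parts.
        if self.package_version is None:
            return False
        pkg = self.package_version.split("-")[0].split(".")[:3]   # drop any prerelease suffix
        return self.assembly_version.split(".")[:3] != pkg

def parse_rar_log(text: str) -> List[ResolvedReference]:
    # One record per primary reference; unify and resolved-path lines attach to the current one.
    refs: List[ResolvedReference] = []
    for line in text.splitlines():
        if m := REF_RE.match(line):
            refs.append(ResolvedReference(m.group(1), m.group(2)))
        elif refs and (m := UNIFY_RE.match(line)):
            refs[-1].unified_from.append((m.group(1), re.split(r"[\\/]", m.group(2))[-1]))
        elif refs and (m := PATH_RE.match(line)) and (p := PKG_RE.search(m.group(1))):
            refs[-1].package_id, refs[-1].package_version = p.group(1), p.group(2)
    return refs

if __name__ == "__main__":
    for r in parse_rar_log(SAMPLE_LOG):
        flag = "  <-- NuGet version is not the assembly version" if r.versions_disagree() else ""
        print(f"{r.assembly_name} {r.assembly_version} from package {r.package_id} {r.package_version}{flag}")
        for requested, consumer in r.unified_from:
            print(f"    {consumer} was compiled against {requested}; AutoUnify redirected it")
```

Run against the real log (dotnet build -v:detailed) to confirm that the 4.0.0.1 assembly in the publish output really came from the 4.5.3 package rather than an older one.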