
Update transitive NuGet packages in VS 2022 and .Net 7.0


I started to use Visual Studio 2022 some weeks ago and now am testing the "new" .NET 7.0 framework. One of the changes I presume is the handling of transitive NuGet packages. In the first place, it seems to be a good idea to have packages only installed because of another package's dependency handled separately, thus being uninstalled as well when the dependent package is being uninstalled.

But there are a few... weird behaviors, so I think I might do some (configuration?) wrong.

First issue: I don't see which transitive package is outdated. For example, DotNetCore.NPOI needs SharpZipLib >= 1.2. SharpZipLib 1.2 is not only outdated, but even vulnerable, so I would of course want to update it to the latest stable version. But now it seems I have to go manually through all the transitive packages and click on the Version dropdown to see whether each one is up to date.

Second issue: When I then update the package to the latest version, it becomes a "first-level package" and is no longer a transitive package, even though I still only need it for the package that depends on it. So uninstalling the package that depends on it (and the only reason the formerly transitive package was installed) won't uninstall the transitive package.

This makes the whole thing contradictory and useless, because:

a) I have to manually scan for updates.

b) if I do the updates, the transitive mechanism (forcing transitive packages to be uninstalled as well) is broken. The alternative is to stick with the outdated packages, thus having potentially erroneous and vulnerable packages in my project.

What did I miss here?


Solution

  • The situation you encountered is totally expected. And in fact, this is not a feature that started with .NET 7.

    Take a look at this:

    NuGet 6.3-View transitive dependencies in Visual Studio

    And this is the original intention behind creating this feature:

    Introducing Transitive Dependencies in Visual Studio-Why should I care?

    What you are talking about did not even work the way you thought in the past, let alone currently. It was never designed with a risk-check step (the check result comes from the NuGet gallery), nor with a binding between top-level and transitive packages.

    Ways to check risk:

    dotnet list package --vulnerable


    NuGet obtains its information regarding Common Vulnerabilities and Exposures (CVE) and GitHub Security Advisories (GHSA) directly from the centralized GitHub Advisory Database. This database provides listings of known vulnerabilities, where a CVE is a list of publicly disclosed computer security flaws, and a GHSA is a GitHub Security Advisory.

    From what you described, do you want VS to have a simple button that checks all package risk issues for you, installs the updates, and ensures the updated package does not become an independent top-level package?

    If this is what you mean, then the current VS cannot yet meet your needs. For this kind of need, you would have to build the tooling yourself.

    Or you can go directly to the developer forum to make suggestions/requests to the product team:

    https://developercommunity.visualstudio.com/VisualStudio/suggest

    By the way, currently the responsibility should lie with the owner of the top-level package. Some packages have had no updates for a long time.
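As an added example (not part of the question or answer above), a small build gate that parses the console output of `dotnet list package --vulnerable --include-transitive` and fails when any package, transitive ones included, is reported at or above a chosen severity. The sample output, package versions and advisory URLs below are constructed placeholders, and the column layout is assumed to match the command's console table (a header row per scope, then one `>` row per vulnerable package).

```python
import sys
from typing import NamedTuple

# Constructed sample of the command's console output (not captured from a real
# project); versions and advisory URLs are placeholders.
SAMPLE_OUTPUT = """\
Project `MyApp` has the following vulnerable packages
   [net7.0]:
   Top-level Package      Requested   Resolved   Severity   Advisory URL
   > DotNetCore.NPOI      1.2.3       1.2.3      Moderate   https://github.com/advisories/GHSA-PLACEHOLDER-1

   Transitive Package     Resolved   Severity   Advisory URL
   > SharpZipLib          1.2.0      High       https://github.com/advisories/GHSA-PLACEHOLDER-2
"""

SEVERITY_RANK = {"Low": 1, "Moderate": 2, "High": 3, "Critical": 4}

class Finding(NamedTuple):
    scope: str       # "top-level" or "transitive"
    package: str
    resolved: str
    severity: str
    advisory: str

def parse_vulnerable(text: str) -> list[Finding]:
    """Each header row sets the scope; every '>' row under it is one vulnerable
    package. Top-level rows carry a Requested column that transitive rows lack."""
    findings, scope = [], None
    for line in text.splitlines():
        row = line.strip()
        if row.startswith("Top-level Package"):
            scope = "top-level"
        elif row.startswith("Transitive Package"):
            scope = "transitive"
        elif row.startswith(">") and scope:
            cols = row[1:].split()
            if scope == "top-level":
                pkg, _requested, resolved, severity, url = cols[:5]
            else:
                pkg, resolved, severity, url = cols[:4]
            findings.append(Finding(scope, pkg, resolved, severity, url))
    return findings

def fails_gate(findings: list[Finding], minimum: str = "Low") -> bool:
    """True when any finding, transitive ones included, is at or above `minimum`."""
    floor = SEVERITY_RANK[minimum]
    return any(SEVERITY_RANK.get(f.severity, 0) >= floor for f in findings)
```

In a pipeline, pipe the real command output into `parse_vulnerable` via `sys.stdin.read()` and call `sys.exit(1)` when `fails_gate(...)` is true; on the constructed sample it flags SharpZipLib as a transitive High finding.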