Trying to enforce a specific .NET package version, but an earlier version is still visible in the dependency tree

Marek Forys 0 Reputation points

Mend software found a vulnerable package which is used by our application transitively (by another one that is used directly).
I try to enforce the version by adding a line in the Directory.Packages.props file
<PackageVersion Include="Newtonsoft.Json" Version="13.0.3" />
but the old, vulnerable package is still visible in some packages.lock.json files:

"dependencies": {
          "Azure.Core": "1.19.0",
          "Microsoft.Bcl.AsyncInterfaces": "1.0.0",
          "Microsoft.Bcl.HashCode": "1.1.0",
          "Newtonsoft.Json": "10.0.2",

How to get rid of it?


1 answer

  1. Anna Xiu-MSFT 23,576 Reputation points Microsoft Vendor

    Hi @Marek Forys

    Welcome to Microsoft Q&A! 

    Please open your project file and check whether the <PackageReference /> items are declared without Version attributes.

    <PackageReference Include="Newtonsoft.Json" />

    And go to Directory.Packages.props file and check if you have set the ManagePackageVersionsCentrally property to true.

        <PackageVersion Include="Newtonsoft.Json" Version="13.0.3" />

    You can then restore packages and rebuild your solution.
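A check script, added here and not taken from the question or the answer, that reads packages.lock.json files the way NuGet writes them: the version actually restored is the package's own top-level "resolved" entry, while a nested "dependencies" block like the one quoted in the question only records the minimum version another package asks for. The lock file below is constructed; the package name Some.Sdk.Client and the net6.0 target are assumptions.

```python
import json
from pathlib import Path

# Constructed sample packages.lock.json (not from the question's repository): one
# package asks for Newtonsoft.Json >= 10.0.2, but the graph resolved 13.0.3.
SAMPLE_LOCK = {
    "version": 1,
    "dependencies": {
        "net6.0": {
            "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )",
                                "resolved": "13.0.3", "contentHash": "<constructed>"},
            "Some.Sdk.Client": {"type": "Transitive", "resolved": "2.0.0",
                                "contentHash": "<constructed>",
                                "dependencies": {"Azure.Core": "1.19.0",
                                                 "Newtonsoft.Json": "10.0.2"}},
        }
    },
}

def parse_version(v: str) -> tuple:
    # '13.0.3' -> (13, 0, 3); a pre-release suffix such as '-beta1' is ignored
    return tuple(int(p) for p in v.split("-")[0].split("."))

def resolved_versions(lock: dict, package: str) -> dict:
    # Version actually restored per target framework: the package's own top-level
    # entry. Nested "dependencies" blocks only state the minimum other packages ask for.
    return {tfm: entries[package]["resolved"]
            for tfm, entries in lock["dependencies"].items() if package in entries}

def requesters(lock: dict, package: str) -> list:
    # (tfm, requesting package, minimum version) wherever a nested block names `package`
    return [(tfm, name, entry["dependencies"][package])
            for tfm, entries in lock["dependencies"].items()
            for name, entry in entries.items()
            if package in entry.get("dependencies", {})]

def below_pin(lock: dict, package: str, pinned: str) -> dict:
    # Target frameworks whose resolved version is still older than the pin
    return {tfm: v for tfm, v in resolved_versions(lock, package).items()
            if parse_version(v) < parse_version(pinned)}

def scan_tree(root: Path, package: str, pinned: str) -> dict:
    # Every packages.lock.json under `root` that still resolves below the pin
    report = {}
    for lock_file in root.rglob("packages.lock.json"):
        bad = below_pin(json.loads(lock_file.read_text()), package, pinned)
        if bad:
            report[str(lock_file)] = bad
    return report
```

Run scan_tree(Path("."), "Newtonsoft.Json", "13.0.3") from the solution root after a restore; an empty result means every project resolved the pinned version or newer, and requesters() shows which transitive packages still carry the 10.0.2 lower bound.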