[WebToolsE2E][Aspire] Creating Aspire project, there are warning icons displayed on Dependencies | Packages of the AppHost project.

[vmykagapuz]

REGRESSION

1. Doesn't repro with SDK 9.0 RC1 + Aspire 8.2.0

INSTALL STEPS

1. Clean machine: Win11 x64 22h2 ENU
2. Install SDK 9.0 RC2 daily build
3. Install Aspire 8.2.0
4. Install VSCode or VS

REPRO STEPS

1. Open CMD, create an Aspire Starter App using following commands:
   dotnet new aspire-starter -o AspireStarterApp
2. Open this project using VSCode or VS.

ACTUAL
Dependencies | Packages show warning icon. No warnings in Error List.

EXPECTED
There should be no warning icons displayed.

[v-elenafeng]

Should be a similar issue caused by SDK 9.0 RC2 as dotnet/sdk#43341.

[davidfowl]

cc @eerhardt @joperezr

[eerhardt]

Is there any indication for what is being warned?

cc @tlmii @BillHiebert

[BillHiebert]

This a duplicate issue. Tracked by #5436 which indicates it is fixed in Aspire 9.0.0-preview.4.24454.4.

[joperezr]

This a duplicate issue. Tracked by #5436 which indicates it is fixed in Aspire 9.0.0-preview.4.24454.4.

I don't think this is a duplicate, the referenced one was around project nodes and we ended up figuring out the issue for that, but this is about NuGet package dependencies, so I don't think this is a dupe. Re-opening to ensure we get to the bottom of the issue.

[joperezr]

I think I found out what the problem is. The issue is likely caused by the new feature in NuGet to surface vulnerabilities in dependencies. There is a vulnerability declared in NuGet for package System.Text.Json version 8.0.0 which is a transitive dependency for package Aspire.Hosting.AppHost. VS recently started surfacing these errors into the solution explorer, so that is likely what is happening here. The fix would be to make sure that we "pin up" our dependency of System.Text.Json so that new Aspire projects don't have these warnings.

Here is the dependency chain of how System.Text.Json 8.0.0 is coming to the picture:

dotnet nuget why .\AspireApp.AppHost.csproj System.Text.Json
Project 'AspireApp.AppHost' has the following dependency graph(s) for 'System.Text.Json':

  [net8.0]
   │
   └─ Aspire.Hosting.AppHost (v9.0.0-dev)
      ├─ Aspire.Hosting (v9.0.0-dev)
      │  └─ Microsoft.Extensions.Hosting (v8.0.0)
      │     ├─ Microsoft.Extensions.Configuration.Json (v8.0.0)
      │     │  └─ System.Text.Json (v8.0.0)
      │     ├─ Microsoft.Extensions.Configuration.UserSecrets (v8.0.0)
      │     │  └─ Microsoft.Extensions.Configuration.Json (v8.0.0)
      │     │     └─ System.Text.Json (v8.0.0)
      │     ├─ Microsoft.Extensions.Logging.Console (v8.0.0)
      │     │  └─ System.Text.Json (v8.0.0)
      │     └─ Microsoft.Extensions.Logging.EventSource (v8.0.0)
      │        └─ System.Text.Json (v8.0.0)
      └─ Microsoft.Extensions.Hosting (v8.0.0)
         ├─ Microsoft.Extensions.Configuration.Json (v8.0.0)
         │  └─ System.Text.Json (v8.0.0)
         ├─ Microsoft.Extensions.Configuration.UserSecrets (v8.0.0)
         │  └─ Microsoft.Extensions.Configuration.Json (v8.0.0)
         │     └─ System.Text.Json (v8.0.0)
         ├─ Microsoft.Extensions.Logging.Console (v8.0.0)
         │  └─ System.Text.Json (v8.0.0)
         └─ Microsoft.Extensions.Logging.EventSource (v8.0.0)
            └─ System.Text.Json (v8.0.0)

[v-elenafeng]

VS recently started surfacing these errors into the solution explorer, so that is likely what is happening here.

Yes, after manually updating 'System.Text.Json' to 8.0.4, the warning disappeared.
Here is a known issue 3047 tracks the vulnerable package.