System.Runtime.Caching / NuGet Package is marked as serviceable

[MichaelKetting]

Hello,

due to the recent security vulnerability, I noticed that System.Runtime.Caching is deployed to my bin directory and loaded from that place instead of C:\Program Files\dotnet\shared. Given the flag servicable on the package as well as the fact that the reference listed as "serviceable": true in the application's deps.json, I would have assumed that the package is part of the shared Microsoft.NETCore.App or Microsoft.AspNetCore.App frameworks.

Did anyone already stumble over this perceived inconcistency / have any helpful ideas?

I don't want to start a bug-ticket if it's just me mis-reading the intent of the flag in deps.json:
https://github.com/dotnet/sdk/blob/main/documentation/specs/runtime-configuration-file.md#libraries-section-depsjson

Thanks, Michael

[chrarnoldus]

I recently made this comment: #105120 (comment), seems to be the same type of behavior.

[MichaelKetting]

@chrarnoldus thank you for chmining. I have reviewed your anwser/scenario in the other ticket and it's different from my own.

I have the problem that a package is marked as serviceable in the deps.json but not part of one of the used frameworks.

In your scenario, a higher version of the package (System.Configuration.ConfigurationManager) is referenced and thus must be copied to the output folder. The assembly will be ignored if the respective centrally deployed assembly has a higher version.

Both scenarios make analysing which securty update is required more complex, but in my scenario, I need to analyze the file system to figure out if the assembly is part of a used framework. In your scenario, you only need to rely on the fact that a more recent security update will always cover the affected assembly so long as it remains the same major/minor version.

You do still have the problem with System.Data.OleDB, which is marked as serviceable but not included in the WindowsDesktopApp famework, but the other discussion doesn't go into that can of worms.