What is Transitive dependency in .NET Core and Resolution – Guidelines

In this article on best practices, we will learn what a transitive dependency is in .NET Core.

Transitive dependencies occur when your project references a package that in turn uses or references another package.

For example:

You add a package B to your project A that in turn relies on another package C.

So here A-B shows a direct dependency whereas the A-C relationship is transitive in nature.

To fix a transitive dependency vulnerability, please refer to the article below:

  • Fixing transitive dependency vulnerability

Today in this article, we will cover the below aspects,

    What are Transitive Dependencies vs. Direct Dependencies

    Transitive dependencies occur when your project references a package that in turn uses or references another package.

    Let’s take a real example.

    Create a .NET Core WebAPI service project. The default .NET Core template will add the “Microsoft.NETCore.App” package to your project.

    That package in turn uses multiple system packages like “System.Net.Http” and “System.Text.Encoding”.

    So in this scenario,

    • Service has a direct dependency on “Microsoft.NETCore.App”

    • Service has a transitive dependency on “System.Net.Http”

    Based on the above, most of the .NET Core system DLLs are transitive in nature.

    The versions of these transitive dependencies rely on the version of the parent package.

    If you fix the parent version, the transitive dependencies will follow that fix accordingly.

    How to see .NET Core Transitive dependencies

    Transitive dependencies can be viewed using an IDE or the .NET Core tooling.

    1. View .NET Core Transitive dependencies using Visual Studio

    One can easily view transitive dependencies in Visual Studio.

    2. .NET Core CLI Tooling – View .NET Core Transitive dependencies

    The dotnet command provides an easy and convenient option to list all package references, including direct and transitive dependencies, for a specific project.

    Command

    dotnet list package

    This command shows a list of direct dependencies. It can be run from the command prompt or the PMC (Package Manager Console) within VS2017.

    [Figure: .NET Core transitive dependencies]

    Please build the project before using this command so that the assets it needs to process are available.

    Requested – This column indicates the package version specified in the project file and can be a range.

    Resolved – This column lists the version that the project is currently using.

    Command

    The additional flag “--include-transitive” shown below can be used to get the list of transitive dependencies.

    dotnet list package --include-transitive

    [Figure: dotnet list package include transitive]

    The above figure shows limited transitive dependencies due to the size of the figure.

    One can use a few additional options, such as the flag --outdated. This option finds out whether newer versions are available for the packages in use.

    Command

    dotnet list package --outdated 

    [Figure: dotnet list package outdated]

    Command

    dotnet list package --outdated --include-prerelease
    

    [Figure: .NET Core transitive dependencies]

    Specify the above option to include prerelease versions when listing newer versions.

    3. Using project.assets.json

    This file is generated in the obj directory of your project after the project is compiled and built.

    It is also a good option for viewing the dependencies which will be available in your bin output folder.
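
The direct/transitive split described above can also be read out of project.assets.json with a short script. The following Python code is an added example, not code from the original article: it reports which direct dependency pulls in each transitive package, which is the parent to update when a transitive package needs a fix. The embedded JSON is a constructed, trimmed-down sample; the package names PackageB to PackageE and the "net6.0" framework key are assumptions.

```python
import json

# Constructed, trimmed-down project.assets.json; package names, versions and
# the "net6.0" framework key are sample values, not taken from a real project.
SAMPLE_ASSETS = json.loads("""
{
  "targets": {
    "net6.0": {
      "PackageB/2.0.0": {"type": "package", "dependencies": {"PackageC": "1.1.0"}},
      "PackageC/1.1.0": {"type": "package", "dependencies": {"PackageD": "3.0.0"}},
      "PackageD/3.0.0": {"type": "package"},
      "PackageE/1.0.0": {"type": "package"}
    }
  },
  "projectFileDependencyGroups": {"net6.0": ["PackageB >= 2.0.0", "PackageE >= 1.0.0"]}
}
""")

def classify(assets, framework):
    """Return (direct, transitive): direct maps name -> resolved version;
    transitive maps name -> (version, path of names from a direct dependency)."""
    resolved, edges = {}, {}
    for key, entry in assets["targets"][framework].items():
        name, version = key.split("/", 1)          # keys look like "Name/Version"
        resolved[name.lower()] = (name, version)   # NuGet ids are case-insensitive
        edges[name.lower()] = [d.lower() for d in entry.get("dependencies", {})]
    # Entries look like "PackageB >= 2.0.0"; the first token is the package id.
    requested = [g.split()[0].lower()
                 for g in assets["projectFileDependencyGroups"][framework]]
    direct = {resolved[n][0]: resolved[n][1] for n in requested if n in resolved}
    transitive = {}
    queue = [(n, [resolved[n][0]]) for n in requested if n in resolved]
    while queue:  # breadth-first, so the recorded path is the shortest one
        node, path = queue.pop(0)
        for child in edges.get(node, []):
            if child not in resolved:
                continue
            name, version = resolved[child]
            if name in direct or name in transitive:
                continue
            transitive[name] = (version, path + [name])
            queue.append((child, path + [name]))
    return direct, transitive

if __name__ == "__main__":
    direct, transitive = classify(SAMPLE_ASSETS, "net6.0")
    for name, (version, path) in sorted(transitive.items()):
        print(f"{name} {version} (transitive via {' -> '.join(path)})")
```

For a real project, load obj/project.assets.json with json.load and pass one of the keys found under "targets" as the framework.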

    4. Fix transitive dependency vulnerabilities

    One can fix transitive vulnerabilities easily by following the below measures,
