What is Transitive dependency in .NET Core and Resolution – Guidelines
In this article on best practices, we will learn what a transitive dependency is in .NET Core.
Transitive dependencies occur when your project references a package that in turn uses or references another package.
For example:
You add a package B to your project A that in turn relies on another package C.
So here A-B shows a direct dependency whereas the A-C relationship is transitive in nature.
What are Transitive Dependencies VS Direct Dependencies
Let’s take a real example.
Create a .NET Core WebAPI service project. The default .NET Core template will add the "Microsoft.NETCore.App" package to your project, which in turn uses multiple system packages like "System.Net.Http" and "System.Text.Encoding".
So in this scenario,
- Service has a direct dependency on "Microsoft.NETCore.App"
- Service has a transitive dependency on "System.Net.Http"
Based on the above understanding, most of the .NET Core system DLLs are transitive in nature.
The versions of these transitive dependencies rely on the parent version.
If you fix the parent version, the transitive dependencies will follow that fix accordingly.
How to see .NET Core Transitive dependencies
Transitive dependencies can be viewed using an IDE or the .NET Core tooling.
1. View .NET Core Transitive dependencies using Visual Studio
One can easily view transitive dependency in Visual Studio
2. .NET Core CLI Tooling – View .NET Core Transitive dependencies
dotnet command provides an easy and convenient option to list all package references including direct and transitive dependencies for a specific project.
Command
dotnet list package
This command shows a list of direct dependencies. It can be run from the command prompt or the PMC (Package Manager Console) within VS2017.
Please build the project before using this command so that the assets it needs to process are available.
Requested – This column indicates the package version specified in the project file and can be a range.
Resolved – This column lists the version that the project is currently using.
An additional flag, "--include-transitive", can be used to get the list of transitive dependencies.
Command
dotnet list package --include-transitive
The above figure shows limited transitive dependencies due to the size of the figure.
One can use a few additional options, such as the --outdated flag. This option finds out whether newer versions are available for the packages in use.
Command
dotnet list package --outdated
Command
dotnet list package --outdated --include-prerelease
Specify the above option to include prerelease versions when listing newer versions.
3. Using project.assets.json
This file is generated in the obj directory of your project after compiling and building the project.
It is also a good option for viewing the dependencies that will be available in your bin output folder.
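The script below is an added example, not code from the original article. It reads data in the shape of project.assets.json and reports, for each resolved package, whether it is direct or transitive and which chain of packages brings it in, which is what you need when a vulnerable transitive package has to be traced back to the direct reference to update. The sample data and the names PackageB, PackageC and PackageD are constructed; the keys used (targets, dependencies, projectFileDependencyGroups) are the ones NuGet writes to the file.

```python
import json

# Constructed sample in the shape of obj/project.assets.json, trimmed to the
# keys used here. Package names and versions are illustrative only.
SAMPLE_ASSETS = json.loads("""
{
  "version": 3,
  "targets": {
    "net6.0": {
      "PackageB/2.0.0": {"type": "package", "dependencies": {"PackageC": "1.1.0"}},
      "PackageC/1.1.0": {"type": "package", "dependencies": {"PackageD": "3.0.0"}},
      "PackageD/3.0.0": {"type": "package"}
    }
  },
  "projectFileDependencyGroups": {"net6.0": ["PackageB >= 2.0.0"]}
}
""")


def classify(assets, framework):
    """Map package name -> (resolved version, 'direct' or 'transitive', chain)."""
    resolved, children = {}, {}
    for key, info in assets["targets"][framework].items():
        name, version = key.split("/", 1)
        resolved[name.lower()] = (name, version)  # NuGet ids are case-insensitive
        children[name.lower()] = [d.lower() for d in info.get("dependencies", {})]
    # Direct references are stored as "Name >= version" strings.
    groups = assets["projectFileDependencyGroups"].get(framework, [])
    direct = [entry.split(" ", 1)[0].lower() for entry in groups]
    result = {}
    queue = [(d, [resolved[d][0]]) for d in direct if d in resolved]
    while queue:  # breadth-first, so the first chain recorded is the shortest
        key, chain = queue.pop(0)
        name, version = resolved[key]
        if name in result:
            continue
        result[name] = (version, "direct" if len(chain) == 1 else "transitive", chain)
        queue.extend((c, chain + [resolved[c][0]]) for c in children[key] if c in resolved)
    return result


def report(assets, framework):
    """One line per package: kind, name, resolved version, and the chain to it."""
    rows = sorted(classify(assets, framework).items())
    return [f"{kind:10} {name} {ver}  via {' > '.join(chain)}" for name, (ver, kind, chain) in rows]


if __name__ == "__main__":
    # For a real project: assets = json.load(open("obj/project.assets.json"))
    print("\n".join(report(SAMPLE_ASSETS, "net6.0")))
```

Pass the target framework exactly as it appears as a key under "targets" in your own file.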
4. Fix transitive dependency vulnerabilities
One can fix transitive vulnerabilities easily by following the below measures,