Build errors with 31.2.0 packages

I'm working on getting a site ready to launch and went to apply the latest update of 31.2.0 to our 30.11.3 instance. I first updated the .net version to 10 and had no issues. Then modified the package versions to 31.2.0 on my 4 projects in the solution. When I built the project, I get 3 "Warnings As Errors" on 2 of the 4 projects that are supporting class library projects.

  1. Warning As Error: Detected package downgrade: Microsoft.Extensions.Options.ConfigurationExtensions from 9.0.0 to 8.0.0. Reference the package directly from the project to select a different version.
    <xxxx>.Core -> Kentico.Xperience.Core 31.2.0 -> Kentico.Aira.Client 5.1.1 -> Microsoft.Extensions.Options.ConfigurationExtensions (>= 9.0.0)
    <xxxx>.Core -> Kentico.Xperience.Core 31.2.0 -> Microsoft.Extensions.Options.ConfigurationExtensions (>= 8.0.0)
  2. Warning As Error: Detected package downgrade: Microsoft.Extensions.Logging from 9.0.0 to 8.0.1. Reference the package directly from the project to select a different version.
    <xxxx>.Core -> Kentico.Xperience.Core 31.2.0 -> Kentico.Aira.Client 5.1.1 -> Microsoft.Extensions.Http 9.0.0 -> Microsoft.Extensions.Logging (>= 9.0.0)
    <xxxx>.Core -> Kentico.Xperience.Core 31.2.0 -> Microsoft.Extensions.Logging (>= 8.0.1)
  3. Warning As Error: Detected package downgrade: Microsoft.Extensions.Configuration from 9.0.0 to 8.0.0. Reference the package directly from the project to select a different version.
    <xxxx>.Core -> Kentico.Xperience.Core 31.2.0 -> Kentico.Aira.Client 5.1.1 -> Microsoft.Extensions.Http 9.0.0 -> Microsoft.Extensions.Diagnostics 9.0.0 -> Microsoft.Extensions.Configuration (>= 9.0.0)
    <xxxx>.Core -> Kentico.Xperience.Core 31.2.0 -> Microsoft.Extensions.Configuration (>= 8.0.0)

I've attempted to "force" the use of the 9.0.0 version in my project files with no success. I can hide the error by adding this to my project file:

<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|AnyCPU'"> <NoWarn>NU1605;</NoWarn> </PropertyGroup>

But this only masks the underlying issue.

I'm also getting warnings about security vulnerabilities for Magick.NET-Q8-AnyCPU v14.10.2 that are directly related to core XbyK packages. I also have a ticket into Support regarding this.

Environment

  • Xperience by Kentico version: [30.11.3]

  • .NET version: [9]

  • Execution environment: [Private cloud - Azure

Tags:
Migration / upgrade v31.2.0 .NET
0

Answers

I've received the following response from Kentico Support:

Regarding the Magick.NET issue:

The Magick.NET vulnerability is known and will be fixed in 31.3.0.

Regarding the build issues with lower versions:

I was able to resolve the conflicts by directly referencing the proper versions of the packages in the class library:

<PackageReference Include="Microsoft.Extensions.Options.ConfigurationExtensions" Version="9.0.0" />

<PackageReference Include="Microsoft.Extensions.Logging" Version="9.0.0" />

<PackageReference Include="Microsoft.Extensions.Http" Version="9.0.0" />

However, this shouldn't be necessary and I think this would be considered a bug. I will forward the information to our developers to see if we can fix it.

I'll continue to update if I receive more information.

0

The package dependency mismatch is caused by multi-targeting and will be resolved in a hotfix.

Use the explicit package versions until then.

Magic.NET has had several vulnerabilities recently (most are actually from ImageMagick itself), which we've been handling by updating to the latest version... however every time we update, a new vulnerability is reported.

You can also resolve these yourself with an explicit package version.

0

The latest update I received from Kentico Support was the dependency mismatch will be resolved in 31.3.0 as well which will be released mid March 2026.

0

To response this discussion, you have to login first.