System.Security.Cryptography.Cng nuget pulls in older dlls than present in the .net framework

[Saurbaum]

Description

I got caught out by this today and have been in the past.

If you are targeting .netframework 4.8 and include System.Security.Cryptography.Cng via nuget because it has a dependency on System.Security.Cryptography.Algorithms that brings in a collection of nuget packages
System.IO
System.Runtime
System.Security.Cryptography.Algorithms
System.Security.Cryptography.Encoding
System.Security.Cryptography.Primitives

which are older than the versions distributed in the latest version of the .net 4.8 framework

Reproduction Steps

Include System.Security.Cryptography.Cng in a c# project targeting .netframework 4.8

Expected behavior

Only real dependencies should be included if they are newer than the released framework

Actual behavior

I suspect originally these versions were newer than the supported framework binaries available at that time. What this means is technically we run the risk of downgrading by accident at build time.

Regression?

No response

Known Workarounds

Manually deleting the references to the packages.

Configuration

No response

Other information

No response

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

[huoyaoyuan]

There is no risk for downgrading. The aforementioned packages like System.IO, System.Runtime are purely facades on .NET Framework that contains no executable code. The System.Security packages are purely additions on .NET Framework. There's nothing can be downgraded.

[huoyaoyuan]

Moreover, System.Security.Cryptography.Cng is already a facade that adds nothing on .NET Framework. You should not need the package at all.

[vcsjones]

System.Security.Cryptography.Cng as a nuget package is basically deprecated at this point. You shouldn't need it for .NET Framework or later versions of .NET, either. We should make a note of that on the package README.

[vcsjones]

But yes, @huoyaoyuan is correct - this nuget package cannot "downgrade" your experience. This nuget package is simply a facade assembly for .NET Framework. It means if someone tries the use the types from the package, it says "Go use the ones built-in to the framework instead".

runtime/src/libraries/System.Security.Cryptography.Cng/src/System.Security.Cryptography.Cng.csproj

Line 11 in 4aadfea

<IsPartialFacadeAssembly Condition="$(TargetFramework.StartsWith('net4'))">true</IsPartialFacadeAssembly>

However the actual src directory for this package is gone now - this package has not been updated since .NET 5.