Summary
Every todoapp-uno head emits three NU1510 warnings on restore:
warning NU1510: PackageReference System.Formats.Asn1 will not be pruned. Consider removing this package from your dependencies, as it is likely unnecessary.
warning NU1510: PackageReference System.Private.Uri will not be pruned. Consider removing this package from your dependencies, as it is likely unnecessary.
warning NU1510: PackageReference System.Text.Json will not be pruned. Consider removing this package from your dependencies, as it is likely unnecessary.
CI run: https://github.com/CommunityToolkit/Datasync/actions/runs/29093946725 (all todoapp-uno / * jobs)
Root cause
samples/todoapp/TodoApp.Uno/TodoApp.Uno/TodoApp.Uno.csproj and Directory.Packages.props explicitly pin System.Formats.Asn1, System.IO.Packaging, System.Private.Uri, and System.Text.Json as direct PackageReferences at specific versions (10.0.9/4.3.2). These look like leftover CVE-remediation floors added in earlier issues (e.g. #492/#498-era NU1903 fixes), similar in spirit to the still-necessary SQLitePCLRaw.bundle_e_sqlite3 override.
NuGet's package-pruning feature (enabled by default on modern TFMs) now considers these three redundant: the versions implicitly resolved via the SDK/other dependencies already satisfy (or exceed) the pinned floor, so the explicit top-level references add nothing and NuGet warns that pruning them would be a no-op either way.
Note: System.IO.Packaging is pinned in the same block but did not trigger a NU1510 warning in this run - worth double-checking whether it's still needed before removing the others.
Suggested fix
- For each of
System.Formats.Asn1, System.Private.Uri, System.Text.Json: confirm the implicitly-resolved version (via dotnet restore + inspecting obj/*/project.assets.json) still meets or exceeds the floor these pins were originally added for (check the originating CVE-fix issues/PRs for the specific advisory each pin was meant to remediate).
- If confirmed, remove the redundant
PackageVersion/PackageReference entries from Directory.Packages.props and TodoApp.Uno.csproj to eliminate the warning and simplify the dependency list.
- Leave
System.IO.Packaging and SQLitePCLRaw.bundle_e_sqlite3 alone unless they're independently confirmed unnecessary too - they didn't trigger NU1510 in this run.
Summary
Every
todoapp-unohead emits threeNU1510warnings on restore:CI run: https://github.com/CommunityToolkit/Datasync/actions/runs/29093946725 (all
todoapp-uno / *jobs)Root cause
samples/todoapp/TodoApp.Uno/TodoApp.Uno/TodoApp.Uno.csprojandDirectory.Packages.propsexplicitly pinSystem.Formats.Asn1,System.IO.Packaging,System.Private.Uri, andSystem.Text.Jsonas directPackageReferences at specific versions (10.0.9/4.3.2). These look like leftover CVE-remediation floors added in earlier issues (e.g. #492/#498-era NU1903 fixes), similar in spirit to the still-necessarySQLitePCLRaw.bundle_e_sqlite3override.NuGet's package-pruning feature (enabled by default on modern TFMs) now considers these three redundant: the versions implicitly resolved via the SDK/other dependencies already satisfy (or exceed) the pinned floor, so the explicit top-level references add nothing and NuGet warns that pruning them would be a no-op either way.
Note:
System.IO.Packagingis pinned in the same block but did not trigger a NU1510 warning in this run - worth double-checking whether it's still needed before removing the others.Suggested fix
System.Formats.Asn1,System.Private.Uri,System.Text.Json: confirm the implicitly-resolved version (viadotnet restore+ inspectingobj/*/project.assets.json) still meets or exceeds the floor these pins were originally added for (check the originating CVE-fix issues/PRs for the specific advisory each pin was meant to remediate).PackageVersion/PackageReferenceentries fromDirectory.Packages.propsandTodoApp.Uno.csprojto eliminate the warning and simplify the dependency list.System.IO.PackagingandSQLitePCLRaw.bundle_e_sqlite3alone unless they're independently confirmed unnecessary too - they didn't trigger NU1510 in this run.