Azure Function nuget restore fails due to quarantined/vulnerable dependencies in WorkerExtensions #3371

@sherman89

Description

We just started using Sonatype Nexus Repository to protect ourselves from supply chain attacks, but we are unable to build our Azure Function project because it has critically vulnerable dependencies in the generated WorkerExtensions.csproj project, which we have no control over.

This is a security risk, especially in the kind of environment we work in, so we might have to ditch the idea of using Azure Functions altogether and just stick to ASP.NET Core, which is less than ideal since we will most likely benefit from the different features Functions have to offer...

The vulnerable packages are:

  • Newtonsoft.Json.11.0.2
  • Microsoft.AspNetCore.Routing.2.2.2
  • Microsoft.Azure.WebJobs.Script.ExtensionsMetadataGenerator.4.0.1

Example from build output:

1>C:\Program Files\Microsoft Visual Studio\18\Professional\Common7\IDE\CommonExtensions\Microsoft\NuGet\NuGet.targets(198,5): warning : -------------------->>> Requested item is quarantined -------------------->>> FOR DETAILS SEE ------>>> https://redacted.iq.sonatype.app/ui/links/firewall/repositories/quarantinedComponent/REDACTED <<<------
1> Failed to download package 'Microsoft.AspNetCore.Routing.2.2.2' from 'https://redacted.repo.sonatype.app/repository/redacted-nuget/v3/content/0/microsoft.aspnetcore.routing/2.2.2/microsoft.aspnetcore.routing.2.2.2.nupkg'.

Would it be possible to at least update these? I don't know what ExtensionsMetadataGenerator is (it seems to be related to the legacy in-process model, which isn't even supported in .NET 10), but it was last updated in 2021, which seems like a very long time, and even if I manage to somehow force-update the others, there is no update for this one...

We are using .NET 10, isolated worker model, and Visual Studio 2026, everything is as up to date as possible as far as I know...

Thank you!
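As an added example (not code from the Azure Functions project, from Sonatype, or from the issue author): the restore output quoted above only surfaces the quarantine as a NuGet.targets warning followed by a "Failed to download package" line, so a CI pipeline has to dig the package names out of the log to see what was actually blocked. The script below parses those two line shapes into a structured list of (package id, version, feed URL, firewall link) and returns a non-zero exit code when anything was quarantined. The sample output is constructed: its first two lines are the ones quoted in the issue, the lines for the other two packages the issue names are assumed to take the same shape, and the firewall link tokens are placeholders. Splitting a NuGet "Id.Version" token is ambiguous because package ids contain dots, so the feed URL path (`.../<id>/<version>/<id>.<version>.nupkg`) is used as the authoritative version when present.

```python
"""Turn Sonatype Repository Firewall quarantine noise in a NuGet restore log into a CI gate.

Added example for the issue above; not code from the Azure Functions project or Sonatype.
"""
import re
import sys
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample of MSBuild/NuGet restore output. The first two lines are the
# format quoted in the issue; the remaining lines are ASSUMED to take the same
# shape for the other two packages named there. EXAMPLE-* tokens are placeholders.
SAMPLE_BUILD_OUTPUT = r"""
1>C:\Program Files\Microsoft Visual Studio\18\Professional\Common7\IDE\CommonExtensions\Microsoft\NuGet\NuGet.targets(198,5): warning : -------------------->>> Requested item is quarantined -------------------->>> FOR DETAILS SEE ------>>> https://redacted.iq.sonatype.app/ui/links/firewall/repositories/quarantinedComponent/REDACTED <<<------
1> Failed to download package 'Microsoft.AspNetCore.Routing.2.2.2' from 'https://redacted.repo.sonatype.app/repository/redacted-nuget/v3/content/0/microsoft.aspnetcore.routing/2.2.2/microsoft.aspnetcore.routing.2.2.2.nupkg'.
1>C:\Program Files\Microsoft Visual Studio\18\Professional\Common7\IDE\CommonExtensions\Microsoft\NuGet\NuGet.targets(198,5): warning : -------------------->>> Requested item is quarantined -------------------->>> FOR DETAILS SEE ------>>> https://redacted.iq.sonatype.app/ui/links/firewall/repositories/quarantinedComponent/EXAMPLE-JSON <<<------
1> Failed to download package 'Newtonsoft.Json.11.0.2' from 'https://redacted.repo.sonatype.app/repository/redacted-nuget/v3/content/0/newtonsoft.json/11.0.2/newtonsoft.json.11.0.2.nupkg'.
1>C:\Program Files\Microsoft Visual Studio\18\Professional\Common7\IDE\CommonExtensions\Microsoft\NuGet\NuGet.targets(198,5): warning : -------------------->>> Requested item is quarantined -------------------->>> FOR DETAILS SEE ------>>> https://redacted.iq.sonatype.app/ui/links/firewall/repositories/quarantinedComponent/EXAMPLE-EMG <<<------
1> Failed to download package 'Microsoft.Azure.WebJobs.Script.ExtensionsMetadataGenerator.4.0.1' from 'https://redacted.repo.sonatype.app/repository/redacted-nuget/v3/content/0/microsoft.azure.webjobs.script.extensionsmetadatagenerator/4.0.1/microsoft.azure.webjobs.script.extensionsmetadatagenerator.4.0.1.nupkg'.
1> Restore completed with errors.
"""

# Quarantine notice: capture the firewall details link (stops before the trailing "<<<").
QUARANTINE_RE = re.compile(r"Requested item is quarantined.*?(https?://[^\s<]+)")
# Download failure: capture the 'Id.Version' token and the feed URL it was requested from.
FAILED_RE = re.compile(r"Failed to download package '([^']+)' from '([^']+)'")


@dataclass(frozen=True)
class QuarantinedPackage:
    package_id: str
    version: str
    download_url: str
    firewall_url: Optional[str]  # None if no quarantine notice preceded the failure


def split_id_version(name: str, download_url: Optional[str] = None) -> tuple[str, str]:
    """Split 'Newtonsoft.Json.11.0.2' into ('Newtonsoft.Json', '11.0.2').

    Prefer the feed URL: its path ends in <id-lowercased>/<version>/<file>.nupkg,
    which also handles prerelease versions such as 1.0.0-beta.1. Without a URL,
    take the longest trailing run of purely numeric dotted parts as the version.
    """
    if download_url:
        segments = urlsplit(download_url).path.rstrip("/").split("/")
        if len(segments) >= 3:
            version = segments[-2]
            if name.lower().endswith("." + version.lower()):
                return name[: -(len(version) + 1)], version
    parts = name.split(".")
    i = len(parts)
    while i > 0 and parts[i - 1].isdigit():
        i -= 1
    if i == 0 or i == len(parts):
        raise ValueError(f"cannot separate package id and version in {name!r}")
    return ".".join(parts[:i]), ".".join(parts[i:])


def parse_quarantine_report(build_output: str) -> list[QuarantinedPackage]:
    """Pair each quarantine notice with the download failure that follows it."""
    found: list[QuarantinedPackage] = []
    pending_firewall_url: Optional[str] = None
    for line in build_output.splitlines():
        m = QUARANTINE_RE.search(line)
        if m:
            pending_firewall_url = m.group(1)
            continue
        m = FAILED_RE.search(line)
        if m:
            name, url = m.groups()
            package_id, version = split_id_version(name, url)
            found.append(QuarantinedPackage(package_id, version, url, pending_firewall_url))
            pending_firewall_url = None
    return found


def format_report(packages: list[QuarantinedPackage]) -> str:
    if not packages:
        return "No quarantined packages in restore output."
    lines = [f"{len(packages)} package(s) quarantined by the repository firewall:"]
    for p in packages:
        lines.append(f"  {p.package_id} {p.version}  details: {p.firewall_url or '(no firewall link found)'}")
    return "\n".join(lines)


def gate_exit_code(packages: list[QuarantinedPackage]) -> int:
    """Non-zero so the CI step fails loudly instead of burying the cause in warnings."""
    return 1 if packages else 0


if __name__ == "__main__":
    # Usage: python quarantine_gate.py build.log   (no argument: run on the constructed sample)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_BUILD_OUTPUT
    pkgs = parse_quarantine_report(text)
    print(format_report(pkgs))
    sys.exit(gate_exit_code(pkgs))
```

This makes the blocked components visible for triage (which ones are transitive dependencies of the generated WorkerExtensions.csproj, and which firewall policy quarantined them); it does not unblock the restore itself, which still requires the dependency versions to change or the firewall policy to allow them.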
