Only update versions of all vulnerable reference packages

[fuyuesong]

仅更新所有有漏洞引用包的版本

[toddams]

Along the lines you also added reference to Microsoft.NETCore.App, which we did not have

[fuyuesong]

Hello! Glad to see your reply.

The reason why the reference to Microsoft.NETCore.App is added to the following two projects is that these two projects already have this package referenced by default. You can check your original projects to see if there is such a reference.

When the reference is not added manually, the default is to reference the lowest - version package with vulnerabilities. Only after adding the reference manually can a new version be specified.

These two projects are for demonstration and testing, and they have no impact on the core class library.

samples/RazorLight.Samples/Samples.EntityFrameworkProject.csproj

tests/RazorLight.Tests/RazorLight.Tests.csproj

If the Microsoft.NETCore.App package is not added manually, vulnerabilities exist.

Manually adding the Microsoft.NETCore.App package resolves the vulnerabilities.