If I create a new Azure Functions project and do dotnet restore -vn with a cleared NuGet cache, I see that it fetches (among others) the following packages from https://api.nuget.org/v3/index.json as transitive dependencies of Microsoft.NET.Sdk.Functions 4.1.1 (the only top-level package I have installed):
Installed Microsoft.AspNetCore.Http 2.1.0 from https://api.nuget.org/v3/index.json with content hash eAPryjDRH41EYY2sOMHCu+tHXLI6PUN1AsOPKst6GbiIoMi8wJCiPcE4h9418tKje1oUzmMc2Iz8fFPPVamfaw==.
Installed System.Net.Http 4.3.0 from https://api.nuget.org/v3/index.json with content hash sYg+FtILtRQuYWSIAuNOELwVuVsxVyJGWQyOnlAzhV4xvhyFnON1bAzYYC+jjRW8JREM45R0R5Dgi8MTC5sEwA==.
Installed System.Net.Sockets 4.3.0 from https://api.nuget.org/v3/index.json with content hash m6icV6TqQOAdgt5N/9I5KNpjom/5NFtkmGseEH+AK/hny8XrytLH3+b5M8zL/Ycg3fhIocFpUMyl/wpFnVRvdw==.
My question is: why is it fetching these packages from nuget.org when they are part of the .NET Core SDK? Why is it not using those? Surely I am doing something wrong. Shouldn't the default be to use the packages from the SDK, not these old packages, some of which have vulnerabilities (System.Net.Sockets 4.3.0, for example)?
I'm not able to ignore these because we use a corporate JFrog repository that blocks these packages, so nuget restore errors when using that as a source. I'm showing the repro steps with nuget.org as the source to rule out an issue with JFrog. It also downloads (successfully) these old packages from nuget.org, so it can't be an issue with the repository. It must be something with my Visual Studio, NuGet configuration, .NET Core installation, etc. I'm happy to volunteer specific details on any of these.
Any help or suggestions would be much appreciated.
Check your Package Sources under Tools > Options > NuGet Package Manager. If you uncheck nuget.org, it won't fetch packages from https://api.nuget.org/v3/index.json
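
To see which feed each package in a restore actually came from, and which of them a corporate feed would reject, the `Installed ...` lines quoted in the question can be parsed directly. The following is an added example, not part of the original question or answer; the `BLOCKED` list, the project path and the placeholder content hashes in the sample log are constructed assumptions.

```python
import re
from collections import defaultdict

# Line format as printed by `dotnet restore -vn` in the question above.
INSTALLED = re.compile(
    r"Installed (?P<id>\S+) (?P<version>\S+) from (?P<source>\S+) "
    r"with content hash (?P<hash>[A-Za-z0-9+/=]+)\."
)

# Constructed sample log: package IDs, versions and feed URL are from the
# question; the project path and content hashes are placeholders.
SAMPLE_LOG = """\
  Restoring packages for C:\\src\\FunctionApp1\\FunctionApp1.csproj...
  Installed Microsoft.AspNetCore.Http 2.1.0 from https://api.nuget.org/v3/index.json with content hash AAAA+/AA==.
  Installed System.Net.Http 4.3.0 from https://api.nuget.org/v3/index.json with content hash BBBB+/BB==.
  Installed System.Net.Sockets 4.3.0 from https://api.nuget.org/v3/index.json with content hash CCCC+/CC==.
"""

# Hypothetical deny list standing in for whatever the corporate feed blocks.
BLOCKED = {("System.Net.Sockets", "4.3.0")}


def parse_restore_log(text):
    """Return one dict per 'Installed ...' line in the restore output."""
    return [m.groupdict() for m in INSTALLED.finditer(text)]


def audit(text, blocked=BLOCKED):
    """Group installed packages by feed and list those on the deny list."""
    # NuGet package IDs are case-insensitive, so compare lowercased.
    deny = {(pkg_id.lower(), version) for pkg_id, version in blocked}
    by_source = defaultdict(list)
    flagged = []
    for pkg in parse_restore_log(text):
        key = (pkg["id"], pkg["version"])
        by_source[pkg["source"]].append(key)
        if (key[0].lower(), key[1]) in deny:
            flagged.append(key)
    return dict(by_source), flagged


if __name__ == "__main__":
    sources, flagged = audit(SAMPLE_LOG)
    for src, pkgs in sources.items():
        print(f"{src}: {len(pkgs)} package(s)")
    for pkg_id, version in flagged:
        print(f"blocked: {pkg_id} {version}")
```

Feeding it the saved output of a real restore in place of `SAMPLE_LOG` gives the list of transitive packages to raise with the feed administrators or to pin to newer versions.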