Why does updating a NuGet package with no dependencies cause web.config binding redirect changes (.NET Framework)?


I am looking for some clarification on why a "no dependencies" NuGet package upgrade in 1 project in a SLN is triggering multiple .config file changes across the entire solution.

Due to a vulnerability scan, I have been asked to upgrade ICSharpCode.SharpZipLib version 0.86. I chose version 1.3.3 because it is the latest version that states there are no dependencies. However, after the upgrade, all of the app.config and web.config files are showing changes to several Microsoft.Extensions bindings, including .DependencyInjection.Abstractions, .Options, .Logging.Abstractions, .Logging, and .Configuration. In what appears to be all cases, the binding redirects jumped from 2.0.0 to 2.1.1. (Configuration was added in some cases.)

This is a SLN from 2007, encompassing ~150 projects including websites, Windows services, and WCF, all using a variety of .NET Framework from 3.5, mostly in 4.7.2, a few in 8.1, and standard 2. As far as I can tell, only 1 website uses this ICSharpCode.SharpZipLib library (at least according to the Manage Solution NuGet Packages tool), but the binding redirect already existed in all the .config files.

I have tried package 1.0.0 (explicitly supports standard 2) as well as 1.3.3 (explicitly supports standards 2 and 2.1), and both want to version bump the config files to 2.1.1.

Any ideas what's going on here? Is it safe to undo all the config files except for the one website that uses it? Is this some kind of "special" DLL that needs to be included as a binding redirect, even in projects that don't use it?
