
Is DLL Hell a real issue in modern .NET package management?

I'm investigating a NuGet package called IronXL.Excel deeply, since it hides a few dependencies and embeds community open-source packages in its NuGet package.

According to the Iron Software credit page:
>There is no need to install any additional software; everything you need to run this library is included in our download & NuGet packages. All code is generally compiled into our software in such a way to avoid 'DLL Hell' and make installation easy for those teams who prefer not to use the NuGet package manager.

It looks like the major reason is DLL Hell. But I have NOT encountered a DLL Hell issue for years. Is this reason solid? Or do you have the same feeling as I do, that they are hiding something?

The reason I started investigating this package is that I saw this Stack Overflow post:
>IronXL uses NPOI internally. If you download the nuget package and decompile the dll, you'll see that it has embedded code from: NPOI, BouncyCastle, Newtonsoft, ICSharpCode, ImageSharp, and probably others.
>It seems to me that they have taken a bunch of open-source code and packaged it up to make it look standalone so that they can charge money for it. I don't have any issue with charging money for your own work, but when you're trying to sell someone else's work that feels a bit shady.

And I have a further concern: if they hide dependency packages, they may also hide critical security bugs, because the security scanner will not know which versions of these dependencies they are really using. It's not possible for it to raise a CVE warning (or is it possible)?
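
An added example, not part of the original post and not code from any vendor: a check a defender can run on a `.nupkg` to compare the dependencies declared in its `.nuspec` (what dependency scanners read) against third-party namespace strings present in the shipped DLLs. The namespace-to-package mapping, the `Vendor.Sheets` package name and the fake DLL bytes are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace string -> NuGet package id (assumed mapping for the libraries the post names).
MARKERS = {
    b"NPOI.SS.UserModel": "NPOI",
    b"Org.BouncyCastle": "BouncyCastle",
    b"Newtonsoft.Json": "Newtonsoft.Json",
    b"ICSharpCode.SharpZipLib": "SharpZipLib",
    b"SixLabors.ImageSharp": "SixLabors.ImageSharp",
}

def declared_dependencies(nupkg: bytes) -> set:
    """Package ids listed in the .nuspec, the metadata dependency scanners read."""
    with zipfile.ZipFile(io.BytesIO(nupkg)) as z:
        nuspec = next(n for n in z.namelist() if n.endswith(".nuspec"))
        root = ET.fromstring(z.read(nuspec))
    return {e.attrib["id"].lower() for e in root.iter()
            if e.tag.rsplit("}", 1)[-1] == "dependency"}

def namespaces_in_assemblies(nupkg: bytes) -> set:
    """Known third-party namespaces found as raw strings in any shipped DLL."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(nupkg)) as z:
        for name in z.namelist():
            if name.lower().endswith(".dll"):
                data = z.read(name)
                found |= {pkg for marker, pkg in MARKERS.items() if marker in data}
    return found

def undeclared_bundles(nupkg: bytes) -> list:
    """Libraries present in the binaries but absent from declared dependencies."""
    declared = declared_dependencies(nupkg)
    return sorted(p for p in namespaces_in_assemblies(nupkg) if p.lower() not in declared)

def build_sample_nupkg(declare=()) -> bytes:
    """Constructed stand-in package: fake DLL bytes carrying namespace strings."""
    deps = "".join(f'<dependency id="{d}" version="1.0.0"/>' for d in declare)
    nuspec = ('<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">'
              "<metadata><id>Vendor.Sheets</id><version>1.0.0</version>"
              f"<dependencies>{deps}</dependencies></metadata></package>")
    dll = b"MZ" + b"\x00".join([b"", b"Vendor.Sheets", b"NPOI.SS.UserModel",
                                b"Org.BouncyCastle.Crypto", b"Newtonsoft.Json.Linq"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Vendor.Sheets.nuspec", nuspec)
        z.writestr("lib/netstandard2.0/Vendor.Sheets.dll", dll)
    return buf.getvalue()
```

A hit only shows that a library's namespace is present in the binaries; which version was bundled still has to be established separately before matching it against advisories. Renamed or obfuscated namespaces will not be found by this string match.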