- Notifications
You must be signed in to change notification settings - Fork311
remove unnecessary System.Text.Json dependency on modern .NET#2930
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
@dotnet-policy-service agree |
/azp run |
| Azure Pipelines successfully started running 2 pipeline(s). |
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
cheenamalhotra left a comment• edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I don't agree with the changes, as this is added purposely. What false positives are you concerned about?
This dependency is simply not necessary since the .NET runtime itself already contains System.Text.Json . This causes false positives in NuGet Audit because if a library like Microsoft.Data.SqlClient e.g. depends on the vulnerable System.Text.Json 8.0.4, but I'm actually using the latest .NET runtime which contains the fixed 8.0.5, the SDK will use the latest version. Meaning I'm not actually affected by the vulnerability, but NuGet Audit will still claim that I am. NuGet is actually working on fixing this, so it considers the runtime dependencies (seeSupplied by Platform ). But even when they fix this, not having this unnecessary dependency in the first place is imho the better option. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@## main #2930 +/- ##==========================================+ Coverage 71.92% 75.94% +4.02%========================================== Files 294 246 -48 Lines 60342 40260 -20082 ==========================================- Hits 43398 30577 -12821+ Misses 16944 9683 -7261
Flags with carried forward coverage won't be shown.Click here to find out more. ☔ View full report in Codecov by Sentry. |
Based on commentNuGet/Home#7344 (comment), I believe Supplied by Platform is not yet available in .NET 8 or 9. Can you confirm my understanding? |
@cheenamalhotra that is correct, but only affects potential nuget audit warnings. Adding this as an explicit reference with .NET 8 is wrong. |
mungojam commentedOct 30, 2024
I hope this can be backported unless v6 is coming very soon and in ef SQL by default. Every time a system.text.json vuln comes up we're having to update it explicitly just because of SQL client lib, other Ms libs don't show the same explicit dependency |
@mungojam Why backported? This was introduced in 6.x |
mungojam commentedOct 31, 2024
It will still be needed for .net framework consumers so you might need a conditional package reference instead |
Uh oh!
There was an error while loading.Please reload this page.
The .NET Framework reference is still there, it was already conditional because .NET Framework/.NET have different csproj files. |
08a2433 intodotnet:mainUh oh!
There was an error while loading.Please reload this page.
mungojam commentedNov 1, 2024 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
Partial revert of#2921 . System.Text.Json is part of the framework on modern .NET, so this dependency is unnecessary and wil just cause false positives in NuGet audit.