Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

remove unnecessary System.Text.Json dependency on modern .NET #2930

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

mus65
Copy link

@mus65 mus65 commented Oct 26, 2024

Partial revert of #2921 . System.Text.Json is part of the framework on modern .NET, so this dependency is unnecessary and wil just cause false positives in NuGet audit.

@mus65
Copy link
Author

mus65 commented Oct 26, 2024

@dotnet-policy-service agree

@David-Engel
Copy link
Contributor

/azp run

Copy link

Azure Pipelines successfully started running 2 pipeline(s).

Copy link
Member

@cheenamalhotra cheenamalhotra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't agree with the changes, as this is added purposely. What false positives are you concerned about?

@mus65
Copy link
Author

mus65 commented Oct 28, 2024

I don't agree with the changes, as this is added purposely. What false positives are you concerned about?

This dependency is simply not necessary since the .NET runtime itself already contains System.Text.Json . This causes false positives in NuGet Audit because if a library like Microsoft.Data.SqlClient e.g. depends on the vulnerable System.Text.Json 8.0.4, but I'm actually using the latest .NET runtime which contains the fixed 8.0.5, the SDK will use the latest version. Meaning I'm not actually affected by the vulnerability, but NuGet Audit will still claim that I am.

NuGet is actually working on fixing this, so it considers the runtime dependencies (see Supplied by Platform ). But even when they fix this, not having this unnecessary dependency in the first place is imho the better option.

Copy link

codecov bot commented Oct 28, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 75.94%. Comparing base (39c4604) to head (1569786).
Report is 4 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2930      +/-   ##
==========================================
+ Coverage   71.92%   75.94%   +4.02%     
==========================================
  Files         294      246      -48     
  Lines       60342    40260   -20082     
==========================================
- Hits        43398    30577   -12821     
+ Misses      16944     9683    -7261     
Flag Coverage Δ
addons 92.90% <ø> (ø)
netcore 75.81% <ø> (-0.02%) ⬇️
netfx ?

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@cheenamalhotra
Copy link
Member

Based on comment NuGet/Home#7344 (comment), I believe Supplied by Platform is not yet available in .NET 8 or 9. Can you confirm my understanding?

@ErikEJ
Copy link
Contributor

ErikEJ commented Oct 29, 2024

@cheenamalhotra that is correct, but only affects potential nuget audit warnings. Adding this as an explicit reference with .NET 8 is wrong.

@cheenamalhotra cheenamalhotra added this to the 6.0-preview3 milestone Oct 29, 2024
@mungojam
Copy link

I hope this can be backported unless v6 is coming very soon and in ef SQL by default. Every time a system.text.json vuln comes up we're having to update it explicitly just because of SQL client lib, other Ms libs don't show the same explicit dependency

@ErikEJ
Copy link
Contributor

ErikEJ commented Oct 31, 2024

@mungojam Why backported? This was introduced in 6.x

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants