Verify project template dependencies #57560
Conversation
- Fix VS incrementality for Microsoft.DotNet.Web.ProjectTemplates
dotnet-issue-labeler
bot
added
the
area-mvc
| @@ -64,6 +69,11 @@ | |||
| <GeneratedContent Include="BlazorWeb-CSharp.csproj.in" OutputPath="content/BlazorWeb-CSharp/BlazorWeb-CSharp/BlazorWeb-CSharp.csproj" /> | |||
| <GeneratedContent Include="BlazorWeb-CSharp.Client.csproj.in" OutputPath="content/BlazorWeb-CSharp/BlazorWeb-CSharp.Client/BlazorWeb-CSharp.Client.csproj" /> | |||
| <GeneratedContent Include="ComponentsWebAssembly-CSharp.csproj.in" OutputPath="content/ComponentsWebAssembly-CSharp/ComponentsWebAssembly-CSharp.csproj" /> | |||
| <!-- This appears to use the right UpToDateCheckBuilt parameters, but DisableFastUpToDateCheck is still necessary for VS to pick up incremental updates. --> | |||
| <!-- Maybe this is related to the OutputPath being inside of the projects content directory rather than bin or obj. --> | |||
| <!--<UpToDateCheckBuilt Include="@(GeneratedContent->'%(OutputPath)')" Original="@(GeneratedContent)" />--> | |||
There was a problem hiding this comment.
@javiercn Do you have an idea why this doesn't work when running tests in VS?
I saw that the GenerateContent target has basically the same inputs and outputs as this, so this is probably redundant anyway. I just wanted to confirm that configurating DisableFastUpToDateCheck is really the only way to get VS to automatically rebuild this project when running a test after changing a .csproj.in file.
There was a problem hiding this comment.
It's the safest way.
We could take a look together if you want and figure out the details. I recently had to implement this for other reasons, so I'm relatively familiar with how it works.
@halter73 EF will definitely be bumping its version of Microsoft.Data.SqlClient - not to 5.2.2 (which isn't LTS and so would run out of support before EF 9.0 does), but to 5.1.6, which also shouldn't have the security issue. PR dotnet/efcore#34540 is out and should get merged for rc2.
Is the System.Drawing.Common dependency causing issues, even though it's not a runtime dependency (only referenced from an analyzer)? If so (would be interested in some context), we could also also add a direct dependency to a newer version in EF itself, rather than it being done in templates... |
|
/cc @ericstj |
|
It seems like there would be a product bug if an EF package has a dependency on CodeAnalysis that is visible to ASP.NET Core. EF should just be referencing CodeAnalysis for its surface area and hiding that dependency from any of its packages (since it doesn't participate in the library dependency graph). I chatted with @roji and mentioned it should be safe to add a drawing dependency and hide it in a similar way. It doesn't impact what ships to customers and it's safer since the tools that validate dependencies won't see the vulnerable reference. The fact that ASPNETCore is able to observe the CodeAnalysis dependency though makes we think there might be another bug to fix. @halter73 can you share the |
|
I double-checked, and am noting that CodeAnalysis is also referenced from Microsoft.EntityFrameworkCore.Design, which is another non-runtime package that is require for executing various EF CLI commands ( |
|
Is Microsoft.EntityFrameworkCore.Design meant to be used in a way that it brings CodeAnalysis along with it and is responsible for deploying it? That feels a bit unusual. Typically these sort of design-time dependencies should not be represented as package dependencies that would leak into the user's application / output directory. |
|
In typical applications |
I'm not sure what that means. I see a mix a references that look an awful lot like normal references from regular applications: https://github.com/search?q=org%3Adotnet+%2FPackageReference.*Include%3D%22Microsoft.EntityFrameworkCore.Design%22%2F&type=code Even for those that use EDIT: it does look like EF avoids passing those to the compiler (by omitting |
|
We allow |
I'm not sure I see a way to use this package at all that doesn't result in the compiler being copied to the output directory. Which is the default for add package, the compiler is still copied to the output directory. So even if that's uncommon, I think the support for it is leaking into all uses. Also if I can trust the what I'm seeing from the simple search of dotnet repos, most are referencing in the uncommon way as a regular PackageReference without include/private. IMO we should change this package to optimize for the common scenario rather than the uncommon one. |
|
What is the issue with the dependencies being present in the output directory if they aren't referenced from the app?
Even for the common scenario there are at least 3 design-time consumers of
All of them need to load |
You're taking on a very large dependency set that is causing people to need to update packages, for dependencies they don't even use. You may also be bloating the app significantly if no-one actually uses Microsoft.CodeAnalysis at runtime.
Right, I don't disagree with you having a package that puts |
In many cases they would still be needed when running the tools. Seems like it would just add friction with the same result. |
|
In general, while this type of a swiss-knife project is a good place to start as everything is readily available we recommend that the users move their migrations to a separate project. This migrations project wouldn't be deployed with the app and only used at design time (or deploy time) and would be the project that references Microsoft.EntityFrameworkCore.Tools and/or Microsoft.EntityFrameworkCore.Design |
|
@ericstj I understand the concerns about including the compiler in our Design package... But at least at the moment (for 9.0) it is what it is, I think. However, we still need to decide whether:
|
|
For the analyzers package you should upgrade and keep the dependency private. It's already that way. It doesn't leak to your users: https://github.com/dotnet/efcore/blob/f0965d6e88ac88ee235deef21804e64bbc62decf/src/EFCore.Analyzers/EFCore.Analyzers.csproj#L32-L33 For the designer package I do think you should rethink your dependencies for the next version. Seems to me more of those should be private given the little I've learned about the customers for this package. For the short term - can EF update the version of Microsoft.Build that it's pulling in? From above (thanks @halter73!) I see: It looks like the version of CodeAnalysis is 4.8 which can't move due to VS support and Roslyn hasn't provided a patched version to resolve these. Microsoft.Build.Framework looks rather old (16.10) and I think you could update to 17.8.3 and still maintain the same VS support (17.8) while getting greatly reduced dependencies. Take care when adding this reference to match the characteristics it has from Microsoft.CodeAnalysis.Workspaces.MSBuild: So you can have EF.Design add <PackageReference Include="Microsoft.CodeAnalysis.Workspaces.MSBuild" Version="$(MicrosoftCodeAnalysisVersion)" />
<!-- Upgrade the version of Microsoft.Build.Framework referenced by Microsoft.CodeAnalysis.Workspaces.MSBuild -->
<PackageReference Include="Microsoft.Build.Framework" Version="17.8.3" ExcludeAssets="Runtime" />PS: with CPM that is not hard at all. |
It's more sustainable for the transitive dependencies to be updated by the packages that directly depend on them. Also, at this point of the release it would be very risky for us to upgrade to a new major version of a dependency. For the scenarios that would be potentially impacted by this change in particular we don't have any automated tests (dotnet/efcore#33136) |
So here that would mean you'd need an update to
You could probably diff your assembly and see if it changed at all with this update. There is a good chance that it doesn't change at all since I don't see any references to |
|
I agree that bumping the MSBuild dependency around the Roslyn Workspaces package should generally be low-impact. I can't dig into this deeply today but I think @ericstj is looking at the right things. |
Some of our project templates transitively reference vulnerable NuGet packages. This PR adds automated testing to verify restoring NuGet packages for our project templates does not produce any vulnerability warnings.
This is complicated by the fact that we do not restore packages from nuget.org to avoid supply chain attacks, but the vulnerability warnings only appear if you use nuget.org as a package source. To work around this, I updated the
RunDotNetNewAsyncmethod used by most of our project template tests to calldotnet list package --vulnerable --include-transitive --source https://api.nuget.org/v3/index.jsonI updated the templates that I already know produce vulnerability warnings to directly reference the vulnerable packages and require up-to-date versions of them. I also made some updates to make it easier to run our template tests locally.
I'm leaving this as a draft for now since I want to confirm that it will be necessary to directly reference these packages. Some of these references, like the System.Text.Json ones, shouldn't be necessary because the version should already be hoisted to 9.* by the net9.0 shared runtime, but
dotnet restore,dotnet nuget whyanddotnet list package --vulnerable --include-transitivedon't appear to realize this. However, this wasn't a problem until recently because Microsoft.Extensions.DependencyModel took a new enough NuGet dependency until dotnet/runtime#106172 changed that for the net9.0 target. I plan to follow up with the SDK team about this.I'm also looking into whether Microsoft.EntityFrameworkCore.SqlServer can update its Microsoft.Data.SqlClient dependency to 5.2.2 (which was just released a few hours ago) before .NET 9 ships. @dotnet/efteam Do you know if this is something you're already planning?
I tried to encourage efcore to update its Microsoft.CodeAnalysis dependency and thereby its System.Drawing.Common dependency by opening dotnet/efcore#34116, but this caused some test failures, and there doesn't appear to be interest in updating this dependency for .NET 9. I think this means we'll be forced to at least add a direct System.Drawing.Common dependency to some of our templates.