Match SDK versions of MSBuild framework #3187
Conversation
sbomer
force-pushed
the
versionFixMain
branch
from
5e4a2b3 to
b8eb958
Compare
|
I think it was to sync with dotnet/runtime https://github.com/dotnet/runtime/blob/43b8dcf48e26019ce2aca5ae2f249001693b42c2/eng/Versions.props#L175 If this dependency versioning should probably be moved to arcade though to avoid further problems in source build. |
|
Got it, thanks! Another approach would be to upgrade to the version used by dotnet/runtime, which was also recently bumped to fix component governance warnings: dotnet/runtime#77678. However, my preference is to match the SDK version. I think using a later version creates the possibility for us to depend on APIs that don't exist at runtime. I think the SDK version should be OK from a component governance perspective, since they presumably aren't hitting warnings either - and if they do, we can upgrade to match when they do. |
Yes that's the preferred path. FWIW, we do have an open PR that removes the System.Drawing.Common dependency: dotnet/runtime#80347 (comment) |
|
Thanks - does dotnet/sdk need to be updated too? |
|
Unsure. I think what they use works for source-build so it's probably fine to keep it pinned to the lower version. cc @mmitche @marcpopMSFT |
* Match SDK versions of MSBuild framework * Bump to match runtime versions Commit migrated from dotnet/linker@053438e
The version of
Microsoft.Build.Frameworkthat we depend on has a transitive dependency onSystem.Drawing.Commonthat is being flagged due to a security vulnerablility in dotnet/sdk#29927. The dependency is probably unused, but we would like to fix it to prevent further false positive reports.This is being referenced as a transitive dependency of
Microsoft.Build.Framework: Microsoft.Build.Framework/17.0.0-preview-21267-01 -> System.Security.Permissions/4.7.0 -> System.Windows.Extensions/4.7.0 -> System.Drawing.Common/4.7.0.dotnet/sdkuses a lower version (15.4.8) ofMicrosoft.Build.Framework, which doesn't have a dependency on System.Drawing.Common.dotnet/linkerused to reference the same version but we bumped it in #1840 and #2047. @marek-safar do you know why we made the upgrade? My inclination is to change back to 15.4.8, since I don't think we can actually be depending on any API surface newer than what ships with the SDK. If there's a requirement to reference a higher version, please let me know.