-
Notifications
You must be signed in to change notification settings - Fork 33
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create SECURITY.md #165
base: develop
Are you sure you want to change the base?
Create SECURITY.md #165
Conversation
Please enable Dependabot!!!
Hi - thank you for reminding me; I’ve been working on this issue (on and off) for a while now, and am hoping to have some time over the next couple of weeks to complete it (I’ve also been trying to write a code generator for resource models and the associated clients). It’s a little more challenging than it first appeared on the surface, both because of It’s further complicated by the need to port the HTTP templating library (HTTPlease) as well, which also involves the same types of issues as dotnet-kube-client. HTTPlease was built in the ASP.NET WebAPI era and, as such, much (although not all) of the functionality it provides is now also supplied by the “built-in” framework types and packages. It also needs some modernisation to support As for supporting All of the above is the main reason I haven’t enabled dependabot yet; much of what it asks for couldn’t be done without first completing the above work and I’m a little sensitive to interruptions by automated notifications. But, yes, you’re absolutely right it does need to be done. I’ve not had a |
It’s also worth noting that a large part of the reason the upgrade is proving to be painful is self-inflicted; it’s mainly because I’ve left it for far too long before upgrading but, you know, life gets in the way sometimes 🙂 |
OK I see now. HTTPlease is your library. Do you support the lib?
What is the primary benefit of the library? Why is it not possible to dereference from the |
Yes, I could do that (although it would be a breaking change for consumers who have written their own resource clients or other extensions for KubeClient). The immutable stuff is neither here nor there, but there are some aspects of making an API client that can be tricky to get right (e.g. handling differing response payloads depending on HTTP status code, surfacing error responses as meaningful exceptions, consistently constructing request URIs with correct escaping, consistently supporting multiple authentication methods, etc). I would like to extract a subset of the most important functionality that’s tricky to get right (e.g. URI templates and response/error-response body handling) and create a simplified version in KubeClient. |
I actually use HTTPlease in a couple of other projects (some of which are still in use) so I probably wouldn’t go as far as archiving it; I’d rather modernise it although it would still be good to remove the dependency from KubeClient. |
Well... Adam, I find the design and implementation complexity of |
Thanks - I’ll give that a try this weekend (will set up multi-targeting and see what - if anything - breaks for various platforms). And for what it’s worth I agree with you - while, at the time, the complexity felt justified given the existing landscape, things have moved on and it’s a good time to clean out some of that complexity and replace it (where practical) with implementations that I don’t have to maintain! |
Possible (partial) replacement (of implementation) for HTTPlease URI-template functionality: https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.extensions.urihelper?view=aspnetcore-6.0 |
Alternative (and one of the most popular) implementations of URI templates: https://github.com/tavis-software/Tavis.UriTemplates |
Moving HTTPlease-removal work to #166. |
Indeed, .NET offers an abundance of useful functionalities. I believe, it is feasible to transition to native Microsoft libraries and packages. |
I don't recommend to reference to the next external lib. But it is up to you! |
Only problem is the library from ASP.NET core is only available as a FrameworkReference (which, as a library , we probably don’t want to take as a dependency). |
Moving multi-targeting work to #167. |
Please enable Dependabot! Visual Studio reports multiple vulnerabilities due to an outdated target framework. Dependabot will assist in monitoring and managing vulnerabilities of referenced libraries and frameworks. An example can be found in Ocelot repository.
Warnings in VS
Outdated Target Frameworks
Additionally, KubeClient/2.5.12 is currently targeted to the
netstandard2.0
framework, which is outdated. It would be more appropriate to targetnetstandard2.1
. However, have concerns regardingnetstandard2.1
, as ideally, should targetnet6.0
,net7.0
, andnet8.0
. Furthermore,net9.0
has been released this month.Why do you not adhere to the standard End-of-Support periods for each .NET version?
Please consider changing the targeting frameworks!
I recommend releasing a library with targets for
net8.0
andnet9.0
only, asnet6.0
andnet7.0
are no longer supported by Microsoft.