Avoid package dependencies on inbox libraries #8669
Conversation
- System.Security.Principal.Windows is inbox since net6.0 - System.Net.Http is inbox since netcoreapp2.0 - System.Resources.Extensions is inbox since netcoreapp2.0 - System.Reflection.Metadata is inbox since netcoreapp2.0 - System.Threading.Tasks.Dataflow is inbox since netcoreapp2.0 By avoiding the dependencies, we minimize the dependency graph and with that the attack surface.
ViktorHofer
force-pushed
the
MSBuildDontReferenceInboxLibsOnNetCoreApp
branch
from
78c302d to
515fd70
Compare
|
I don't have permissions to hit the merge button. |
|
@dotnet/kitten will merge when appropriate. |
|
Just curious as I haven't stumbled upon such a policy in our stack yet. Does that mean that only dotnet/kitten (which I assume is a rotational assignment) is allowed to merge PRs into dotnet/msbuild? |
|
Yes, that's the general policy--the idea is to minimize the likelihood of causing regressions in Visual Studio, since we can't run their test suite inline with ours in PRs. |
rainersigwald
added
the
merge-when-branch-open
This reverts commit 8326396.
|
I tried to bring this back but leave @jeffkl do you know of anything that might have caused that? I tried to repro on a trivial new project referencing Shouldly 3.0.0 (which I think is the source of the problem for us) but it seemed fine there, so something more subtle might be going on in the MSBuild repo. |
System.Security.Principal.Windows is inbox since net6.0 System.Net.Http is inbox since netcoreapp2.0 System.Reflection.Metadata is inbox since netcoreapp2.0 System.Threading.Tasks.Dataflow is inbox since netcoreapp2.0 Leave System.Net.Http package references which aren't needed as they underlying assembly is inbox on both .NETFramework and .NETCoreApp, to avoid component governance alerts about downloading (but not using) an old version. By avoiding the dependencies, we minimize the dependency graph and with that the attack surface. cc @MichaelSimons (removes netstandard1.x dependencies)
|
I was going to open an issue for upgrading Shouldly/3.0.0 to 4.2.1 in the msbuild repo. Unfortunately there are >100 errors that would need to be resolved, presumably because of API changes. |
Not off the top of my head, the assets file should explain it. |
System.Security.Principal.Windows is inbox since net6.0 System.Net.Http is inbox since netcoreapp2.0 System.Reflection.Metadata is inbox since netcoreapp2.0 System.Threading.Tasks.Dataflow is inbox since netcoreapp2.0 Leave System.Net.Http package references which aren't needed as they underlying assembly is inbox on both .NETFramework and .NETCoreApp, to avoid component governance alerts about downloading (but not using) an old version. By avoiding the dependencies, we minimize the dependency graph and with that the attack surface. cc @MichaelSimons (removes netstandard1.x dependencies)
By avoiding the dependencies, we minimize the dependency graph and with that the attack surface.
cc @MichaelSimons (removes netstandard1.x dependencies)