Allow for modifying inner-builds packages from outer-build

[jviau]

This issue is primarily a response to the issue of vulnerable packages being brought in as part of WorkerExtensions.csproj. Today there is no convenient way to manually update these vulnerable packages from the outer-build. This issue is to track an enhancement that will allow for modification from the outer build.

Goals

• Provide a mechanism for extensions, or end users, to directly modify the package references used by WorkerExtensions.csproj
  • The intent is for extensions to be able to address transitive dependency CVE's from the WebJobs extension they rely on.
• NEEDS FURTHER CONSIDERATION: Have this MSBuild-based approach be an alternative to the extension assembly attribute used today
  • There is loss of context when shifting from an attribute to the msbuild item: we need to identify which of these items we add to extension.json. Additionally, today we default to including an extension only if a trigger or binding from it is actually used.

Non Goals

• Deprecate extension assembly attribute.
  • We will continue to support this, but we will most likely shim these assembly attributes to MSBuild items added from this work.

Preliminary Design

We will introduce a new MSBuild item group which can be used to add or update packages on the inner build.

<Project>

  <ItemGroup>
    <FunctionsExtensionsPackageReference Include="System.Net.Http" Version="4.3.4" />
  <ItemGroup>

</Project>

The above will add an explicit <PackageReference Include="System.Net.Http" Version="4.3.4" /> to the WorkerExtensions.csproj.

[jviau]

We discussed this and have decided not to proceed with this design for the time being. We will instead improve our validation to ensure we are keeping extension packages up to date.

#2237

[jviau]

We are reconsidering this feature

[josesos]

It is critical for our team to have a way to add or update packages on the inner build. We have critical CVE items against our team that we cannot resolve because of the WorkerExtension.csproj inner build.

Could we please get an update on this feature?

[josesos]

Another issue was opened recently that talks to the need for this feature.
#2593

[MaxMommersteeg]

Currently dealing with 3 dependencies that are referenced from generated WorkerExtensions.csproj project that are vulnerable, while I can't override package versions to resolve the issues from my own function project:

[REDACTED]

[josesos]

I have issues with the same dependencies In the same project. Get Outlook for iOS<https://aka.ms/o0ukef>

…

________________________________ From: Max ***@***.***> Sent: Tuesday, July 16, 2024 7:44:42 AM To: Azure/azure-functions-dotnet-worker ***@***.***> Cc: Jose Sosa ***@***.***>; Comment ***@***.***> Subject: Re: [Azure/azure-functions-dotnet-worker] Allow for modifying inner-builds packages from outer-build (Issue #2221) Currently dealing with 3 dependencies that are referenced from generated WorkerExtensions.csproj project that are vulnerable, while I can't override package versions to resolve the issues from my own function project: * System.Text.Json (4.7.2) * Azure.Identity (1.10.2) * Microsoft.Identity.Client (4.54.1) — Reply to this email directly, view it on GitHub<#2221 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BDMAHFYF7R3EHYSSX3T37LTZMUBSVAVCNFSM6AAAAABCA5MUJGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDEMZQGY4DMMJZGY>. You are receiving this because you commented.Message ID: ***@***.***>