Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[DCR]: ExcludeAssets="all" should exclude the package from the restore graph #11567

Open
zivkan opened this issue Feb 6, 2022 · 1 comment
Open

[DCR]: ExcludeAssets="all" should exclude the package from the restore graph #11567

zivkan opened this issue Feb 6, 2022 · 1 comment
Assignees
@zivkan
Labels
Functionality:Restore Priority:2 Issues for the current backlog. Type:DCR Design Change Request

Comments

@zivkan
Copy link
Member

zivkan commented Feb 6, 2022

NuGet Product(s) Affected

Other/NA

Current Behavior

Say there's a transitive dependency of some package you use, but the way you use your own dependency doesn't need the transitive package. It's possible to use ExcludeAssets="all" to avoid the package actually being used in your build.

However, tools like Dependabot and other security analysis tools that analyze the project.assets.json file to see what versions of packages are actually used in your build, will think the package is used and tell you to upgrade the package. This is pointless busy work for the team that has already gone to the effort of excluding the package from their build.

Similarly, tools that generate a software "bill of materials" will list it as being used by your project, even though it is, in fact, excluded. It's difficult for such tools to recognize that the package is actually excluded.

Desired Behavior

My preferred requirements are:

  1. There should not be any warnings if the Version metadata is omitted. For example <PackageReference Include="SomePackage" ExcludeAssets="all" /> should not generate any warnings.
  2. The assets file does not list the package in the targets or libraries section, so tools that analyze the assets file to understand resolved versions of packages do not think it's installed. I don't have an opinion about whether or not it should be listed in the project section of the assets file.
  3. Therefore, dotnet list package --include-transitive --vulnerable should not report any vulnerabilities, since the vulnerable package was excluded. I don't have an opinion about whether dotnet list package should list it though. Maybe the output should list it, but say "excluded" or something like that under the version column?
  4. Similarly, the package should not be listed in the packages.lock.json file, since it's not used by the project. I realize this is a breaking change though. Maybe only exclude it from the lock file when the PackageReference does not have a version?
  5. NuGet's VS extensibility APIs that provide a GetInstalledPackages(Async) method should not return this package as being installed, since it is excluded.

I have no opinion about whether VS's PM UI or PMC should list the package as installed, or what happens if the customer tries to install/upgrade the package that has been excluded. Ideally PM UI should not list it as upgradable, but I don't want the scope of this issue to be so large that it never gets worked on.

Additional Context

No response
@zivkan zivkan added Type:DCR Design Change Request Functionality:Restore labels Feb 6, 2022
@nkolev92 nkolev92 added the Priority:2 Issues for the current backlog. label Feb 14, 2022
@nkolev92
Copy link
Member

Triage: Assigning @zivkan to start a conversation to explore the motivation better.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zivkan zivkan

Labels
Functionality:Restore Priority:2 Issues for the current backlog. Type:DCR Design Change Request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@nkolev92 @zivkan @heng-liu