Bump protobuf-net #878

Closed

drasticactions

Testing bumping dependencies.

jonpryor added a commit to jonpryor/java.interop that referenced this pull request Sep 22, 2021
Context: https://dev.azure.com/devdiv/DevDiv/_componentGovernance/112013/alert/2979569?typeId=6338203

[Component Governance][0] is a Microsoft internal tool which checks
for known security issues in product dependencies.  It is currently
reporting a defect in Xamarin.Android because Java.Interop restores
the `System.Net.Http` v4.1.0 NuGet package, which contains security
vulnerability [CVE-2018-8292][1]:

	/s/xamarin-android/external/Java.Interop/packages/system.net.http/4.1.0/system.net.http.4.1.0.nupkg
	/s/xamarin-android/external/Java.Interop/packages/system.net.http/4.1.0/system.net.http.nuspec

`System.Net.Http` v4.1.0 isn't actually *used* by Java.Interop or
Xamarin.Android, it's just an implicit NuGet dependency of one of the
various NuGet packages which Java.Interop relies on.

The report is "noise".

That said, we should still avoid "noise" when possible.

Update most NuGet package versions within Java.Interop to the latest
versions provided by `dotnet-public` or `dotnet-eng` (which may not
be the latest versions on NuGet.org).

Exceptions:

  * `Microsoft.Xml.SgmlReader` is not bumped, as the latest version
    introduced an ABI break.

  * `Microsoft.CodeAnalysis.FxCopAnalyzers` v3.3.2 deprecated the
     entire package, introducing additional warnings that I didn't
     want to deal with right now.

  * `protobuf-net` is still not updated, as the latest version causes
     unit test failures; see also PR dotnet#878.

I've also moved most of the actual NuGet package version information
into a set of MSBuild properties with a `NuGetPackageVersion` suffix,
so that it will be easier to bump NuGet package versions in the future.

[0]: https://docs.opensource.microsoft.com/tools/cg/
[1]: https://nvd.nist.gov/vuln/detail/CVE-2018-8292
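
The commit message above says `System.Net.Http` v4.1.0 arrives only as an implicit dependency of another package. The following is an added example, not code from the pull request or from Java.Interop: it walks a restore graph shaped like NuGet's `obj/project.assets.json` and reports which direct reference pulls in a flagged package version. The `Example.*` packages and the sample graph are constructed for illustration.

```python
import json
from collections import deque

# Constructed sample shaped like NuGet's obj/project.assets.json. The Example.*
# packages are hypothetical; only System.Net.Http 4.1.0 comes from the page.
ASSETS = json.loads("""
{
  "targets": {
    ".NETStandard,Version=v2.0": {
      "Example.Library/1.2.0": {"dependencies": {"Example.Transport": "2.0.0"}},
      "Example.Transport/2.0.0": {"dependencies": {"System.Net.Http": "4.1.0"}},
      "Example.Cli/3.0.0": {},
      "System.Net.Http/4.1.0": {}
    }
  },
  "projectFileDependencyGroups": {
    ".NETStandard,Version=v2.0": ["Example.Library >= 1.2.0", "Example.Cli >= 3.0.0"]
  }
}
""")

def chains_to(assets, name, version):
    """Map each target framework to the shortest chain from every direct
    reference that ends at the resolved package name/version."""
    wanted = f"{name}/{version}".lower()
    result = {}
    for tfm, libs in assets.get("targets", {}).items():
        # package id (lowercase) -> (resolved "Id/Version" key, dependency ids)
        graph = {key.split("/")[0].lower():
                 (key, [d.lower() for d in lib.get("dependencies", {})])
                 for key, lib in libs.items()}
        direct = [d.split()[0].lower()
                  for d in assets.get("projectFileDependencyGroups", {}).get(tfm, [])]
        chains = []
        for root in (d for d in direct if d in graph):
            seen, queue = {root}, deque([[root]])
            while queue:  # breadth-first, so the first hit is a shortest chain
                chain = queue.popleft()
                key, deps = graph[chain[-1]]
                if key.lower() == wanted:
                    chains.append([graph[p][0] for p in chain])
                    break
                for dep in deps:
                    if dep in graph and dep not in seen:
                        seen.add(dep)
                        queue.append(chain + [dep])
        if chains:
            result[tfm] = chains
    return result

if __name__ == "__main__":
    for tfm, chains in chains_to(ASSETS, "System.Net.Http", "4.1.0").items():
        for chain in chains:
            print(tfm, ":", " -> ".join(chain))
```

A chain of length one means the flagged package is referenced directly; longer chains name the direct reference whose version bump would change what gets restored.
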
jonpryor added a commit to jonpryor/java.interop that referenced this pull request Sep 22, 2021
Context: https://dev.azure.com/devdiv/DevDiv/_componentGovernance/112013/alert/2979569?typeId=6338203

[Component Governance][0] is a Microsoft internal tool which checks
for known security issues in product dependencies.  It is currently
reporting a defect in Xamarin.Android because Java.Interop restores
the `System.Net.Http` v4.1.0 NuGet package, which contains security
vulnerability [CVE-2018-8292][1]:

	/s/xamarin-android/external/Java.Interop/packages/system.net.http/4.1.0/system.net.http.4.1.0.nupkg
	/s/xamarin-android/external/Java.Interop/packages/system.net.http/4.1.0/system.net.http.nuspec

`System.Net.Http` v4.1.0 isn't actually *used* by Java.Interop or
Xamarin.Android, it's just an implicit NuGet dependency of one of the
various NuGet packages which Java.Interop relies on.

The report is "noise".

That said, we should still remove "noise" when possible.

Update most NuGet package versions within Java.Interop to the latest
versions provided by `dotnet-public` or `dotnet-eng` (which may not
be the latest versions on NuGet.org).

Exceptions:

  * `Microsoft.Xml.SgmlReader` is not bumped, as the latest version
    introduced an ABI break.

  * `Microsoft.CodeAnalysis.FxCopAnalyzers` v3.3.2 deprecated the
     entire package, introducing additional warnings that I didn't
     want to deal with right now.

  * `protobuf-net` is still not updated, as the latest version causes
     unit test failures; see also PR dotnet#878.

In order to better "centralize" NuGet package version information,
instead of having multiple `%(PackageReference.Version)` values
strewn throughout the codebase, instead have `.csproj` files contain
`@(PackageReference)`s that *don't* contain
`%(PackageReference.Version)`, and instead use [`%(Update)`][2] within
`Directory.Build.targets` to provide the actual package version:

	<!-- .csproj -->
	<PackageReference Include="Example" />

	<!-- Directory.Build.targets -->
	<PackageReference Update="Example" Version="1.0.0" />

This pattern requires that there be no "intervening"
`Directory.Build.targets` between the `.csproj` and the root directory;
see also the [MSBuild Customize your build][3] documentation.

Rename the existing `Directory.Build.targets` files to instead use
explicit `<Import/>`s against a newly added `.targets` file;
conceptually reverts part of d70e40f and later commits which use
`Directory.Build.targets`.

[0]: https://docs.opensource.microsoft.com/tools/cg/
[1]: https://nvd.nist.gov/vuln/detail/CVE-2018-8292
[2]: https://docs.microsoft.com/en-us/visualstudio/msbuild/item-element-msbuild?view=vs-2019#attributes-and-elements
[3]: https://docs.microsoft.com/en-us/visualstudio/msbuild/customize-your-build?view=vs-2019#directorybuildprops-and-directorybuildtargets
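
The centralized-version pattern in the commit message above fails quietly when a project keeps an inline `Version` or when an "intervening" `Directory.Build.targets` hides the root file. The following is an added example, not code from the pull request or from Java.Interop: a small audit over a source tree that reports both cases, plus references with no central version. The directory layout and the `Other` package are constructed for illustration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

def project_xml(items):
    return f"<Project><ItemGroup>{items}</ItemGroup></Project>"

# Constructed tree (all names hypothetical): relative path -> MSBuild XML.
SAMPLE = {
    "Directory.Build.targets": project_xml('<PackageReference Update="Example" Version="1.0.0" />'),
    "src/App/App.csproj": project_xml('<PackageReference Include="Example" />'
                                      '<PackageReference Include="Other" />'),
    "tests/Directory.Build.targets": "<Project />",  # an "intervening" file
    "tests/App.Tests/App.Tests.csproj": project_xml('<PackageReference Include="Example" />'),
    "tools/Tool/Tool.csproj": project_xml('<PackageReference Include="Example" Version="0.9.0" />'),
}

def package_refs(path):
    """Yield (attributes, has_version) for every PackageReference item in a file."""
    for el in ET.parse(path).iter():
        if el.tag.split("}")[-1] == "PackageReference":  # ignore any XML namespace
            child = any(c.tag.split("}")[-1] == "Version" for c in el)
            yield el.attrib, "Version" in el.attrib or child

def audit(root):
    """Return sorted (project, package, issue) findings for the tree under root."""
    root = Path(root).resolve()
    central = root / "Directory.Build.targets"
    pinned = {a["Update"].lower() for a, ver in package_refs(central) if "Update" in a and ver}
    findings = []
    for csproj in root.rglob("*.csproj"):
        # MSBuild imports only the first Directory.Build.targets found walking upward.
        nearest = next(d / "Directory.Build.targets" for d in csproj.parents
                       if (d / "Directory.Build.targets").is_file())
        for attrs, has_version in package_refs(csproj):
            if "Include" not in attrs:
                continue
            issue = ("inline-version" if has_version else
                     "shadowed-targets" if nearest != central else
                     "unpinned" if attrs["Include"].lower() not in pinned else None)
            if issue:
                findings.append((csproj.relative_to(root).as_posix(), attrs["Include"], issue))
    return sorted(findings)

def audit_sample():
    """Write SAMPLE into a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in SAMPLE.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text, encoding="utf-8")
        return audit(tmp)
```

An intervening file that explicitly imports the root file is still reported as `shadowed-targets`; treat that finding as a prompt to confirm the import exists.
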
jonpryor added a commit to jonpryor/java.interop that referenced this pull request Sep 23, 2021
jonpryor added a commit that referenced this pull request Sep 24, 2021
Context: https://dev.azure.com/devdiv/DevDiv/_componentGovernance/112013/alert/2979569?typeId=6338203

[Component Governance][0] is a Microsoft internal tool which checks
for known security issues in product dependencies.  It is currently
reporting a defect in Xamarin.Android because Java.Interop restores
the `System.Net.Http` v4.1.0 NuGet package, which contains security
vulnerability [CVE-2018-8292][1]:

	/s/xamarin-android/external/Java.Interop/packages/system.net.http/4.1.0/system.net.http.4.1.0.nupkg
	/s/xamarin-android/external/Java.Interop/packages/system.net.http/4.1.0/system.net.http.nuspec

`System.Net.Http` v4.1.0 isn't actually *used* by Java.Interop or
Xamarin.Android, it's just an implicit NuGet dependency of one of the
various NuGet packages which Java.Interop relies on.

The report is "noise".

That said, we should still remove "noise" when possible.

Update most NuGet package versions within Java.Interop to the latest
versions provided by `dotnet-public` or `dotnet-eng` (which may not
be the latest versions on NuGet.org).

Exceptions:

  * `Microsoft.Xml.SgmlReader` is not bumped, as the latest version
    introduced an ABI break.

  * `Microsoft.CodeAnalysis.FxCopAnalyzers` v3.3.2 deprecated the
     entire package, introducing additional warnings that I didn't
     want to deal with right now.

  * `protobuf-net` is still not updated, as the latest version causes
     unit test failures; see also PR #878.

In order to better "centralize" NuGet package version information,
instead of having multiple `%(PackageReference.Version)` values
strewn throughout the codebase, instead have `.csproj` files contain
`@(PackageReference)`s that *don't* contain
`%(PackageReference.Version)`, and instead use [`%(Update)`][2] within
`Directory.Build.targets` to provide the actual package version:

	<!-- .csproj -->
	<PackageReference Include="Example" />

	<!-- Directory.Build.targets -->
	<PackageReference Update="Example" Version="1.0.0" />

This pattern requires that there be no "intervening"
`Directory.Build.targets` between the `.csproj` and the root directory;
see also the [MSBuild Customize your build][3] documentation.

Rename the existing `Directory.Build.targets` files to instead use
explicit `<Import/>`s against a newly added `.targets` file;
conceptually reverts part of d70e40f and later commits which use
`Directory.Build.targets`.

NuGet Package Version Bumps:

  - HtmlAgilityPack                             : `1.11.24`   -> `1.11.30`
  - Microsoft.Build.Framework                   : `16.5.0`    -> `16.11.0`
  - Microsoft.Build.Utilities.Core              : `16.5.0`    -> `16.11.0`
  - Microsoft.CodeAnalysis.CSharp               : `16.5.0`    -> `16.11.0`
  - Microsoft.NET.Test.Sdk                      : `16.2.0`    -> `16.11.0`
  - Microsoft.NETFramework.ReferenceAssemblies  : `1.0.0`     -> `1.0.0`
  - Mono.Options                                : `6.6.0.161` -> `6.12.0.148`
  - nunit                                       : `3.12.0`    -> `3.13.2`
  - NUnit.ConsoleRunner                         : `3.11.1`    -> `3.12.0`
  - NUnit3TestAdapter                           : `3.16.1`    -> `4.0.0`

[0]: https://docs.opensource.microsoft.com/tools/cg/
[1]: https://nvd.nist.gov/vuln/detail/CVE-2018-8292
[2]: https://docs.microsoft.com/en-us/visualstudio/msbuild/item-element-msbuild?view=vs-2019#attributes-and-elements
[3]: https://docs.microsoft.com/en-us/visualstudio/msbuild/customize-your-build?view=vs-2019#directorybuildprops-and-directorybuildtargets
jpobst pushed a commit that referenced this pull request Sep 30, 2021

jpobst commented Dec 2, 2021

We never got this to work, and things still seem fine using the older version, so we'll stick with that for now I guess.

@jpobst jpobst closed this Dec 2, 2021
@jpobst jpobst deleted the dev/timill/test-bump-reference branch December 2, 2021 20:52
@github-actions github-actions bot locked and limited conversation to collaborators Apr 13, 2024