[build] Update more NuGet package versions #884


Merged
merged 1 commit into from
Sep 24, 2021

Conversation

jonpryor
Contributor

@jonpryor jonpryor commented Sep 22, 2021

Context: https://dev.azure.com/devdiv/DevDiv/_componentGovernance/112013/alert/2979569?typeId=6338203

Component Governance is a Microsoft internal tool which checks
for known security issues in product dependencies. It is currently
reporting a defect in Xamarin.Android because Java.Interop restores
the System.Net.Http v4.1.0 NuGet package, which contains security
vulnerability CVE-2018-8292:

/s/xamarin-android/external/Java.Interop/packages/system.net.http/4.1.0/system.net.http.4.1.0.nupkg
/s/xamarin-android/external/Java.Interop/packages/system.net.http/4.1.0/system.net.http.nuspec

System.Net.Http v4.1.0 isn't actually used by Java.Interop or
Xamarin.Android, it's just an implicit NuGet dependency of one of the
various NuGet packages which Java.Interop relies on.

The report is "noise".

That said, we should still remove "noise" when possible.

Update most NuGet package versions within Java.Interop to the latest
versions provided by dotnet-public or dotnet-eng (which may not
be the latest versions on NuGet.org).

Exceptions:

  • Microsoft.Xml.SgmlReader is not bumped, as the latest version
    introduced an ABI break.

  • Microsoft.CodeAnalysis.FxCopAnalyzers v3.3.2 deprecated the
    entire package, introducing additional warnings that I didn't
    want to deal with right now.

  • protobuf-net is still not updated, as the latest version causes
    unit test failures; see also PR Bump protobuf-net #878.

In order to better "centralize" NuGet package version information,
instead of having multiple %(PackageReference.Version) values
strewn throughout the codebase, instead have .csproj files contain
@(PackageReference)s that don't contain
%(PackageReference.Version), and instead use %(Update) within
Directory.Build.targets to provide the actual package version:

<!-- .csproj -->
<PackageReference Include="Example" />

<!-- Directory.Build.targets -->
<PackageReference Update="Example" Version="1.0.0" />

This pattern requires that there be no "intervening"
Directory.Build.targets between the .csproj and the root directory;
see also the MSBuild Customize your build documentation.

Rename the existing Directory.Build.targets files to instead use
explicit <Import/>s against a newly added .targets file;
conceptually reverts part of d70e40f and later commits which use
Directory.Build.targets.
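
The layout rule described above (versions only in the root `Directory.Build.targets`, applied with `%(Update)`, and no intervening `Directory.Build.targets` between the `.csproj` and the root) is easy to drift away from as projects are added. The following is an added example, not Java.Interop's own tooling: a small checker that parses `.csproj` and `Directory.Build.targets` files and reports a `PackageReference` that still carries its own `Version`, one with no matching `Update` entry at the root, or an intervening `Directory.Build.targets` that would shadow the root file. The project layout, file contents and package names (`Example`, `Stray`, `Unpinned`) are constructed for the demonstration.

```python
# Added example (not Java.Interop's own tooling): check that a repository
# follows the "versions only in the root Directory.Build.targets" pattern.
# The project layout and package names below are constructed.
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed .csproj: one correctly centralized reference, one that still
# carries its own Version, and one with no Update entry at the root.
CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Example" />
    <PackageReference Include="Stray" Version="1.2.3" />
    <PackageReference Include="Unpinned" />
  </ItemGroup>
</Project>
"""

# Constructed clean .csproj living directly under the repo root.
CLEAN_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Example" />
  </ItemGroup>
</Project>
"""

# Constructed root Directory.Build.targets pinning versions via %(Update).
ROOT_TARGETS = """<Project>
  <ItemGroup>
    <PackageReference Update="Example" Version="1.0.0" />
  </ItemGroup>
</Project>
"""

# Constructed intervening Directory.Build.targets: MSBuild imports only the
# nearest one, so this shadows the root file unless it imports it explicitly.
SHADOW_TARGETS = "<Project />\n"


def local(tag):
    """Strip an XML namespace; older .csproj files use the MSBuild namespace."""
    return tag.rsplit("}", 1)[-1]


def package_refs(path):
    """Yield every <PackageReference> element in an MSBuild file."""
    for e in ET.parse(path).getroot().iter():
        if local(e.tag) == "PackageReference":
            yield e


def load_updates(targets_path):
    """Map package id -> Version for <PackageReference Update="..." /> items."""
    return {e.get("Update"): e.get("Version")
            for e in package_refs(targets_path) if e.get("Update")}


def check_project(csproj_path, repo_root):
    """Return a list of problems for one project file (empty list = clean)."""
    problems = []
    top = os.path.abspath(repo_root)
    pinned = load_updates(os.path.join(top, "Directory.Build.targets"))

    # Walk from the project directory up to, but excluding, the repo root.
    d = os.path.dirname(os.path.abspath(csproj_path))
    while d != top:
        if os.path.exists(os.path.join(d, "Directory.Build.targets")):
            problems.append("intervening Directory.Build.targets in %s" % d)
        parent = os.path.dirname(d)
        if parent == d:  # hit the filesystem root: project is outside repo_root
            problems.append("%s is not under %s" % (csproj_path, top))
            break
        d = parent

    for e in package_refs(csproj_path):
        pkg = e.get("Include")
        if not pkg:
            continue  # Update/Remove items are not direct references
        # A version may be given as an attribute or as a <Version> child element.
        has_version = e.get("Version") is not None or any(local(c.tag) == "Version" for c in e)
        if has_version:
            problems.append("%s: Version set in .csproj, move it to Directory.Build.targets" % pkg)
        elif pkg not in pinned:
            problems.append("%s: no Update entry in root Directory.Build.targets" % pkg)
    return problems


def build_sample_repo():
    """Write the constructed layout to a temp dir; return (root, bad_csproj, clean_csproj)."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "src", "lib")
    os.makedirs(lib)
    files = {
        os.path.join(root, "Directory.Build.targets"): ROOT_TARGETS,
        os.path.join(root, "src", "Directory.Build.targets"): SHADOW_TARGETS,
        os.path.join(lib, "lib.csproj"): CSPROJ,
        os.path.join(root, "clean.csproj"): CLEAN_CSPROJ,
    }
    for path, content in files.items():
        with open(path, "w") as f:
            f.write(content)
    return root, os.path.join(lib, "lib.csproj"), os.path.join(root, "clean.csproj")


if __name__ == "__main__":
    root, bad, clean = build_sample_repo()
    for p in check_project(bad, root):
        print(p)
    print("clean project problems:", check_project(clean, root))
```

Run against a real tree, `check_project` would be called once per `.csproj` found under the repository root; the walk up the directory tree is what enforces the "no intervening `Directory.Build.targets`" requirement from the MSBuild documentation the description links to.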

@jonpryor jonpryor force-pushed the jonp-update-nuget-versions-20210921 branch from 3f3568b to 86a2b70 Compare September 22, 2021 03:16
@jonpryor jonpryor changed the title Flushity flush. [build] Update more NuGet package versions Sep 22, 2021
@jonpryor jonpryor force-pushed the jonp-update-nuget-versions-20210921 branch from 86a2b70 to fa63f35 Compare September 22, 2021 14:00
@jonpryor jonpryor marked this pull request as ready for review September 22, 2021 14:00
@jonpryor jonpryor requested a review from jpobst September 22, 2021 14:00
@jonpryor jonpryor force-pushed the jonp-update-nuget-versions-20210921 branch from fa63f35 to 77d598d Compare September 22, 2021 17:54
jonpryor added a commit to jonpryor/xamarin-android that referenced this pull request Sep 22, 2021
Context: dotnet/java-interop#884

Does It Build™?

Changes: jonpryor/java.interop@8f7ddcd...77d598d

  * jonpryor/java.interop@77d598d6: [build] Update more NuGet package versions
  * jonpryor/java.interop@b37a6478: [build] Bump various NuGets to match related repositories (dotnet#877)
  * jonpryor/java.interop@1e8f5137: [generator] Remove androidx.annotation from Annotation names (dotnet#882)
@jpobst
Contributor

jpobst commented Sep 22, 2021

The actual updates get kinda lost in the noise of moving things around. Updated NuGets:

  • HtmlAgilityPack: 1.11.24 -> 1.11.30
  • Microsoft.Build.Framework: 16.5.0 -> 16.11.0
  • Microsoft.Build.Utilities.Core: 16.5.0 -> 16.11.0
  • Microsoft.CodeAnalysis.CSharp: 16.5.0 -> 16.11.0
  • Microsoft.NET.Test.Sdk: 16.2.0 -> 16.11.0
  • Microsoft.NETFramework.ReferenceAssemblies: 1.0.0 -> 1.0.0
  • Mono.Options: 6.6.0.161 -> 6.12.0.148
  • nunit: 3.12.0 -> 3.13.2
  • NUnit.ConsoleRunner: 3.11.1 -> 3.12.0
  • NUnit3TestAdapter: 3.16.1 -> 4.0.0

jonpryor added a commit to jonpryor/xamarin-android that referenced this pull request Sep 23, 2021
Context: dotnet/java-interop#884

Does It Build™?

Changes: jonpryor/java.interop@8f7ddcd...27a4bf1

  * jonpryor/java.interop@77d598d6: [build] Update more NuGet package versions
  * jonpryor/java.interop@b37a6478: [build] Bump various NuGets to match related repositories (dotnet#877)
  * jonpryor/java.interop@1e8f5137: [generator] Remove androidx.annotation from Annotation names (dotnet#882)
@jonpryor jonpryor force-pushed the jonp-update-nuget-versions-20210921 branch from 27a4bf1 to 7ec3325 Compare September 23, 2021 22:26
@jonpryor jonpryor force-pushed the jonp-update-nuget-versions-20210921 branch from 7ec3325 to 659ac71 Compare September 23, 2021 22:28
jonpryor added a commit to jonpryor/xamarin-android that referenced this pull request Sep 23, 2021
Context: dotnet/java-interop#884

Does It Build™?

Changes: jonpryor/java.interop@8f7ddcd...659ac71

  * jonpryor/java.interop@659ac71c: [build] Update more NuGet package versions
  * jonpryor/java.interop@3f12cd25: Revert "[generator] Remove androidx.annotation from Annotation names (dotnet#882)"
  * jonpryor/java.interop@b37a6478: [build] Bump various NuGets to match related repositories (dotnet#877)
  * jonpryor/java.interop@1e8f5137: [generator] Remove androidx.annotation from Annotation names (dotnet#882)
@jonpryor jonpryor merged commit c936d09 into dotnet:main Sep 24, 2021
jpobst pushed a commit that referenced this pull request Sep 30, 2021
Context: https://dev.azure.com/devdiv/DevDiv/_componentGovernance/112013/alert/2979569?typeId=6338203

[Component Governance][0] is a Microsoft internal tool which checks
for known security issues in product dependencies.  It is currently
reporting a defect in Xamarin.Android because Java.Interop restores
the `System.Net.Http` v4.1.0 NuGet package, which contains security
vulnerability [CVE-2018-8292][1]:

	/s/xamarin-android/external/Java.Interop/packages/system.net.http/4.1.0/system.net.http.4.1.0.nupkg
	/s/xamarin-android/external/Java.Interop/packages/system.net.http/4.1.0/system.net.http.nuspec

`System.Net.Http` v4.1.0 isn't actually *used* by Java.Interop or
Xamarin.Android, it's just an implicit NuGet dependency of one of the
various NuGet packages which Java.Interop relies on.

The report is "noise".

That said, we should still remove "noise" when possible.

Update most NuGet package versions within Java.Interop to the latest
versions provided by `dotnet-public` or `dotnet-eng` (which may not
be the latest versions on NuGet.org).

Exceptions:

  * `Microsoft.Xml.SgmlReader` is not bumped, as the latest version
    introduced an ABI break.

  * `Microsoft.CodeAnalysis.FxCopAnalyzers` v3.3.2 deprecated the
     entire package, introducing additional warnings that I didn't
     want to deal with right now.

  * `protobuf-net` is still not updated, as the latest version causes
     unit test failures; see also PR #878.

In order to better "centralize" NuGet package version information,
instead of having multiple `%(PackageReference.Version)` values
strewn throughout the codebase, instead have `.csproj` files contain
`@(PackageReference)`s that *don't* contain
`%(PackageReference.Version)`, and instead use [`%(Update)`][2] within
`Directory.Build.targets` to provide the actual package version:

	<!-- .csproj -->
	<PackageReference Include="Example" />

	<!-- Directory.Build.targets -->
	<PackageReference Update="Example" Version="1.0.0" />

This pattern requires that there be no "intervening"
`Directory.Build.targets` between the `.csproj` and the root directory;
see also the [MSBuild Customize your build][3] documentation.

Rename the existing `Directory.Build.targets` files to instead use
explicit `<Import/>`s against a newly added `.targets` file;
conceptually reverts part of d70e40f and later commits which use
`Directory.Build.targets`.

NuGet Package Version Bumps:

  - HtmlAgilityPack                             : `1.11.24`   -> `1.11.30`
  - Microsoft.Build.Framework                   : `16.5.0`    -> `16.11.0`
  - Microsoft.Build.Utilities.Core              : `16.5.0`    -> `16.11.0`
  - Microsoft.CodeAnalysis.CSharp               : `16.5.0`    -> `16.11.0`
  - Microsoft.NET.Test.Sdk                      : `16.2.0`    -> `16.11.0`
  - Microsoft.NETFramework.ReferenceAssemblies  : `1.0.0`     -> `1.0.0`
  - Mono.Options                                : `6.6.0.161` -> `6.12.0.148`
  - nunit                                       : `3.12.0`    -> `3.13.2`
  - NUnit.ConsoleRunner                         : `3.11.1`    -> `3.12.0`
  - NUnit3TestAdapter                           : `3.16.1`    -> `4.0.0`

[0]: https://docs.opensource.microsoft.com/tools/cg/
[1]: https://nvd.nist.gov/vuln/detail/CVE-2018-8292
[2]: https://docs.microsoft.com/en-us/visualstudio/msbuild/item-element-msbuild?view=vs-2019#attributes-and-elements
[3]: https://docs.microsoft.com/en-us/visualstudio/msbuild/customize-your-build?view=vs-2019#directorybuildprops-and-directorybuildtargets
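
The finding in the commit message above is the classic transitive case: the affected package appears in no `.csproj`, only in what restore put on disk under `packages/<id>/<version>/`. The following is an added example, not Component Governance or Java.Interop code: it walks a restore output folder in that layout, reads each `.nuspec`, and reports any package whose version is below the first fixed version in a small advisory table. The packages folder and the advisory table are constructed for the demonstration; the "fixed in" version for `System.Net.Http` is an assumption to be verified against the NVD entry linked above, not a value taken from this page.

```python
# Added example (not Component Governance or Java.Interop code): scan a
# NuGet restore folder for package versions in a known-affected range.
# It reads what restore actually put on disk, so it catches transitive
# packages that appear in no .csproj.  The packages folder is constructed;
# the "fixed in" version below is an assumption, not taken from the page.
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed advisory table: package id -> [(advisory, first fixed version)].
ADVISORIES = {
    "System.Net.Http": [("CVE-2018-8292", "4.3.4")],  # fixed version assumed; verify
}

# Constructed .nuspec template in the real nuspec namespace.
NUSPEC = """<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>{id}</id>
    <version>{version}</version>
  </metadata>
</package>
"""


def parse_version(v):
    """Numeric tuple for a NuGet version.  Prerelease/build suffixes are ignored
    and short versions are zero-padded so "4.1" compares equal to "4.1.0.0"."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (4 - len(parts))


def read_nuspec(path):
    """Return (id, version) from a .nuspec, ignoring the XML namespace."""
    meta = {}
    for e in ET.parse(path).getroot().iter():
        name = e.tag.rsplit("}", 1)[-1]
        if name in ("id", "version"):
            meta[name] = (e.text or "").strip()
    return meta["id"], meta["version"]


def scan_packages(folder):
    """List (id, version, advisory) for every restored package below the fix."""
    # NuGet ids are case-insensitive: folder names are lowercased, nuspec ids are not.
    lookup = {k.lower(): v for k, v in ADVISORIES.items()}
    findings = []
    for dirpath, _, files in sorted(os.walk(folder)):
        for f in sorted(files):
            if not f.endswith(".nuspec"):
                continue
            pkg_id, version = read_nuspec(os.path.join(dirpath, f))
            for advisory, fixed in lookup.get(pkg_id.lower(), []):
                if parse_version(version) < parse_version(fixed):
                    findings.append((pkg_id, version, advisory))
    return findings


def build_sample_packages():
    """Write a constructed restore folder in the packages/<id>/<version>/ layout."""
    root = tempfile.mkdtemp()
    for pkg_id, version in [("System.Net.Http", "4.1.0"),
                            ("System.Net.Http", "4.3.4"),
                            ("HtmlAgilityPack", "1.11.30")]:
        d = os.path.join(root, pkg_id.lower(), version)
        os.makedirs(d)
        with open(os.path.join(d, pkg_id.lower() + ".nuspec"), "w") as f:
            f.write(NUSPEC.format(id=pkg_id, version=version))
    return root


if __name__ == "__main__":
    for pkg_id, version, advisory in scan_packages(build_sample_packages()):
        print("%s %s is affected by %s" % (pkg_id, version, advisory))
```

Scanning the restore output rather than the project files is the point: the noise described in the commit message is real in the sense that the bytes are on disk, and a tool that only reads `PackageReference` items would never see them. Prerelease ordering is deliberately not modelled here; a production checker should use NuGet's own version comparison.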
@github-actions github-actions bot locked and limited conversation to collaborators Apr 13, 2024