Skip to content

[Release/8.0-staging] Reduce net core app current package dependencies #107161

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Sep 5, 2024
Merged

[Release/8.0-staging] Reduce net core app current package dependencies #107161

merged 5 commits into from
Sep 5, 2024

Conversation

ericstj
Copy link
Member

@ericstj ericstj commented Aug 29, 2024
edited
Loading

Customer Impact

  • Customer reported
  • Found internally

Customers using packages like Microsoft.Extensions.Logging.Console, System.Memory.Data, Microsoft.Extensions.Hosting, etc and targeting net8.0 need to update package references for packages like System.Text.Json, System.Text.Encodings.Web, System.Collections.Immutable, etc even though those libraries are provided by the shared framework.

We can reduce the number of places where folks need to update packages by omitting packages when the same library is provided by the framework. In particular this will fix Aspire templates so that they'll not need to add packages in servicing to avoid vulnerability warnings from NuGet audit.

Regression

  • Yes
  • No

Testing

Build packages. Add validation to make sure all up-stack packages ship as well. Tested these updates with Aspire template to confirm that NuGet audit warnings go away - 2 framework packages were dropped (JSON and STEW).

Risk

Low. This is removing package references for a few packages and enabling more packages. The biggest risk here is that we'll be enabling a lot of packages that need to flow in servicing.

Background

This drops package dependencies from all packages which can reference the framework copy of the same library (without downgrading the library exposed to a compatible TFM like netstandard2.0).

I also added a feature to our build that enforces transitive servicing. You can specify ServiceTransitiveDependencies to make sure that you enable all up-stack packages for shipping when enabling a single package.

I enabled all packages I changed, then all upstack packages (separate commits).

This should improve the situation where folks are asked to update just to update a package reference on the latest framework.

It will also help reduce application size since the libraries will no longer be bundled in the app.

ericstj added 4 commits August 29, 2024 13:48
@ericstj
Avoid package dependencies on libraries in the shared framework (dotn…
ec7f311 
…et#106172)

* Avoid package dependencies on libraries in the shared framework

We can avoid these dependencies since we can count on the library being
part of the shared framework.  Fewer dependencies means less packages
downloaded, less for customers to service, less copied into the output
directory when serviced.

* Add warning code.

* Address feedback
@ericstj
Add an option to enable servicing for transitive dependencies
c2c72e9
@ericstj
Enable all packages that removed dependencies
aa79d9a
@ericstj
Add additional packages required for up-stack servicing
dc94a21
@dotnet-policy-service Dotnet Policy Service
Copy link
Contributor

Tagging subscribers to this area: @dotnet/area-infrastructure-libraries
See info in area-owners.md if you want to be subscribed.

@ericstj
Copy link
Member Author

ericstj commented Aug 29, 2024

This is a backport of the fix for #105120

eerhardt
eerhardt reviewed Aug 29, 2024
View reviewed changes
@ericstj ericstj changed the title Reduce net core app current package dependencies [Release/8.0-staging] Reduce net core app current package dependencies Sep 3, 2024
@ericstj ericstj force-pushed the reduceNetCoreAppCurrentPackageDependencies branch from b71a69b to 93d0af7 Compare September 3, 2024 16:44
@ericstj ericstj added the Servicing-consider Issue for next servicing release review label Sep 3, 2024
@rbhanda rbhanda added this to the 8.0.10 milestone Sep 3, 2024
@rbhanda rbhanda added Servicing-approved Approved for servicing release and removed Servicing-consider Issue for next servicing release review labels Sep 3, 2024
carlossanlop
carlossanlop approved these changes Sep 4, 2024
View reviewed changes
Copy link
Contributor

@carlossanlop carlossanlop left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM after your explanation in our call.

@carlossanlop carlossanlop mentioned this pull request Sep 5, 2024
Open
@carlossanlop
Copy link
Contributor

/ba-g The unknown failure seems unrelated to this PR. I opened #107413 to track it.

@carlossanlop
Copy link
Contributor

@ericstj do you want to do the honors and smash the squash and merge button?

@ericstj ericstj merged commit 8072b23 into dotnet:release/8.0-staging Sep 5, 2024
176 of 180 checks passed
@ericstj ericstj mentioned this pull request Sep 12, 2024
Closed
@github-actions github-actions bot locked and limited conversation to collaborators Oct 6, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@steveharter steveharter steveharter left review comments

@eerhardt eerhardt eerhardt left review comments

@carlossanlop carlossanlop carlossanlop approved these changes

@directhex directhex Awaiting requested review from directhex

@ViktorHofer ViktorHofer Awaiting requested review from ViktorHofer

Assignees

@ericstj ericstj

Labels
area-Infrastructure-libraries Servicing-approved Approved for servicing release
Projects
None yet
Milestone
8.0.10
Development

Successfully merging this pull request may close these issues.
5 participants
@ericstj @carlossanlop @steveharter @eerhardt @rbhanda