-
Notifications
You must be signed in to change notification settings - Fork 253
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support "Supplied by Platform" scenario in restore #7344
Comments
We can possibly represent this more generally than "supplied by platform". It is almost like a PackageReference with ExcludeAssets="All", but since we won't be taking any assets, then we shouldn't need to pick a version. |
@nguerrera I think we would want to supply a version for these packages. IE, .NET Core 3.0 might include System.Collections.Immutable 1.6.0, so we could specify that package as "Supplied by platform", but we wouldn't want to exclude a later version (ie 1.7.0) from the graph if it was encountered. |
See the uptick in discussion on dotnet/sdk#3044 and https://github.com/dotnet/core-setup/issues/6222 As we concluded in our last meeting, there's no viable workaround left for SDK on this. We deferred it based on data that suggested it would not be common. The fact that there have been more reports suggests this should be revisited. |
Bump? |
@rrelyea @dsplaisted More customer pressure on dotnet/sdk#3044. I suspect we'll see even more as 3.0 rolls out. Can we now move past the "do we need to do this?" and start talking about getting this work on the schedule and designing the feature? |
Bump. Just hit this again and would really like to see progress here. /cc @rrelyea |
Related to #8087 cc @JonDouglas |
While this is quite an old issue, I think it's more important now because of the change done in security checks to consider vulnerabilities from transitive packages, which causes false positives like #13622. @nkolev92 Should we expect this to be fixed before .NET 9 becomes stable? Otherwise, how should we deal with false positives? |
Supplied by platform will not make the 9.0.100 SDK, but it is among our highest priorities, so it is getting actively worked on currently. As per our recent blog post: https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/ there are a few options, such as:
|
With .NET Core 3.0, we will be using targeting packs to deliver reference assemblies for the framework. These targeting packs will not be represented as NuGet packages in the package graph in the way that Microsoft.NETCore.App, Microsoft.AspNetCore.App, and NETStandard.Library currently are.
When a .NET Core 3 project depends on a package that has a dependency on one of these older "platform" packages, we want that platform package and its dependencies to be ignored in the NuGet graph, as those APIs are supplied by the platform via other mechanisms (targeting packs at build time and runtime packs for self-contained deployments).
We've thought of two possible ways to exclude the platform packages and dependencies from the graph. This issue is for one of them. The other one is #7343
To exclude these packages, we could pass an additional list of packages to the restore operation that should be ignored in the graph walk. We might call these "Supplied by Platform" packages. When walking the graph, if the restore operation encountered a dependency on any of these package (with a version less than or equal to the version marked as supplied by the platform), then it would ignore that dependency (and would not walk its dependencies further).
WIP spec:
The text was updated successfully, but these errors were encountered: