[Release/8.0-staging] Reduce net core app current package dependencies #107161
Merged
ericstj merged 5 commits into dotnet:release/8.0-staging from Sep 5, 2024
…et#106172)
* Avoid package dependencies on libraries in the shared framework
We can avoid these dependencies since we can count on the library being part of the shared framework. Fewer dependencies means fewer packages downloaded, less for customers to service, less copied into the output directory when serviced.
* Add warning code.
* Address feedback
Contributor
Tagging subscribers to this area: @dotnet/area-infrastructure-libraries
Member
Author
This is a backport of the fix for #105120
eerhardt
reviewed
Aug 29, 2024
steveharter
reviewed
Aug 30, 2024
b71a69b to 93d0af7
carlossanlop
approved these changes
Sep 4, 2024
Contributor
carlossanlop
left a comment
LGTM after your explanation in our call.
Contributor
/ba-g The unknown failure seems unrelated to this PR. I opened #107413 to track it.
Contributor
@ericstj do you want to do the honors and smash the squash and merge button?
Customer Impact
Customers using packages like Microsoft.Extensions.Logging.Console, System.Memory.Data, Microsoft.Extensions.Hosting, etc and targeting net8.0 need to update package references for packages like System.Text.Json, System.Text.Encodings.Web, System.Collections.Immutable, etc even though those libraries are provided by the shared framework.
We can reduce the number of places where folks need to update packages by omitting packages when the same library is provided by the framework. In particular this will fix Aspire templates so that they'll not need to add packages in servicing to avoid vulnerability warnings from NuGet audit.
Regression
Testing
Build packages. Add validation to make sure all up-stack packages ship as well. Tested these updates with Aspire template to confirm that NuGet audit warnings go away - 2 framework packages were dropped (JSON and STEW).
Risk
Low. This is removing package references for a few packages and enabling more packages. The biggest risk here is that we'll be enabling a lot of packages that need to flow in servicing.
Background
This drops package dependencies from all packages which can reference the framework copy of the same library (without downgrading the library exposed to a compatible TFM like netstandard2.0).
I also added a feature to our build that enforces transitive servicing. You can specify ServiceTransitiveDependencies to make sure that you enable all up-stack packages for shipping when enabling a single package.
I enabled all packages I changed, then all upstack packages (separate commits).
This should improve the situation where folks are asked to update just to update a package reference on the latest framework.
It will also help reduce application size since the libraries will no longer be bundled in the app.
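
A check in the spirit of the description above, added here as an example and not taken from the PR or the dotnet/runtime build: it scans a package's .nuspec dependency groups and reports references that a net8.0 consumer already gets from the shared framework. The nuspec, the package names Contoso.Sample and Contoso.Abstractions, the versions, and the three-entry library list (only the libraries this page names) are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: only the three libraries this page names as framework-provided.
FRAMEWORK_PROVIDED = {"System.Text.Json", "System.Text.Encodings.Web",
                      "System.Collections.Immutable"}

# Constructed sample nuspec for a hypothetical package "Contoso.Sample".
SAMPLE_NUSPEC = """<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>Contoso.Sample</id>
    <version>8.0.0</version>
    <dependencies>
      <group targetFramework="net8.0">
        <dependency id="System.Text.Json" version="8.0.0" />
        <dependency id="Contoso.Abstractions" version="8.0.0" />
      </group>
      <group targetFramework=".NETStandard2.0">
        <dependency id="System.Text.Json" version="8.0.0" />
        <dependency id="System.Collections.Immutable" version="8.0.0" />
      </group>
    </dependencies>
  </metadata>
</package>"""

def local(tag):
    """Strip the XML namespace, which differs between nuspec schema versions."""
    return tag.rsplit("}", 1)[-1]

def targets_shared_framework(tfm):
    """True for net8.0 and later, including platform TFMs such as net8.0-windows."""
    m = re.match(r"net(\d+)\.\d+", tfm or "", re.IGNORECASE)
    return bool(m) and int(m.group(1)) >= 8

def redundant_dependencies(nuspec_xml):
    """Return (tfm, id, version) for dependencies the framework already supplies."""
    findings = []
    for group in ET.fromstring(nuspec_xml).iter():
        tfm = group.get("targetFramework")
        # netstandard and .NET Framework groups still need the package reference
        if local(group.tag) != "group" or not targets_shared_framework(tfm):
            continue
        for dep in group:
            if local(dep.tag) == "dependency" and dep.get("id") in FRAMEWORK_PROVIDED:
                findings.append((tfm, dep.get("id"), dep.get("version")))
    return findings

if __name__ == "__main__":
    for tfm, dep_id, version in redundant_dependencies(SAMPLE_NUSPEC):
        print(f"{tfm}: {dep_id} {version} is provided by the shared framework")
```

Each finding is a package reference that a net8.0 consumer would otherwise have to bump in servicing to clear a NuGet audit warning, even though the library itself comes from the framework.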