[release/6.0] Reduce net core app current package dependencies, increase direct update availability #108797
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…an avoid these dependencies since we can count on the library being part of the shared framework. Fewer dependencies means less packages downloaded, less for customers to service, less copied into the output directory when serviced.��Backport of 6e440de
|
Tagging subscribers to this area: @dotnet/area-infrastructure-libraries |
ericstj
force-pushed
the
6.0-package-reduction
branch
from
db0e28f
to
861aa32
Compare
ericstj
changed the title
carlossanlop
approved these changes
Oct 11, 2024
src/libraries/Microsoft.Extensions.Http/src/Microsoft.Extensions.Http.csproj
Outdated
Show resolved
Hide resolved
...nsions.FileProviders.Abstractions/src/Microsoft.Extensions.FileProviders.Abstractions.csproj
Outdated
Show resolved
Hide resolved
src/libraries/Microsoft.Extensions.Primitives/src/Microsoft.Extensions.Primitives.csproj
Show resolved
Hide resolved
Co-authored-by: Carlos Sánchez López <[email protected]>
|
Lots of System.IO.Tests failures here which appear to be #100558 but it's not being linked. |
|
How's this looking @ericstj? Friendly reminder that today 10/14 is Code Complete for the November Release. |
ericstj
added
Servicing-approved
|
Approved over email. |
|
This needs to resolve conflicts with #108675 |
… into 6.0-package-reduction
…ntime into 6.0-package-reduction
|
@carlossanlop - Ok, this had some churn with resolving conflicts, but it should be ready to go. The tests failing earlier were all known issues but BA gave up with too many wasm failures. |
carlossanlop
approved these changes
Oct 14, 2024
|
Both all configurations legs which build packages have completed. Going to merge this to get the 6.0 servicing release moving |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Customer Impact
Customers using packages like
Microsoft.Extensions.Logging.Console,System.Memory.Data,Microsoft.Extensions.Hosting, etc and targetingnet6.0need to update package references for packages likeSystem.Text.Json,System.Text.Encodings.Web,System.Collections.Immutable, etc even though those libraries are provided by the shared framework.We can reduce the number of places where folks need to update packages by omitting packages when the same library is provided by the framework.
Additionally we've shipped many packages over the course of
net6.0but haven't shipped every package that depends on them - causing customers to update more transitive dependencies to get updates. We have seen slower up-take for security fixes when transitive updates are required - the goal here is to ensure more direct updates are available.Regression
Testing
Build packages. Add validation to make sure all up-stack packages ship as well. Examined package diffs.
Risk
Low. This is removing package references for a few packages and enabling more packages. The biggest risk here is that we'll be enabling a lot of packages that need to flow in servicing - a total of 55 - but the goal here is that this set of packages will help customers better get clean of CVEs.
Background
This drops package dependencies from all packages which can reference the framework copy of the same library (without downgrading the library exposed to a compatible TFM like netstandard2.0).
I also added a feature to our build that enforces transitive servicing. You can specify
ServiceTransitiveDependenciesto make sure that you enable all up-stack packages for shipping when enabling a single package.I enabled all packages I changed, then all upstack packages (separate commits).
This should improve the situation where folks are asked to update just to update a package reference on the latest framework.
It will also help reduce application size since the libraries will no longer be bundled in the app.
PR detail
This is a backport of #107161.
I also reviewed all packages that ever shipped in 6.0 with a CVE to ensure that we've shipped at least one package version that references that - to ensure folks have availability of a direct update for the CVE.
The only "code changes" in this PR are to remove dependencies when the same dependency is in the shared framework. You can see the result of that diff here: ericstj/diffs@499919a
The remaining changes are infrastructure or enabling packages.