Fix Microsoft.CodeAnalysis.Analyzer.Testing nuget package dependencies for downstream clients #1025
@@ -31,7 +31,7 @@ | |||
</When> | |||
<Otherwise> | |||
<PropertyGroup> | |||
<NuGetApiVersion>5.6.0</NuGetApiVersion> | |||
<NuGetApiVersion>6.3.0</NuGetApiVersion> |
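Review bot: The NuGetApiVersion change from 5.6.0 to 6.3.0 inside the <Otherwise> branch has no explanation in the file itself; the reason is only given in a PR comment. Add an XML comment above the property recording why 6.3.0 is required, and confirm whether the <When> branch that closes just above needs a matching value. The nuspec sample in the PR description still lists NuGet.Common, NuGet.Packaging, NuGet.Protocol and NuGet.Resolver at 5.6.0, so please state whether that sample predates this bump or whether the packaged versions are unaffected by this property.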
This is needed for the right runtime assemblies to be discovered.
@@ -21,7 +21,7 @@ | |||
<Import Project="$([MSBuild]::GetPathOfFileAbove('Directory.Build.props', '$(MSBuildThisFileDirectory)../'))" /> | |||
|
|||
<PropertyGroup> | |||
<TestTargetFrameworks>netcoreapp3.1;net472;net46</TestTargetFrameworks> |
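Review bot: The TestTargetFrameworks line at the end of this hunk reads netcoreapp3.1;net472;net46, and only one version of the line is visible, so it is unclear whether net46 stays in the test matrix. If it is being dropped, put an XML comment next to the property naming the Newtonsoft.Json version conflict as the reason, so the rationale does not live only in this thread, and call out in the description that net46 would no longer be exercised by tests.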
Forcing the Newtonsoft.Json version means that net46 will find the wrong assemblies at runtime in this repo. We will get flagged if we have tests that use a Newtonsoft.Json version that is older than 13.0.1. I don't have any good ideas on how to solve this problem other than to remove the TFM from our test suite.
Pull request was closed
Update the version of Microsoft.CodeAnalysis.Testing we use to include this change: dotnet/roslyn-sdk#1025 This should unblock unit testing in Visual Studio
@jmarolf Will we have updated packages on NuGet.org soon?
We haven't released 1.1.2 yet. The packages on NuGet are 1.1.1 and should not have this issue. Are you observing the same problem for 1.1.1?
Ah sorry. It was a bad assumption on my end. I tested 1.1.1 and it works.
In #1004 we pinned the version of Newtonsoft.Json to be 13.0.1 because older versions have security problems.
However, this meant that the NuGet packages now also required consumers to only use that version of Newtonsoft.Json. This breaks downstream test runners who rely on older versions of this assembly.
This change makes the nuspec look like this:
Microsoft.CodeAnalysis.Analyzer.Testing.nuspec:
<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd"> <metadata> <dependencies> <group targetFramework=".NETFramework4.7.2"> <dependency id="DiffPlex" version="1.5.0" include="Runtime,Build,Native,ContentFiles,Analyzers,BuildTransitive" /> <dependency id="Microsoft.CodeAnalysis.Analyzers" version="2.6.1" exclude="Build,Analyzers" /> <dependency id="Microsoft.CodeAnalysis.Workspaces.Common" version="1.0.1" exclude="Build,Analyzers" /> <dependency id="Microsoft.VisualBasic" version="10.0.1" exclude="Build,Analyzers" /> <dependency id="Microsoft.VisualStudio.Composition" version="16.1.8" exclude="Build,Analyzers" /> - <dependency id="Newtonsoft.Json" version="13.0.1" exclude="Build,Analyzers" /> <dependency id="NuGet.Common" version="5.6.0" include="Runtime,Build,Native,ContentFiles,Analyzers,BuildTransitive" /> <dependency id="NuGet.Packaging" version="5.6.0" include="Runtime,Build,Native,ContentFiles,Analyzers,BuildTransitive" /> <dependency id="NuGet.Protocol" version="5.6.0" include="Runtime,Build,Native,ContentFiles,Analyzers,BuildTransitive" /> <dependency id="NuGet.Resolver" version="5.6.0" include="Runtime,Build,Native,ContentFiles,Analyzers,BuildTransitive" /> <dependency id="System.ValueTuple" version="4.5.0" exclude="Build,Analyzers" /> </group> </dependencies> </metadata> </package>
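Review bot: Removing the Newtonsoft.Json dependency line from the .NETFramework4.7.2 group also removes the 13.0.1 lower bound that this package passed on to consumers, so a downstream project can now resolve a version older than 13.0.1, which the description itself says has security problems. Please state in the description or release notes that consumers become responsible for the Newtonsoft.Json version they load, and confirm which version flows in through the remaining dependencies when a consumer references none. Only the net472 group is shown; if the package has other target framework groups, show that the line is dropped consistently there too.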
By adding ExcludeAssets="all" we can ensure that this does not appear in the package dependencies list, which should ensure that we comply with security standards while also allowing runners to use whatever version of Newtonsoft.Json they require.
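As an added example (not part of this pull request or the roslyn-sdk code base), the following Python check reads a nuspec and reports, per target framework group, whether the package still declares a Newtonsoft.Json lower bound of at least 13.0.1, allows something older, or declares nothing. The sample nuspec, function names and the second and third groups are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"n": "http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd"}
SAFE_FLOOR = (13, 0, 1)  # minimum version named in the PR description

# Constructed sample modelled on the nuspec in the description (not the real file).
SAMPLE = """<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
 <metadata><dependencies>
  <group targetFramework=".NETFramework4.7.2">
   <dependency id="DiffPlex" version="1.5.0" />
   <dependency id="Newtonsoft.Json" version="13.0.1" exclude="Build,Analyzers" />
  </group>
  <group targetFramework=".NETStandard2.0">
   <dependency id="Newtonsoft.Json" version="[9.0.1, 13.0.0)" />
  </group>
  <group targetFramework=".NETCoreApp3.1">
   <dependency id="DiffPlex" version="1.5.0" />
  </group>
 </dependencies></metadata></package>"""

def parse_version(text):
    """'13.0.1' -> (13, 0, 1); pre-release and build suffixes are ignored."""
    core = text.strip().split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def lower_bound(rng):
    """Lowest version a NuGet range names, or None if unbounded below.
    Exclusive lower bounds are treated as inclusive, which errs towards flagging."""
    rng = rng.strip()
    if rng[0] not in "[(":          # a bare "13.0.1" means >= 13.0.1
        return parse_version(rng)
    low = rng[1:-1].split(",")[0].strip()
    return parse_version(low) if low else None

def audit(nuspec_xml, package="Newtonsoft.Json", floor=SAFE_FLOOR):
    """Map each targetFramework group to 'absent', 'ok' or 'allows-older'."""
    result = {}
    root = ET.fromstring(nuspec_xml)
    for group in root.iterfind(".//n:dependencies/n:group", NS):
        status = "absent"           # package imposes no floor; the consumer decides
        for dep in group.iterfind("n:dependency", NS):
            if dep.get("id", "").lower() == package.lower():
                low = lower_bound(dep.get("version", "(,)"))
                status = "ok" if low is not None and low >= floor else "allows-older"
        result[group.get("targetFramework")] = status
    return result

if __name__ == "__main__":
    for tfm, status in audit(SAMPLE).items():
        print(f"{tfm}: {status}")
```

A group reported as "absent" is what the nuspec in this description looks like after the change: the package no longer constrains the version, so any floor has to be enforced in the consuming project.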