[6.1] Dependency Cleanup #3843
[6.1] Dependency Cleanup #3843
Conversation
- Updated some dependencies, avoiding transitive vulnerabilities. - Updated nuspec files to remove/update dependencies accordingly.
There was a problem hiding this comment.
Pull request overview
This PR performs a dependency cleanup across the Microsoft.Data.SqlClient driver and related test projects. The changes update several dependencies to address transitive vulnerabilities, remove unused dependencies (Microsoft.Bcl.Cryptography, System.Memory, System.Text.Encodings.Web), and update nuspec files to reflect the new dependency structure. The code changes suppress warnings for deliberately used obsolete APIs in Azure Active Directory authentication methods.
- Removed unused dependencies: Microsoft.Bcl.Cryptography, System.Memory, and System.Text.Encodings.Web across driver and test projects
- Updated Azure and identity-related packages to newer versions (Azure.Core 1.50.0, Azure.Identity 1.17.0, Azure.Security.KeyVault.Keys 4.8.0)
- Updated System.Buffers from 4.5.1 to 4.6.1 and System.Text.Json from 8.0.5 to 8.0.6 for net462
- Added pragma warning suppressions for obsolete APIs in authentication code
Reviewed changes
Copilot reviewed 17 out of 17 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| tools/specs/add-ons/Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider.nuspec | Updated Azure package dependencies and Microsoft.Extensions.Caching.Memory for net9.0 to 9.0.11 |
| tools/specs/Microsoft.Data.SqlClient.nuspec | Updated multiple dependencies across all target frameworks; removed Microsoft.Bcl.Cryptography, System.Text.Encodings.Web, and System.Text.Json from various targets |
| src/Microsoft.Data.SqlClient/tests/tools/Microsoft.Data.SqlClient.TestUtilities/Microsoft.Data.SqlClient.TestUtilities.csproj | Removed unused Microsoft.Bcl.Cryptography dependency |
| src/Microsoft.Data.SqlClient/tests/tools/Microsoft.Data.SqlClient.ExtUtilities/Microsoft.Data.SqlClient.ExtUtilities.csproj | Changed approach from pinning System.Formats.Asn1 to referencing MDS 5.1.8 to avoid transitive vulnerability |
| src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/ConnectivityTests/AADConnectionTest.cs | Added pragma warning suppressions for obsolete AcquireTokenByUsernamePassword API |
| src/Microsoft.Data.SqlClient/tests/ManualTests/Microsoft.Data.SqlClient.ManualTesting.Tests.csproj | Removed unused Microsoft.Bcl.Cryptography dependency |
| src/Microsoft.Data.SqlClient/tests/ManualTests/DataCommon/DataTestUtility.cs | Added pragma warning suppressions for obsolete AcquireTokenByUsernamePassword API |
| src/Microsoft.Data.SqlClient/tests/FunctionalTests/Microsoft.Data.SqlClient.FunctionalTests.csproj | Removed unused Microsoft.Bcl.Cryptography dependency |
| src/Microsoft.Data.SqlClient/tests/Directory.Packages.props | Changed approach to reference MDS 5.1.8 instead of pinning System.Formats.Asn1 |
| src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/ActiveDirectoryAuthenticationProvider.cs | Added pragma warning suppressions for obsolete APIs (AcquireTokenByUsernamePassword and SharedTokenCacheUsername) |
| src/Microsoft.Data.SqlClient/src/Microsoft.Data.SqlClient.csproj | Removed unused Microsoft.Bcl.Cryptography and System.Memory dependencies |
| src/Microsoft.Data.SqlClient/netfx/src/Microsoft.Data.SqlClient.csproj | Removed unused Microsoft.Bcl.Cryptography and System.Text.Encodings.Web dependencies |
| src/Microsoft.Data.SqlClient/netfx/ref/Microsoft.Data.SqlClient.csproj | Removed unused Microsoft.Bcl.Cryptography and System.Text.Encodings.Web dependencies |
| src/Microsoft.Data.SqlClient/netcore/src/Microsoft.Data.SqlClient.csproj | Removed unused Microsoft.Bcl.Cryptography dependency and System.Text.Json reference (provided by framework) |
| src/Microsoft.Data.SqlClient/netcore/ref/Microsoft.Data.SqlClient.csproj | Removed unused Microsoft.Bcl.Cryptography dependency and System.Text.Json reference (provided by framework) |
| src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider.csproj | Removed unused System.Text.Encodings.Web dependency |
| src/Directory.Packages.props | Updated package versions and reorganized framework-specific dependencies; removed System.Memory and some test dependencies; updated Microsoft.NET.Test.Sdk, xunit, and other test packages |
tools/specs/add-ons/Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider.nuspec
Show resolved
Hide resolved
tools/specs/add-ons/Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider.nuspec
Show resolved
Hide resolved
tools/specs/add-ons/Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider.nuspec
Show resolved
Hide resolved
paulmedynski
left a comment
paulmedynski
left a comment
There was a problem hiding this comment.
Commentary for reviewers.
| <dependency id="Azure.Identity" version="1.17.0" /> | ||
| <dependency id="Microsoft.Data.SqlClient.SNI.runtime" version="6.0.2" exclude="Compile" /> | ||
| <dependency id="Microsoft.Extensions.Caching.Memory" version="9.0.4" exclude="Compile" /> | ||
| <dependency id="Microsoft.Extensions.Caching.Memory" version="8.0.1" exclude="Compile" /> |
There was a problem hiding this comment.
These 9.0.4 versions were incorrect. The .NET Standard 2.0 target shares the .NET 8.0 package versions.
…to avoid strong-name errors. - Added System.Text.Json back for .NET Standard 2.0.
| </ItemGroup> | ||
| <ItemGroup> | ||
| <PackageReference Include="Azure.Core" /> | ||
| <PackageReference Include="System.Text.Encodings.Web" /> |
There was a problem hiding this comment.
Not used directly, likely an old transient vulnerability fix.
There was a problem hiding this comment.
Were you thinking of doing an akv release for this?
There was a problem hiding this comment.
I don't think it should be necessary. This is a dependency that will be included via Azure.Core
| <ItemGroup> | ||
| <PackageReference Include="Azure.Core" /> | ||
| <PackageReference Include="Azure.Identity" /> | ||
| <PackageReference Include="Microsoft.Bcl.Cryptography" /> |
There was a problem hiding this comment.
Not used directly, likely an old transient vulnerability fix.
| <Reference Include="System.Data" /> | ||
| <Reference Include="System.Xml" /> | ||
| <Reference Include="System.Runtime.Caching" /> | ||
| <Reference Include="System.EnterpriseServices" /> |
There was a problem hiding this comment.
Re-ordered to match the sibling src project.
| <PackageReference Include="Microsoft.Extensions.Caching.Memory" /> | ||
| <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" /> | ||
| <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" /> | ||
| <PackageReference Include="Microsoft.SqlServer.Server" /> |
There was a problem hiding this comment.
Hmmm... was this omitted previously because the Microsoft.SqlServer.Server namespace and all its types already exist within .NET Framework already? I see a TypeForwards.cs file that is used only for .NET Framework, but it isn't clear where this type's forward to.
| <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" /> | ||
| <PackageReference Include="Microsoft.SqlServer.Server" /> | ||
| <PackageReference Include="System.Buffers" /> | ||
| <PackageReference Include="System.Data.Common" /> |
There was a problem hiding this comment.
Not used directly, likely an old transient vulnerability fix.
There was a problem hiding this comment.
It was added with PR: https://github.com/dotnet/SqlClient/pull/2967/files#diff-d6cdac7c9f92790e995dce24e966c09119385fdc076757b8f70b08bd14dde23fR47 since in .NET Framework v4.6.2 the type referenced by us from this namespace (IDbColumnSchemaGenerator) is not available directly in BCL and downloading this package with NuGet is required for applications to work. I would not recommend removing this dependency due to that reason.
There was a problem hiding this comment.
Is this a case where testing using .NET Framework Runtime 4.6.2 would have produced an error? But testing with .NET Framework Runtime 4.8.1 (which is what we do) doesn't?
| <PropertyGroup> | ||
| <DefineConstants>$(DefineConstants);NETFRAMEWORK;</DefineConstants> | ||
| </PropertyGroup> | ||
| <ItemGroup> |
There was a problem hiding this comment.
Moved below to match the sibling ref project grouping.
…T Framework project. - Inhibiting dependency on Microsoft.SqlServer.Server in UDT test projects for .NET Framework. - Fixed duplicate MDS package version in test utilities.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## release/6.1 #3843 +/- ##
================================================
+ Coverage 62.83% 90.82% +27.99%
================================================
Files 279 6 -273
Lines 53293 316 -52977
================================================
- Hits 33484 287 -33197
+ Misses 19809 29 -19780
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
| <ProjectReference Include="$(AddOnsPath)AzureKeyVaultProvider\Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider.csproj" /> | ||
| <ProjectReference Condition="'$(TargetGroup)'=='netcoreapp' AND $(ReferenceType)=='Project'" Include="$(NetCoreSource)src\Microsoft.Data.SqlClient.csproj" /> | ||
| <ProjectReference Condition="'$(TargetGroup)'=='netfx' AND $(ReferenceType)=='Project'" Include="$(NetFxSource)src\Microsoft.Data.SqlClient.csproj" /> | ||
| <ProjectReference Condition="!$(ReferenceType.Contains('Package'))" Include="$(SqlServerSource)Microsoft.SqlServer.Server.csproj" /> |
There was a problem hiding this comment.
Not used by this project.
| <ItemGroup> | ||
| <ProjectReference Condition="'$(TargetGroup)'=='netcoreapp' AND $(ReferenceType)=='Project'" Include="$(NetCoreSource)src\Microsoft.Data.SqlClient.csproj" /> | ||
| <ProjectReference Condition="'$(TargetGroup)'=='netfx' AND $(ReferenceType)=='Project'" Include="$(NetFxSource)src\Microsoft.Data.SqlClient.csproj" /> | ||
| <ProjectReference Condition="!$(ReferenceType.Contains('Package'))" Include="$(SqlServerSource)Microsoft.SqlServer.Server.csproj" /> |
There was a problem hiding this comment.
These project refs were polluting the artifacts with un-signed Microsoft.SqlServer.Server DLLs that .NET Framework was refusing to load. I changed them to package refs to avoid this. We never need a project ref for MSS here.
| <None Update="config.json"> | ||
| <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory> | ||
| </None> | ||
| <PackageReference Include="Azure.Identity" /> |
There was a problem hiding this comment.
Not used by this project.
| <PrivateAssets>all</PrivateAssets> | ||
| </PackageReference> | ||
| <PackageReference Include="Microsoft.DotNet.XUnitExtensions" /> | ||
| <PackageReference Include="Microsoft.SqlServer.Server" /> |
There was a problem hiding this comment.
Not used by this project.
| </ItemGroup> | ||
| <ItemGroup> | ||
| <PackageReference Include="Azure.Core" /> | ||
| <PackageReference Include="System.Text.Encodings.Web" /> |
There was a problem hiding this comment.
Were you thinking of doing an akv release for this?
| <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" /> | ||
| <PackageReference Include="System.Buffers" /> | ||
| <PackageReference Include="System.Data.Common" /> | ||
| <PackageReference Include="System.Security.Cryptography.Pkcs" /> |
There was a problem hiding this comment.
This package is referenced in
I would recommend we keep this explicit reference included.
| <Reference Include="System.Xml" /> | ||
| <Reference Include="System.Runtime.Caching" /> | ||
| <Reference Include="System.Transactions" /> | ||
| <Reference Include="System.EnterpriseServices" /> |
There was a problem hiding this comment.
If you need EnterpriseServices here, might as well keep them in ref as well?
There was a problem hiding this comment.
It's there - line 32.
| <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" /> | ||
| <PackageReference Include="System.Buffers" /> | ||
| <PackageReference Include="System.Security.Cryptography.Pkcs" /> | ||
| <PackageReference Include="System.Text.Encodings.Web" /> |
There was a problem hiding this comment.
Removing System.Text.Encodings.Web seems fine, however we should be including "System.IdentityModel.Tokens.Jwt" NuGet package as we have a direct usage of it here:
Description
Details
MDS
AKV
Issues
Resolves #3807.
Testing