-
Notifications
You must be signed in to change notification settings - Fork 94
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Lowering System.Collections.Immutable to 1.5.0 #2533
Lowering System.Collections.Immutable to 1.5.0 #2533
Conversation
## **v3.0.0** [Sdk](https://www.nuget.org/packages/Sarif.Sdk/3.0.0) | [Driver](https://www.nuget.org/packages/Sarif.Driver/3.0.0) | [Converters](https://www.nuget.org/packages/Sarif.Converters/3.0.0) | [Multitool](https://www.nuget.org/packages/Sarif.Multitool/3.0.0) | [Multitool Library](https://www.nuget.org/packages/Sarif.Multitool.Library/3.0.0) | ||
* BUGFIX: Loosen Newtonsoft.JSON minimum version requirement to 6.0.8 (for .NET framework) or 9.0.1 (for all other compilations) for Sarif.Sdk. Sarif.Converts requires 8.0.1, minimally, for .NET framework compilations. | ||
* BUGFIX: Broaden set of supported .NET frameworks for compatibility reasons. Sarif.Sdk, Sarif.Driver and Sarif.WorkItems requires net461. | ||
* BUGFIX: Set default stack limit in Newtonsoft.JSON utilization (if `JsonConvert.Defaults` is not already configured) to address GitHub advisory [GHSA-5crp-9r3c-p9vr](/~https://github.com/advisories/GHSA-5crp-9r3c-p9vr). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We're no longer setting a limit? Which PR was this removed in and why?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This got removed in this:
#2527
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We discussed today in the IcMs meeting about this. The point is: the consume will need to fix and the sarif.sdk, since its the lower level, it cannot enforce the fix on anyone.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it. Thanks for the context.
@@ -1,9 +1,12 @@ | |||
# SARIF Package Release History (SDK, Driver, Converters, and Multitool) | |||
|
|||
## **v3.1.0-beta1** [Sdk](https://www.nuget.org/packages/Sarif.Sdk/3.1.0-beta1) | [Driver](https://www.nuget.org/packages/Sarif.Driver/3.1.0-beta1) | [Converters](https://www.nuget.org/packages/Sarif.Converters/3.1.0-beta1) | [Multitool](https://www.nuget.org/packages/Sarif.Multitool/3.1.0-beta1) | [Multitool Library](https://www.nuget.org/packages/Sarif.Multitool.Library/3.1.0-beta1) | |||
|
|||
* DEPENDENCY BREAKING: SARIF.SDK now requires `System.Collections.Immutable` 1.5.0. [#2504](/~https://github.com/microsoft/sarif-sdk/pull/2533) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a compatibility issue between 1.5.0 and 5.0.0? If 5.0.0 was previously required, is this really a breaking change or are we actually loosening restrictions for the sarif sdk? #Resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we have other systems that uses sarif-sdk which is causing major breaking changes in other projects.
So, with that in mind, I want to reduce to the previous version that we were using.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If it is considered breaking, we need to increment the major version (4.0.0).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I choose 3.1.0 because its a minor change, with backwards compatibility. No API changes and everything should work as is.
I would only choose for a major bump if: we are changing the targetframework or if we are breaking existing APIs.
Can you explain in the description the reason for downgrading this dependency? Is it for VS compatibility like the newtonsoft downgrade? Is there an external motivation for this? Or are we simply applying a principle of lowest required version for all dependencies? |
@@ -49,7 +49,6 @@ | |||
<PackageReference Include="FluentAssertions" Version="5.10.2" /> | |||
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.4.0-preview-20220707-01" /> | |||
<PackageReference Include="Moq" Version="4.13.1" /> | |||
<PackageReference Include="System.Collections.Immutable" Version="5.0.0" /> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@@ -1,9 +1,12 @@ | |||
# SARIF Package Release History (SDK, Driver, Converters, and Multitool) | |||
|
|||
## **v3.1.0-beta1** [Sdk](https://www.nuget.org/packages/Sarif.Sdk/3.1.0-beta1) | [Driver](https://www.nuget.org/packages/Sarif.Driver/3.1.0-beta1) | [Converters](https://www.nuget.org/packages/Sarif.Converters/3.1.0-beta1) | [Multitool](https://www.nuget.org/packages/Sarif.Multitool/3.1.0-beta1) | [Multitool Library](https://www.nuget.org/packages/Sarif.Multitool.Library/3.1.0-beta1) | |||
|
|||
* DEPENDENCY BREAKING: SARIF.SDK now requires `System.Collections.Immutable` 1.5.0. [#2504](/~https://github.com/microsoft/sarif-sdk/pull/2533) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If it is considered breaking, we need to increment the major version (4.0.0).
This change will drop to a previous version of
System.Collections.Immutable
that we used to use (1.5.0).We did this update nearly two years ago: #2146 but we didn't have any reason to do it.
Approach:
Tests: