@wtgodbe wtgodbe commented Oct 20, 2025

Fixes a CG alert

@wtgodbe wtgodbe requested a review from halter73 as a code owner October 20, 2025 16:38
@Copilot Copilot AI review requested due to automatic review settings October 20, 2025 16:38
@wtgodbe wtgodbe requested review from a team, BrennanConroy and JamesNK as code owners October 20, 2025 16:38
@github-actions github-actions bot added the area-infrastructure Includes: MSBuild projects/targets, build scripts, CI, Installers and shared framework label Oct 20, 2025

Copilot AI left a comment

Pull Request Overview

This PR updates various package versions across the codebase to address component governance (CG) alerts. The changes include updating Microsoft.Build-related packages from version 17.12.36 to 17.12.50, and updating several ASP.NET Core and Microsoft.Extensions packages in a test project.

  • Microsoft.Build package family updated to version 17.12.50
  • ASP.NET Core packages updated from 2.2.0 to 2.3.0/2.3.6
  • Microsoft.Extensions packages updated from 2.2.0 to 8.0.0/8.0.1

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| InProcessNewShimWebSite.csproj | Updates multiple ASP.NET Core and Microsoft.Extensions package references to newer versions |
| Version.Details.xml | Updates Microsoft.Build package versions and commit SHAs to 17.12.50 |
| Version.Details.props | Updates Microsoft.Build package version properties to 17.12.50 |

<AllowExplicitReference>true</AllowExplicitReference>
</PackageReference>
<PackageReference Include="Microsoft.AspNetCore.Server.IISIntegration" Version="2.2.0" >
<PackageReference Include="Microsoft.AspNetCore.Server.IISIntegration" Version="2.3.0" >
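Review bot: The Version="2.3.0" literal on the Microsoft.AspNetCore.Server.IISIntegration reference has no comment explaining why this project pins a specific 2.x package together with AllowExplicitReference. Add an XML comment next to the reference stating what the pin is meant to exercise, so that a bump made only to clear an alert can be checked against that purpose before it merges.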
Member

I suspect this won't work as I think InProcess support was added in 2.2.

This csproj exists to test ANCM compatibility with older TFMs. Is there a way to change it to target the oldest supported TFM that is not 2.3?

Member Author

All of these packages were discontinued after 2.2, so I'm not sure - the only update we need to make is kestrel.core, so maybe I'll try just updating that one

Member Author

No, that doesn't work - would it be sufficient to multitarget DefaultNetCoreTargetFramework and CurrentLtsTargetFramework, and remove all the 2.x PackageRefs?

Member

No because we want to target an older TFM to verify back-compat. Those are the same values currently

<DefaultNetCoreTargetFramework>net10.0</DefaultNetCoreTargetFramework>
<!-- this should usually match for LTS builds, and be off-by-one otherwise;
example use-case here is OOB packages where Aspire wants to be able to consume
new features specific to OOB -->
<CurrentLtsTargetFramework>net10.0</CurrentLtsTargetFramework>

Ideally, it'd target net8.0 right now.

wtgodbe commented Oct 21, 2025

Going to separate this into 2 PRs

@wtgodbe wtgodbe changed the title from "Fix CG alerts" to "Stop using 2.x packages in InProcessNewShimWebsite testasset" Oct 21, 2025

<PropertyGroup>
<TargetFramework>$(DefaultNetCoreTargetFramework)</TargetFramework>
<TargetFrameworks>$(DefaultNetCoreTargetFramework);$(NetMinimum)</TargetFrameworks>
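Review bot: The new TargetFrameworks value joins $(DefaultNetCoreTargetFramework) and $(NetMinimum) with nothing covering the case where both properties resolve to the same TFM, which would list that framework twice. Consider adding a condition for that case, and an XML comment on the line saying that $(NetMinimum) is included to keep an older TFM under test, so the intent survives later edits to either property.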
Member Author

NetMinimum is net8.0 currently, and is controlled by Arcade
