Which projects and javascript modules are strictly needed in a source-build only scenario?

omajid commented 7 months ago

Is there an existing issue for this?

[X] I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

For ASP.NET Core in a source-build context, there are two goals that are generally in tension with each other:

Ease of development: ASP.NET Core developers want to use the best tools for development, including the best bundling tools, linting tools, and anything else that makes it easier to build, test and release bug-free versions of ASP.NET Core with the least amount of work.
Ease of packaging: .NET maintainers want to build everything from source, without any binaries. With the javascript/npm ecosystem,that can mean having to include and build thousands of npm packages, which creates extra work.

Describe the solution you'd like

Perhaps we can reduce the pain in the second point by focusing on things that are really needed in a VMR/source-build context?

For example, in a VMR/source-build context, we don't need to:

Create npm packages (like @microsoft/signalr) for publishing to npmjs.org
Build Windows-only components in a source-build-only context
Create nupkgs that are only published to nuget.org
Run linting tools

Is there a list of packages/projects that are strictly required for creating the .NET SDK in a source-build context? Can we trim down the ASP.NET Core dependency tree (and build system) to focus on just those packages, to make it easier to source-build all of ASP.NET Core?

Additional context

No response

omajid commented 7 months ago

cc @javiercn @mthalman @MichaelSimons @tmds

wtgodbe commented 7 months ago

Thanks for filing this - we'll look into having a good long-term solution for this after our current security wave ends, likely for .NET 10.

tmds commented 2 months ago

@javiercn @wtgodbe we'd like to understand better where the pre-built JavaScript that source-build uses ends up. Does it become part of the distro packages, or is it part of Microsoft nuget.org packages? What types of .NET projects use it? If it is part of nuget.org packages, does the SDK assume specific versions for these packages?

javiercn commented 1 month ago

@tmds We generate JS bundles that get checked in any time we change our Typescript for Blazor Web and Blazor Server and those bundles get embedded in the assembly as part of the build.

From the build point of view, those JS files are source files like if we were using any other JS library (like the ones we ship in our templates)

tmds commented 1 month ago

get embedded in the assembly as part of the build.

Can you be specific as to what the assembly names are? And do they come as part of the .NET installation, or through nuget.org?

The typescript that is in these assemblies is only ever ran in a browser, right?

javiercn commented 1 month ago

@tmds It's JavaScript at that point, not Typescript.

Microsoft.AspNetCore.Components.Server and Microsoft.AspNetCore.Components.Endpoints.Server the JS code only runs on the browser.

tmds commented 1 month ago

Thank you for this information @javiercn!

For us it is important to know that we are including this JS code bundled in our .NET packages, and security issues reported against the JS/TS modules only apply if they are for browsers and not for other environments, like the Node.js runtime.

dotnet / aspnetcore