dotnet / runtime

.NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps.
https://docs.microsoft.com/dotnet/core/
MIT License

Auto-referenced packages gets added to packages.lock.json for Microsoft.NET.Sdk.BlazorWebAssembly #100082

Closed vedion closed 6 months ago

vedion commented 7 months ago

Is there an existing issue for this?

Describe the bug

Hi,

I have a project using: <Project Sdk="Microsoft.NET.Sdk.BlazorWebAssembly"> and <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>

I get two Auto-referenced packages added to the "packages.lock.json" file:

{
  "version": 2,
  "dependencies": {
    "net8.0": {
      "Microsoft.AspNetCore.Components.WebAssembly": {
        "type": "Direct",
        "requested": "[8.0.3, )",
        "resolved": "8.0.3",
        "contentHash": "fjmErNTFesEhytAEw/MNddi5oubBPPZB/2jivD4G+hv5Z+vQnuHRAh1YNy0IKJV3T49Fvu4AhUdcLfEZvO24QA==",
        "dependencies": {
          "Microsoft.AspNetCore.Components.Web": "8.0.3",
          "Microsoft.Extensions.Configuration.Binder": "8.0.1",
          "Microsoft.Extensions.Configuration.Json": "8.0.0",
          "Microsoft.Extensions.Logging": "8.0.0",
          "Microsoft.JSInterop.WebAssembly": "8.0.3"
        }
      },
      "Microsoft.AspNetCore.SignalR.Client": {
        "type": "Direct",
        "requested": "[8.0.3, )",
        "resolved": "8.0.3",
        "contentHash": "zjQGIt4s+2zIVy0etNRxcMf79JEI4C3zpPwNu3pPFepe7G/T1lbyg6Q/rqW8GTr7SEVHWlwTNRbeaJ5FTENjrA==",
        "dependencies": {
          "Microsoft.AspNetCore.Http.Connections.Client": "8.0.3",
          "Microsoft.AspNetCore.SignalR.Client.Core": "8.0.3"
        }
      },
      "Microsoft.Extensions.Http": {
        "type": "Direct",
        "requested": "[8.0.0, )",
        "resolved": "8.0.0",
        "contentHash": "cWz4caHwvx0emoYe7NkHPxII/KkTI8R/LC9qdqJqnKv2poTJ4e2qqPGQqvRoQ5kaSA4FU5IV3qFAuLuOhoqULQ==",
        "dependencies": {
          "Microsoft.Extensions.Configuration.Abstractions": "8.0.0",
          "Microsoft.Extensions.DependencyInjection.Abstractions": "8.0.0",
          "Microsoft.Extensions.Diagnostics": "8.0.0",
          "Microsoft.Extensions.Logging": "8.0.0",
          "Microsoft.Extensions.Logging.Abstractions": "8.0.0",
          "Microsoft.Extensions.Options": "8.0.0"
        }
      },
      "Microsoft.Extensions.Logging.Configuration": {
        "type": "Direct",
        "requested": "[8.0.0, )",
        "resolved": "8.0.0",
        "contentHash": "ixXXV0G/12g6MXK65TLngYN9V5hQQRuV+fZi882WIoVJT7h5JvoYoxTEwCgdqwLjSneqh1O+66gM8sMr9z/rsQ==",
        "dependencies": {
          "Microsoft.Extensions.Configuration": "8.0.0",
          "Microsoft.Extensions.Configuration.Abstractions": "8.0.0",
          "Microsoft.Extensions.Configuration.Binder": "8.0.0",
          "Microsoft.Extensions.DependencyInjection.Abstractions": "8.0.0",
          "Microsoft.Extensions.Logging": "8.0.0",
          "Microsoft.Extensions.Logging.Abstractions": "8.0.0",
          "Microsoft.Extensions.Options": "8.0.0",
          "Microsoft.Extensions.Options.ConfigurationExtensions": "8.0.0"
        }
      },
      "Microsoft.NET.ILLink.Tasks": {
        "type": "Direct",
        "requested": "[8.0.2, )",
        "resolved": "8.0.2",
        "contentHash": "hKTrehpfVzOhAz0mreaTAZgbz0DrMEbWq4n3hAo8Ks6WdxdqQhNPvzOqn9VygKuWf1bmxPdraqzTaXriO/sn0A=="
      },
      "Microsoft.NET.Sdk.WebAssembly.Pack": {
        "type": "Direct",
        "requested": "[8.0.2, )",
        "resolved": "8.0.2",
        "contentHash": "sq7Zs4E699WDIbFloiK/qmp9JtL8vpzMGILjnzYjkY4O1qj6z1Iu36dl4xWXrkVsKDnxw8CZ7NDqsntq5FFPgg=="
      },

I do not have a direct reference to "Microsoft.NET.ILLink.Tasks" and "Microsoft.NET.Sdk.WebAssembly.Pack". They are also marked with "(A)" when doing a "dotnet list .\Client.csproj package":

Project 'Client' has the following package references
   [net8.0]: 
   Top-level Package                                     Requested        Resolved      
   > Microsoft.AspNetCore.Components.WebAssembly         8.0.3            8.0.3
   > Microsoft.AspNetCore.SignalR.Client                 8.0.3            8.0.3
   > Microsoft.Extensions.Http                           8.0.0            8.0.0
   > Microsoft.Extensions.Logging.Configuration          8.0.0            8.0.0
   > Microsoft.NET.ILLink.Tasks                    (A)   [8.0.3, )        8.0.3
   > Microsoft.NET.Sdk.WebAssembly.Pack            (A)   [8.0.3, )        8.0.3

Is it correct that the auto-referenced packages get added to the "packages.lock.json" file?

Best Regards, Anders Havn

Expected Behavior

Auto-referenced packages not added to the "packages.lock.json" file.

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

8.0.203

Anything else?

No response

maraf commented 7 months ago

Both Microsoft.NET.ILLink.Tasks and Microsoft.NET.Sdk.WebAssembly.Pack are packages implicitly used by the SDK. It's an SDK implementation detail for WebAssembly and ILLink

@dotnet/nuget-team Is there a way to exclude such packages from the lock file? The versions are defined by the SDK, not by the user, and their versions should be synced by the SDK logic

cc @lewing

vedion commented 7 months ago

For us this is an issue when the Microsoft-hosted agents are being updated. While updating, the agents are running different .NET Core SDK versions and we will get this error:

"error NU1004: The package reference Microsoft.NET.ILLink.Tasks version has changed from [8.0.2, ) to [8.0.3, ).The packages lock file is inconsistent with the project dependencies so restore can't be run in locked mode."

zivkan commented 7 months ago

@maraf lock files have 2 purposes:

  1. pin versions of packages to make restore deterministic (in the case of using floating versions, or if specific versions become no longer available)
  2. record the package hash, to ensure that the package has not been tampered with

Ignoring implicitly defined packages might be suitable for 1 (for some opinions of suitable). But ignoring those implicit packages would violate the protection provided by 2, the content hash.

It's an unfortunate design mismatch between lock files and implicit packages (both were implemented before I joined NuGet, I don't know which happened first). The .NET SDK and other teams that add implicit packages would need to work with NuGet to come up with a new design for lock files to enable the request, and that's assuming we can come to an agreement on the security implication of the changing package hash.

Customers who want to use lock files with the current limitation need to use a global.json to lock the .NET SDK to a specific version. On CI, they'll need to use the dotnet-install script to install global.json's SDK version, and not use the .NET SDK that's pre-installed on the agent. This means that every month there's a chance that a security fix will be released and customers will need to increment the .NET SDK version, run a restore without locked mode to update the lock file, then commit it all into source control.
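The following is an added example, not code from NuGet, the .NET SDK, or anyone in this thread. It makes the two points above concrete: verifying each `contentHash` in a `packages.lock.json` against the package bytes actually restored (zivkan's purpose 2, the tamper check), and, for the NU1004 failure vedion describes, diffing two lock files to show whether a changed `requested` range comes from a user-edited reference or from an SDK-implicit package. It assumes that `contentHash` is the base64-encoded SHA-512 of the `.nupkg` file and that the lock layout follows the version-2 fragment quoted in the issue; the package bytes and lock documents it builds are constructed for the demonstration, and `SDK_IMPLICIT` lists only the two packages named in the thread.

```python
"""Checks over NuGet packages.lock.json files.

Added example for this thread, not NuGet or .NET SDK code. Assumptions:
- NuGet's "contentHash" is the base64-encoded SHA-512 of the .nupkg bytes.
- The lock-file layout follows the version-2 fragment quoted in the issue.
- Package bytes and lock documents below are constructed for the demo.
"""
import base64
import hashlib
import json

# Packages the .NET SDK references implicitly (the two named in the issue).
SDK_IMPLICIT = {"Microsoft.NET.ILLink.Tasks", "Microsoft.NET.Sdk.WebAssembly.Pack"}


def content_hash(nupkg_bytes: bytes) -> str:
    """NuGet-style contentHash (assumed: base64 of SHA-512 over the .nupkg)."""
    return base64.b64encode(hashlib.sha512(nupkg_bytes).digest()).decode("ascii")


def make_lock(entries: dict, framework: str = "net8.0") -> dict:
    """Build a version-2 lock document from {name: (requested, resolved, nupkg_bytes)}."""
    deps = {}
    for name, (requested, resolved, blob) in entries.items():
        deps[name] = {
            "type": "Direct",
            "requested": requested,
            "resolved": resolved,
            "contentHash": content_hash(blob),
        }
    return {"version": 2, "dependencies": {framework: deps}}


def verify_hashes(lock: dict, downloaded: dict, framework: str = "net8.0") -> dict:
    """Compare each locked contentHash with the hash of the package actually restored.

    Returns {name: "ok" | "mismatch" | "not-downloaded"}. A mismatch is the
    tampering signal the lock file's hash is there to catch.
    """
    result = {}
    for name, entry in lock["dependencies"][framework].items():
        blob = downloaded.get(name)
        if blob is None:
            result[name] = "not-downloaded"
        elif content_hash(blob) == entry["contentHash"]:
            result[name] = "ok"
        else:
            result[name] = "mismatch"
    return result


def lock_drift(old_lock: dict, new_lock: dict, framework: str = "net8.0") -> list:
    """List entries whose 'requested' range differs, tagged by who controls them.

    In locked mode NuGet refuses to restore when a requested range changed
    (error NU1004). Tagging the drift tells a CI maintainer whether a user edit
    or an SDK bump (the case in this issue) caused it.
    """
    old = old_lock["dependencies"][framework]
    new = new_lock["dependencies"][framework]
    drift = []
    for name in sorted(set(old) | set(new)):
        before = old.get(name, {}).get("requested")
        after = new.get(name, {}).get("requested")
        if before != after:
            owner = "sdk-implicit" if name in SDK_IMPLICIT else "user"
            drift.append((name, before, after, owner))
    return drift


# Constructed package bytes standing in for real .nupkg files.
PKGS_SDK_8_0_2 = {
    "Microsoft.Extensions.Http": b"constructed nupkg: Microsoft.Extensions.Http 8.0.0",
    "Microsoft.NET.ILLink.Tasks": b"constructed nupkg: Microsoft.NET.ILLink.Tasks 8.0.2",
}
LOCK_SDK_8_0_2 = make_lock({
    "Microsoft.Extensions.Http": ("[8.0.0, )", "8.0.0", PKGS_SDK_8_0_2["Microsoft.Extensions.Http"]),
    "Microsoft.NET.ILLink.Tasks": ("[8.0.2, )", "8.0.2", PKGS_SDK_8_0_2["Microsoft.NET.ILLink.Tasks"]),
})
# The same project restored by a newer SDK: only the implicit package moved.
LOCK_SDK_8_0_3 = make_lock({
    "Microsoft.Extensions.Http": ("[8.0.0, )", "8.0.0", PKGS_SDK_8_0_2["Microsoft.Extensions.Http"]),
    "Microsoft.NET.ILLink.Tasks": ("[8.0.3, )", "8.0.3", b"constructed nupkg: Microsoft.NET.ILLink.Tasks 8.0.3"),
})


def demo() -> dict:
    """Run the hash check on clean and altered package bytes, then the drift report."""
    altered = dict(PKGS_SDK_8_0_2)
    altered["Microsoft.Extensions.Http"] = b"constructed nupkg with different bytes"
    return {
        "clean": verify_hashes(LOCK_SDK_8_0_2, PKGS_SDK_8_0_2),
        "altered": verify_hashes(LOCK_SDK_8_0_2, altered),
        "drift": lock_drift(LOCK_SDK_8_0_2, LOCK_SDK_8_0_3),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real checkout, `downloaded` would be populated by hashing each `.nupkg` under the restore directory; the drift report then separates the `sdk-implicit` rows (which only a `global.json` pin or a `--force-evaluate` restore plus commit can resolve) from `user` rows that point at an actual project change.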

vedion commented 7 months ago

While the agents are being rolled out I can still run into an agent with the previous version of .NET SDK and then it will fail on that agent.

A solution for me could be to disable rollForward in global.json: { "sdk": { "version": "8.0.200", "rollForward": "disable" } }

And then install that version on the pipeline:

BUT then I run into another issue. When running "dotnet restore --force-evaluate" it respects global.json but when running "dotnet restore --locked-mode" it does not.

That is quite bad.

maraf commented 6 months ago

Closing as duplicate of https://github.com/dotnet/sdk/issues/39635