eventflow / EventFlow

Async/await first CQRS+ES and DDD framework for .NET
https://geteventflow.net

v0: Maintenance #1023

Closed yzhoholiev closed 1 month ago

yzhoholiev commented 7 months ago

CLAassistant commented 7 months ago

CLA assistant check
All committers have signed the CLA.

rasmus commented 7 months ago

A lot of good changes here, quite a lot breaking as they are removing old (deprecated) .NET versions. Any specific reason why v1 won't cut it for you?

v0 builds currently aren't running due to the incompatibility with running Linux Docker containers on Windows GHA runners. So, getting something up and running that could actually make v0 releasable again (build and test) would be priority number one.

yzhoholiev commented 7 months ago

I agree that those changes are considered breaking changes; unfortunately, there is no version available between v0.x and v1.x. For our project, we are waiting for v1.x to be released before planning the upgrade as it also contains breaking changes. At the same time, the main reason for these changes is, actually, to deprecate the netstandard1.6 as it is not supported and remove usage of vulnerable versions of dependencies.

janrybka commented 7 months ago

> I agree that those changes are considered breaking changes; unfortunately, there is no version available between v0.x and v1.x. For our project, we are waiting for v1.x to be released before planning the upgrade as it also contains breaking changes. At the same time, the main reason for these changes is, actually, to deprecate the netstandard1.6 as it is not supported and remove usage of vulnerable versions of dependencies.

As I understand, as long as you don't use netstandard1.6 it won't affect versions of libraries in the resulting service. We're using version "0.83.4713" in a .NET 8 service and all artifact libraries are in the correct, updated version, working fine on the .NET 8 runtime (the EventFlow.dll used from the package is from the netcoreapp3.1 folder). Vulnerability tools used on the service and the final Docker image don't show problems.

As for vulnerable dependencies, we managed to get green even in the current EventFlow state. "System.Data.SqlClient" in its newest version is not a problem, but it lags behind .NET releases and is not the best option when working with Azure SQL, and for now we have only identified this as a problem (https://github.com/eventflow/EventFlow/discussions/1022).

yzhoholiev commented 7 months ago

> > I agree that those changes are considered breaking changes; unfortunately, there is no version available between v0.x and v1.x. For our project, we are waiting for v1.x to be released before planning the upgrade as it also contains breaking changes. At the same time, the main reason for these changes is, actually, to deprecate the netstandard1.6 as it is not supported and remove usage of vulnerable versions of dependencies.

> As I understand, as long as you don't use netstandard1.6 it won't affect versions of libraries in the resulting service. We're using version "0.83.4713" in a .NET 8 service and all artifact libraries are in the correct, updated version, working fine on the .NET 8 runtime (the EventFlow.dll used from the package is from the netcoreapp3.1 folder). Vulnerability tools used on the service and the final Docker image don't show problems.

> As for vulnerable dependencies, we managed to get green even in the current EventFlow state. "System.Data.SqlClient" in its newest version is not a problem, but it lags behind .NET releases and is not the best option when working with Azure SQL, and for now we have only identified this as a problem (#1022).

The main problem was with EventFlow.MongoDB, as it only uses netstandard1.6, which has vulnerabilities in System.Net.Http (CVE-2018-8292) and System.Text.RegularExpressions (CVE-2019-0820).

yzhoholiev commented 7 months ago

I can roll back some changes to make the PR more lightweight, such as replacing the System.Data.SqlClient, but everything else is worth keeping.

janrybka commented 7 months ago

If it's only about MongoDB, then with a small step you could add .netstandard2.0 to the list (like in the Autofac case) or drop support for 1.6 and replace it with the new one. Still, it'll be a smaller backward incompatibility.

github-actions[bot] commented 4 months ago

Hello there!

We hope this message finds you well. We wanted to let you know that we have noticed that there has been no activity on this pull request for the past 90 days, which makes it a stale pull request.

As a result, we will be closing this pull request within the next seven days. If you still think this pull request is necessary or relevant, please feel free to update it or leave a comment within the next seven days.

Thank you for your contributions and understanding.

Best regards, EventFlow

github-actions[bot] commented 4 months ago

Hello there! I'm a bot and I wanted to let you know that your pull request has been closed due to inactivity after being marked as stale for seven days. If you believe this was done in error, or if you still plan to work on this pull request, please don't hesitate to reopen it and let us know. We're always happy to review and merge high-quality contributions. Thank you for your interest in our project! Best regards, EventFlow

rasmus commented 1 month ago

I'm working on getting a GHA runner up and running for EventFlow that has Docker properly configured (Linux containers).

rasmus commented 1 month ago

Got builds up and running again for v0 using a self-hosted Windows server. Unfortunately, the changes required left a lot of conflicts with this PR @yzhoholiev

yzhoholiev commented 1 month ago

I think you can close this PR as it is outdated. If you think it makes sense I can update it actually.

rasmus commented 1 month ago

I'll close it then. There's a lot of changes here and some related to .NET 8, which properly belong in v1. Don't think the users of v0 would want it to change too much as it might break their setup. If they need .NET 8, they might as well switch to v1.