microsoft / playwright-dotnet

.NET version of the Playwright testing and automation library.
https://playwright.dev/dotnet/
MIT License
Multi-target to reduce dependencies #3033

Open mus65 opened 1 month ago

mus65 commented 1 month ago

Currently, Microsoft.Playwright has a few dependencies which are all unnecessary on modern .NET because they are part of the framework itself. This will become even more of an issue with .NET 9 since NuGet Audit will start complaining about CVEs in transitive dependencies, so all consuming modern .NET applications will get false positive warnings about e.g. a CVE in System.Text.Json.

Multi-targeting would allow removing these dependencies on modern .NET. It would also allow conditionally making use of newer APIs in modern .NET.

I could make a PR for this and already looked into this. Unfortunately this is not as simple as editing the csproj since quite a few new warnings are introduced in the net8.0 target which would need fixing or suppressing. So I first wanted to get some feedback on whether a PR for this would be accepted.

mxschmitt commented 1 month ago

Which CVEs are you referring to? We aim to fix security vulnerabilities, so we did it with https://github.com/microsoft/playwright-dotnet/pull/3016.

mus65 commented 1 month ago

I'm referring to CVEs in general. Currently a CVE in System.Text.Json would affect both .NET Framework and modern .NET applications. With multi-targeting, only .NET Framework applications would be affected since the dependency isn't even needed on modern .NET. So something like #3016 would not be necessary in the first place (at least for modern .NET users).
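The multi-targeting approach described in the two comments above, sketched as a csproj fragment. This is an added example, not part of the thread and not the project's own build file; the `netstandard2.0` target and the placeholder package version are assumptions, while `net8.0` and `System.Text.Json` are the names used in the discussion.

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Assumption: one legacy-compatible target plus one modern target.
         The thread mentions a net8.0 target and a netstandard version;
         netstandard2.0 is chosen here only for illustration. -->
    <TargetFrameworks>netstandard2.0;net8.0</TargetFrameworks>
  </PropertyGroup>

  <!-- Referenced only when building the legacy target, where
       System.Text.Json is not part of the framework. Consumers on
       net8.0 get no package edge to it, so a future advisory against
       the package does not show up in their transitive graph. -->
  <ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0'">
    <!-- Placeholder version: substitute the version the project pins. -->
    <PackageReference Include="System.Text.Json" Version="0.0.0-placeholder" />
  </ItemGroup>

  <!-- No ItemGroup for net8.0: the in-box framework assembly is used,
       and it is serviced through runtime updates instead of NuGet. -->

</Project>
```

A consuming application can check which packages each target framework actually pulls in with `dotnet list package --include-transitive --vulnerable`, which reports results per framework.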

mxschmitt commented 3 weeks ago

Let's collect feedback for it. So far we didn't see much demand for it. Multi-targeting means having compiler directives inside the code, which adds a lot of overhead for us to maintain the library; also, testing-wise, these are then different code paths etc.

kblok commented 3 weeks ago

My two cents. Some libraries have different implementations, whether you use the netstandard version or the .NET 8 version, for good or bad. The good part is that you might get a bump in performance if you use .NET-specific libraries and fewer dependencies. The bad part is that you might have different behaviors (potential bugs) on different platforms.