Skip to content

Microsoft.Azure.WebJobs.Extensions.Http depends on deprecated "Microsoft.AspNetCore.*" packages #855

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
fowl2 opened this issue Jul 26, 2023 · 5 comments
Closed

Microsoft.Azure.WebJobs.Extensions.Http depends on deprecated "Microsoft.AspNetCore.*" packages #855

fowl2 opened this issue Jul 26, 2023 · 5 comments
Labels
Needs: Attention 👋

Comments

@fowl2
Copy link

fowl2 commented Jul 26, 2023

Microsoft.Azure.WebJobs.Extensions.Http (3.2.0, the current version) is a direct dependency of Microsoft.NET.Sdk.Functions ie. the main Functions SDK, which means it is included in all in-proc Functions.

And it depends on several deprecated packages:

There were announced deprecated by the .Net team at dotnet/announcements#217 (discussion: dotnet/core#7420) in May 2022.

This dependency has caused at least one issue: https://github.com/MicrosoftDocs/azure-docs/issues/54934.

It would be great if it could be removed.
@ghost ghost added the Needs: Triage 🔍 label Jul 26, 2023
@Havunen
Copy link

Havunen commented Aug 21, 2023
edited
Loading

This is annoying issue because the main function app SDK depends on Microsoft.Azure.WebJobs.Extensions.Http
and certain things (like new extension methods) does not work as expected. https://www.nuget.org/packages/Microsoft.NET.Sdk.Functions

image

This was referenced Aug 21, 2023
Closed
Closed
@patelriki13
Copy link

Any updates on this?
Critical vulnerabilities and deprecated packages still low priorities?
After 6 months, is there no progress on this?

@lzandman
Copy link

Still no progress. This issue is flagged in our SCA tooling. Technically you're requiring us to run vulnerable software, which, as The Mandalorian would say it, isn't the way...

@bhagyshricompany
Copy link

bhagyshricompany commented Nov 26, 2024
edited
Loading

Hi @jviau please comment.Thanks

@jviau
Copy link
Contributor

jviau commented Dec 2, 2024

AspNetCore no longer ships these packages out of band. We would need to add an AspNetCore Framework reference to address this. However, it is fully in the end users' power to uplift this package to by adding <FrameworkReference Include="Microsoft.AspNetCore.App" /> to their csproj, which will pin this package to the version shipped with the aspnetcore runtime (so it will match your TFM). Additionally, for function apps the real package versions loaded at runtime are the current ones for the TFM. So when running .net6 in-proc functions, we will be loading all the 6.x versions, and similarly for net8 in-proc it is 8.x.

Given the workaround and that these packages are only compile-time dependencies (with later versions used at runtime), we do not intend to address this.

@jviau jviau closed this as not planned Won't fix, can't repro, duplicate, stale Dec 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Needs: Attention 👋
Projects
None yet
Milestone
No milestone
6 participants
@Havunen @lzandman @patelriki13 @jviau @fowl2 @bhagyshricompany