#848 Tweak dependencies

[thompson-tomo]

Closes #848

[mtmk]

thanks @thompson-tomo i like the idea. i must ask though with this change are the applications going to get a benefit as a result of this? what I mean is that, the STJ and SIOP packages will be upgraded by the sdk building them, if used by other packages or the application itself with higher versions. would we be breaking builds or exposing the applications to security issues if the build servers still running old sdks? i know it's a simple change but i want to make sure we cover everything so that we won't break existing builds in some fashion.

[thompson-tomo]

are the applications going to get a benefit as a result of this?.... exposing the applications to security issues if the build servers still running old sdks?

This depends on how the end application is packaged:

• Self contained: if build server sdk is not maintained then yes risk is increased as the deployment bundles in the version provided by sdk. But the security risk overall is not significantly increased due to other security risks existing
• framework dependent: security risks can be addressed by updating framework on target machine ie windows update. This is because the version provided by the framework is used

would we be breaking builds

Only scenario I can foresee is where another library/app targets net 6/7, uses a feature introduced in STJ 7/8 and doesn't have either an explicit or transitive dependency for a version of STJ which includes the necessary feature.

[thompson-tomo]

Hopefully the build issue has been resolved with the latest changes.

[thompson-tomo]

@mtmk any idea why package restore is only failing on 1 os. Maybe it needs to be re-triggered?

[mtmk]

@mtmk any idea why package restore is only failing on 1 os. Maybe it needs to be re-triggered?

it's interesting it's only failing a couple of them. usually in these cases where there is an issue with build they all fail. kicked it again anyway

[thompson-tomo]

Agree @mtmk it seems very interesting and that the issue is infrastructure related given that the most recent run only failed 1 project which is now talking about an ssl verification issue. Can you give it another kick?

[mtmk]

just kicked the build again. i'm guessing something funny going on with ci workers nuget sources then when they failed. let's see.

edit: ok good. all passed this time!

[mtmk]

seeing these at the bottom of the diff tab. i wonder if that's a netstandard/ net6 issue

edit: hmm can't be netstandard. sounds like it's an AOT related warning.

[thompson-tomo]

Ok based on dotnet/runtime#58770 they look to be false warnings. Let's see if the suggestion in that issue resolves the warnings. 🤞

[thompson-tomo]

@mtmk did the last commit resolve the warnings?

[mtmk]

@mtmk did the last commit resolve the warnings?

just kicked the checks

[mtmk]

may i move this PR onto release/2.7?

[thompson-tomo]

Yes that is fine with me.

[mtmk]

LGTM thanks @thompson-tomo