Supplied by platform design #13634
Supplied by platform design #13634
Conversation
There was a problem hiding this comment.
It doesn't look like the spec explicitly states whether pruned packages will be downloaded at all. It would be good to explicitly never download pruned packages. Some vulnerability scanners look at the global packages folder, so this would ensure that those scanners wouldn't have false positives for pruned packages.
Apparently I only had that in the summary.
I'll add that explicitly in the rest of the spec as well. |
|
Pushed some more changes to the spec based on the feedback. |
|
|
||
| See [Prior art](#net-sdk-package-pruning) for more details on how the .NET SDK prunes packages at runtime today. | ||
| The particular pruning is based on the resulting list of shared frameworks. | ||
| The .NET SDK will provide the list at the beginning of the restore operation, as such the .NET SDK *must* only consider direct shared frameworks, and not transitive ones. |
There was a problem hiding this comment.
Honestly I've only ever seen folks complain when they get transitive shared frameworks. It's often accidental and it breaks deployment -- @dsplaisted what if the SDK encouraged people to make them direct?
IOW if the result of a restore or resolving project references changed the shared framework of the project the SDK would warn the user and ask them explicitly reference that framework.
There was a problem hiding this comment.
I'm wary of changing that behavior, because we don't know how many people we aren't hearing from who are relying on it (knowingly or not).
With respect to the supplied by platform design, I think it would probably be OK to only consider the direct framework references.
There was a problem hiding this comment.
What if we made it just a warning:
- When transitive framework was brought in after restore.
- We can see that the project has packages that overlap with that framework.
- Warn that those packages could be dropped by directly referencing the framework.
There was a problem hiding this comment.
I like that idea.
I added it in future possibilities.
|
|
||
| ### Functional explanation | ||
|
|
||
| A list of package id/versions to be pruned will be provided by the .NET SDK. The version will signify the highest version to be pruned. |
There was a problem hiding this comment.
@ericstj would these be specified by the individual targeting packs or the SDK as a whole?
There was a problem hiding this comment.
Today this information already ships in the individual targeting packs. @dsplaisted doesn't think that NuGet nor the SDK can directly consume it from here since they will not be available prior to restore, so the SDK build would need to capture them and store locally - similar to what it does with "KnownFramework" information.
However nothing should prevent other components specifying these, so long as they can specify them before restore. IOW they can come from user files and SDKs but not packages.
Prototype in https://github.com/NuGet/NuGet.Client/tree/dev-nkolev92-suppliedByPlatform
Related: NuGet/NuGet.Client#5919
To get dummy values from prototype, set
AddDummyPrunedPackageReferencestotrue.