Remove legacy dependency System.Security.Cryptography.Algorithms for netstandard2.1 target #223

Open
OronDF343 opened this issue Apr 19, 2023 · 7 comments

Comments

@OronDF343

The reference to System.Security.Cryptography.Algorithms should not be required for the netstandard2.1 target. In general, any System.* packages with version 4.3.x are meant for .NET Core 1.x based platforms only. I believe that this dependency can be safely removed, and will clean up the list of installed transient dependencies for modern platforms.

@dvsekhvalnov
Owner

Hey @OronDF343, thanks for the note, I'll double check.

@EraYaN

EraYaN commented Dec 5, 2024

You could also just add a target for the latest .NET LTS version in addition to .NET Standard 1.6 and 2.0 for .NET framework and older stuff.

@dvsekhvalnov
Owner

Hi @EraYaN, probably can, why not.

Curious, how can it be helpful though? Aren't netstandard2.1 packages compatible with LTS versions?

@EraYaN

EraYaN commented Dec 9, 2024

The problem is that it then includes a whole host of extra dependencies (all the 4.3.0 versions), many of which are very much out of support and insecure. You really want to use the newer standard lib. That .NET Standard 1.6.1 thing pulls in tons of stuff. So it's not only a new target, it's also cleaning the deps for that target.

@OronDF343
Author

OronDF343 commented Dec 9, 2024

This package already has a netstandard2.1 target. Specifically for this target there is a reference to System.Security.Cryptography.Algorithms here that is not necessary in netstandard2.1 as far as I know. It is required for netstandard1.x but that has a separate target with a separate list of dependencies. No need to change anything, just remove it. Unless I am missing something?

The reference to System.Security.Cryptography.Cng is also debatable whether it is useful for anything, and brings in a vulnerable package, but at least it doesn't have 10s of dependencies.

@dvsekhvalnov
Owner

dvsekhvalnov commented Dec 10, 2024

Can double check if System.Security.Cryptography.Algorithms is required. MSDN is quite confusing.

System.Security.Cryptography.Cng - yeah, not sure, I think pretty much all algs now have a managed counterpart, maybe it can be dropped. But CNG provides FIPS compliancy on the other hand, don't know about the managed parts.

@dvsekhvalnov
Owner

@OronDF343, removed System.Security.Cryptography.Algorithms, in case you want to check and see if it is better now, here is a pre-release: https://github.com/dvsekhvalnov/jose-jwt/releases/tag/v5.1.1-alpha

Still thinking about Cng package.
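
A check for the pattern discussed in this thread, as an added example that is not part of the issue or the project's own code: it scans an SDK-style .csproj for `System.*` 4.3.x package references that apply to any target other than netstandard1.x. The project file content, the function name `find_legacy_refs`, and the `System.Text.Json` entry are constructed for illustration; it assumes `Version` is given as an attribute and the file has no XML namespace.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample project file (NOT the real jose-jwt .csproj).
SAMPLE_CSPROJ = """\
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFrameworks>netstandard1.6;netstandard2.1</TargetFrameworks>
  </PropertyGroup>
  <ItemGroup Condition="'$(TargetFramework)' == 'netstandard1.6'">
    <PackageReference Include="System.Security.Cryptography.Algorithms" Version="4.3.0" />
  </ItemGroup>
  <ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.1'">
    <PackageReference Include="System.Security.Cryptography.Algorithms" Version="4.3.0" />
    <PackageReference Include="System.Text.Json" Version="8.0.5" />
  </ItemGroup>
</Project>
"""

# Extracts the target framework moniker from an ItemGroup Condition attribute.
TFM_IN_CONDITION = re.compile(r"'\$\(TargetFramework\)'\s*==\s*'([^']+)'")
# Matches 4.3, 4.3.0, 4.3.1, ... but not 4.30.0 or 4.7.0.
LEGACY_VERSION = re.compile(r"^4\.3(\.\d+)*$")
# netstandard1.x targets legitimately need the split System.* packages.
NETSTANDARD1 = re.compile(r"^netstandard1\.\d$")


def find_legacy_refs(csproj_text):
    """Return (tfm, package, version) for System.* 4.3.x refs outside netstandard1.x."""
    findings = []
    root = ET.fromstring(csproj_text)
    for group in root.iter("ItemGroup"):
        m = TFM_IN_CONDITION.search(group.get("Condition", ""))
        # An unconditioned ItemGroup applies to every target, modern ones included.
        tfm = m.group(1) if m else "(all targets)"
        if NETSTANDARD1.match(tfm):
            continue
        for ref in group.iter("PackageReference"):
            name = ref.get("Include", "")
            version = ref.get("Version", "")
            if name.startswith("System.") and LEGACY_VERSION.match(version):
                findings.append((tfm, name, version))
    return findings


if __name__ == "__main__":
    for tfm, name, version in find_legacy_refs(SAMPLE_CSPROJ):
        print(f"{tfm}: {name} {version} is a legacy 4.3.x package reference")
```
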
