Skip to content
This repository has been archived by the owner on Nov 19, 2024. It is now read-only.

Update wilson and framework dependencies #92

Merged
merged 4 commits into from
Apr 19, 2024
Merged

Conversation

josephdecock
Copy link
Member

This relaxes our dependencies on the wilson and framework dependencies.

Our priorities:

  1. Avoid depending on a version that has a known security vulnerability
  2. Avoid depending on a version that has a transitive dependency on a vulnerability
  3. Use the same wilson version as the asp.net oidc handler
  4. Depend on the minimum patch version that accomplishes that

Also, while here I'm updating the net6.0 build, we may (probably will) drop support for that in the 3.0 release.

We want to match our requirements with the oidc handler in asp.net. As of today, the latest version is 8.0.3, which depends on wilson >= 7.1.2

https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.OpenIdConnect/8.0.3#dependencies-body-tab
6.0.26 of the asp.net packages was the first version to depend on wilson 6.35.0.
We want wilson 6.35 because it contains security fixes. We don't depend on anything more recent than that, so we can keep our requirements as relaxed possible beyond that.
We take the earliest version that doesn't have a known security vulnerability, so we go with 8.0.1 to ensure that our transitive dependency on the wilson JWT library is at least 7.1.2.
@josephdecock josephdecock requested a review from brockallen April 19, 2024 14:39
@josephdecock josephdecock added the dependencies Pull requests that update a dependency file label Apr 19, 2024
@josephdecock josephdecock added this to the 3.0.0 milestone Apr 19, 2024
@josephdecock josephdecock linked an issue Apr 19, 2024 that may be closed by this pull request
IdentityServer depends on version 8.0.3 of the oidc auth handler, while
we only use 8.0.1. This is normally fine, but if we explicitly take a
dependency on both the handler at version 8.0.1 and identity server,
then our explicit dependency is a downgrade of what identity server
wants, producing a warning. We don't actually need the explicit
dependency, and removing it fixes the build.
@brockallen brockallen merged commit 438c54d into main Apr 19, 2024
5 checks passed
@brockallen brockallen deleted the joe/dependencies branch April 19, 2024 16:51
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Update dependencies for the 3.0 release
2 participants