Update wilson and framework dependencies #92

Merged
merged 4 commits into from
Apr 19, 2024

Conversation

josephdecock
Member

This relaxes our dependencies on the wilson and framework dependencies.

Our priorities:

  1. Avoid depending on a version that has a known security vulnerability
  2. Avoid depending on a version that has a transitive dependency on a vulnerability
  3. Use the same wilson version as the asp.net oidc handler
  4. Depend on the minimum patch version that accomplishes that

Also, while here, I'm updating the net6.0 build; we may (probably will) drop support for that in the 3.0 release.

We want to match our requirements with the oidc handler in asp.net. As of today, the latest version is 8.0.3, which depends on wilson >= 7.1.2:

https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.OpenIdConnect/8.0.3#dependencies-body-tab

6.0.26 of the asp.net packages was the first version to depend on wilson 6.35.0. We want wilson 6.35 because it contains security fixes. We don't depend on anything more recent than that, so we can keep our requirements as relaxed as possible beyond that.

We take the earliest version that doesn't have a known security vulnerability, so we go with 8.0.1 to ensure that our transitive dependency on the wilson JWT library is at least 7.1.2.
@josephdecock josephdecock added the dependencies Pull requests that update a dependency file label Apr 19, 2024
@josephdecock josephdecock added this to the 3.0.0 milestone Apr 19, 2024
@josephdecock josephdecock linked an issue Apr 19, 2024 that may be closed by this pull request
IdentityServer depends on version 8.0.3 of the oidc auth handler, while
we only use 8.0.1. This is normally fine, but if we explicitly take a
dependency on both the handler at version 8.0.1 and identity server,
then our explicit dependency is a downgrade of what identity server
wants, producing a warning. We don't actually need the explicit
dependency, and removing it fixes the build.
@brockallen brockallen merged commit 438c54d into main Apr 19, 2024
5 checks passed
@brockallen brockallen deleted the joe/dependencies branch April 19, 2024 16:51
Successfully merging this pull request may close these issues.

Update dependencies for the 3.0 release