Investigate why transitive dependencies are leaking #1113

Closed
kevinchalet opened this issue Oct 3, 2020 · 6 comments · Fixed by #1130

@kevinchalet
Member

kevinchalet commented Oct 3, 2020

For reasons I ignore, something regressed in beta4/5 that caused transitive dependencies to leak across packages.
It shouldn't cause any technical issue, but it adds unnecessary/unwanted noise in the package dependencies:

https://github.com/openiddict/openiddict-core/blob/dev/src/OpenIddict.AspNetCore/OpenIddict.AspNetCore.csproj
https://www.nuget.org/packages/OpenIddict.AspNetCore/3.0.0-beta5.20503.76

Beta4:

image

Beta3:

image

@kevinchalet kevinchalet added this to the 3.0.0-beta6 milestone Oct 3, 2020
@kevinchalet kevinchalet self-assigned this Oct 3, 2020
@kevinchalet
Member Author

Potential culprits:

  • .NET SDK 5.0 RC1.
  • snupkgs, that we enabled recently.
  • CPVM.

@kevinchalet
Member Author

The NuGet team confirmed this is caused by CPVM: NuGet/Home#10115.

@kevinchalet
Member Author

The NuGet team doesn't plan to change this behavior in 5.0 RTM and it's not clear when they'll be able to introduce a switch to opt out of this unwanted behavior. As such, we'll need to remove CPVM.

@martincostello I'm afraid we'll also have to do that in the aspnet-contrib repos... 😭

@martincostello
Contributor

How much of an issue is this in the other repos with minimum dependencies? For example, MyGet only shows this for the Apple provider for 5.0 RC2:

image

@kevinchalet
Member Author

Hum yeah, good point. It looks like we don't have <PackageVersion>s for the transitive dependencies referenced by the IM packages we depend on, so it's much less visible in the OAuth/OpenID 2.0 repos than here (in another project, we now have up to 44 direct references compared to 7 before this change 🤣).

@kevinchalet
Member Author

@martincostello we can get a similar centralized management experience by using <PackageReference Update />: #1130. Thoughts?
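
An added example, not part of the original thread or of the OpenIddict code base: a check that compares the direct PackageReference Include items of a project file with the dependency groups of the packed .nuspec and reports the ids that leaked in per target framework. The package ids, the CSPROJ and NUSPEC samples and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (assumptions, not taken from the OpenIddict repository).
CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Example.Direct.A" />
    <PackageReference Include="Example.Direct.B" />
  </ItemGroup>
</Project>"""

NUSPEC = """<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <dependencies>
      <group targetFramework=".NETCoreApp3.1">
        <dependency id="Example.Direct.A" version="1.0.0" />
        <dependency id="Example.Direct.B" version="2.0.0" />
        <dependency id="Example.Transitive.C" version="3.0.0" />
      </group>
      <group targetFramework=".NETStandard2.0">
        <dependency id="Example.Direct.A" version="1.0.0" />
        <dependency id="Example.Transitive.D" version="4.0.0" />
      </group>
    </dependencies>
  </metadata>
</package>"""

def local(tag):
    """Strip the XML namespace so the nuspec schema version does not matter."""
    return tag.rsplit("}", 1)[-1]

def direct_references(csproj_xml):
    """Lower-cased ids the project references directly (Include, not Update)."""
    return {e.get("Include").lower() for e in ET.fromstring(csproj_xml).iter()
            if local(e.tag) == "PackageReference" and e.get("Include")}

def leaked_dependencies(csproj_xml, nuspec_xml):
    """Map each target framework to nuspec dependency ids absent from the csproj."""
    direct = direct_references(csproj_xml)
    leaks = {}
    for group in ET.fromstring(nuspec_xml).iter():
        if local(group.tag) != "group":
            continue
        extra = sorted(d.get("id") for d in group
                       if local(d.tag) == "dependency"
                       and d.get("id").lower() not in direct)
        if extra:
            leaks[group.get("targetFramework")] = extra
    return leaks

print(leaked_dependencies(CSPROJ, NUSPEC))
```

Package ids are compared case-insensitively, and an empty result means the packed dependency list matches the project's direct references.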
