Upgrade 3 ASP.NET Core AdvancedSearch samples to net8.0 #44
devin-ai-integration[bot] wants to merge 4 commits into
Conversation
- Blazor, React, Vue3 AdvancedSearch projects: net6.0 -> net8.0
- EF Core (Sqlite/SqlServer/Diagnostics) 6.0.1 -> 8.0.8
- Microsoft.Data.SqlClient 2.1.7 -> 5.2.0
- Bump IdentityModel JsonWebTokens/Tokens.Jwt 6.34.0 -> 6.35.0 to satisfy SqlClient 5.2.0
- Vue3: SpaProxy 6.*-* -> 8.*-*, drop unused SpaServices.Extensions
- React: keep SpaServices.Extensions (bumped to 8.0.8) since Startup uses UseSpa/ReactDevelopmentServer

Co-Authored-By: Ian Moritz <ian.moritz@cognition.ai>
Adds explicit PackageReferences (Azure.Identity 1.11.4, Microsoft.Identity.Client 4.61.3, Microsoft.Extensions.Caching.Memory 8.0.8, System.Runtime.Caching 8.0.1 / System.Formats.Asn1 8.0.1, System.Text.Json 8.0.5) to override vulnerable transitive versions pulled in by Microsoft.Data.SqlClient 5.2.0 and EF Core 8. All 3 projects now report 0 Snyk vulnerable paths (master had 2 pre-existing high-severity issues).

Co-Authored-By: Ian Moritz <ian.moritz@cognition.ai>
…rsions

Snyk's PR/SCM scanner parses .csproj without restore and did not honor the direct transitive pins. Committing packages.lock.json captures the unified resolved versions (Azure.Identity 1.11.4, Microsoft.Identity.Client 4.61.3, System.Text.Json 8.0.5, etc.) so the scan reports the patched closure.

Co-Authored-By: Ian Moritz <ian.moritz@cognition.ai>
Snyk's SCM PR check does not honor the lock files (it scans .csproj without restore), so they had no effect on CI and added repo inconsistency. The direct transitive pins are authoritative and keep Snyk's own engine at 0 issues.

Co-Authored-By: Ian Moritz <ian.moritz@cognition.ai>
| <ItemGroup> | ||
| <!-- Transitive dependency pins to address Snyk-reported vulnerabilities pulled in via Microsoft.Data.SqlClient / EF Core 8 --> | ||
| <PackageReference Include="Azure.Identity" Version="1.11.4" /> | ||
| <PackageReference Include="Microsoft.Identity.Client" Version="4.61.3" /> | ||
| <PackageReference Include="Microsoft.Extensions.Caching.Memory" Version="8.0.8" /> | ||
| <PackageReference Include="System.Runtime.Caching" Version="8.0.1" /> | ||
| <PackageReference Include="System.Text.Json" Version="8.0.5" /> |
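Review bot: the XML comment above these pins says they address Snyk-reported vulnerabilities but records neither which advisories nor why these exact versions (Azure.Identity 1.11.4, Microsoft.Identity.Client 4.61.3, Microsoft.Extensions.Caching.Memory 8.0.8, System.Runtime.Caching 8.0.1, System.Text.Json 8.0.5) are the floors, so a later maintainer cannot tell when a pin is safe to retire once Microsoft.Data.SqlClient or EF Core raise their own minimums. Suggest extending the comment with the advisory identifier or the minimum fixed version each pin targets, e.g. `<!-- Azure.Identity >= 1.11.4: fixes <advisory>; transitive via Microsoft.Data.SqlClient 5.2.0 -->`, and keeping the pins in this separate ItemGroup so they stay visibly distinct from the functional references.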
🚩 Transitive pins only affect Snyk if the project is restored/resolved
The added direct references to Azure.Identity, Microsoft.Identity.Client, Microsoft.Extensions.Caching.Memory, System.Runtime.Caching/System.Formats.Asn1, and System.Text.Json are intended to override transitive versions for vulnerability scanning. Since this PR also removed previously-added NuGet lock files in the branch history, SCM-only scanners that do not perform a NuGet restore may still not observe the resolved transitive graph; this depends on the scanner configuration rather than the project code itself, so I did not flag it as a code bug.
| <PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="6.0.1" /> | ||
| <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="6.0.1" /> | ||
| <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="6.34.0" /> | ||
| <PackageReference Include="Microsoft.AspNetCore.SpaServices.Extensions" Version="8.0.8" /> |
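Review bot: Microsoft.AspNetCore.SpaServices.Extensions 8.0.8 is kept here because Startup.cs still calls UseSpa/UseReactDevelopmentServer, and that file is not in the hunk; since UseReactDevelopmentServer launches a Node development server and proxies requests to it, please confirm in the PR description that those calls remain inside an `env.IsDevelopment()` guard in Startup.cs, so the retargeted sample does not try to start the dev server when published. A one-line note on that is enough; the retargeting itself is otherwise consistent with the commit message.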
🚩 React remains on the legacy SpaServices development-server path
The React project was retargeted to net8.0 but still references Microsoft.AspNetCore.SpaServices.Extensions and Startup.cs continues to call UseSpa/UseReactDevelopmentServer (AspNetCore/React/AdvancedSearch/Startup.cs:108-114). That is consistent with the current code and not an immediate bug from this diff, but it differs from sibling net8 SPA samples that use SpaProxy metadata, so maintainers may want to confirm this is the intended dev-server approach for the React sample.
Summary
Upgrades the first 3 ASP.NET Core AdvancedSearch sample projects from net6.0 to net8.0 and bumps their NuGet refs to .NET 8-compatible versions. All 3 build clean against the .NET 8 SDK (8.0.421). No code changes were needed — Program.cs/Startup.cs use no APIs removed in .NET 8.

Projects:
- AspNetCore/Blazor/AdvancedSearch.BlazorServer/EqDemo.BlazorServer.AdvancedSearch.csproj
- AspNetCore/React/AdvancedSearch/EqDemo.AspNetCoreReact.AdvancedSearch.csproj
- AspNetCore/Vue3/AdvancedSearch.Server/AdvancedSearch.Server.csproj

Package changes (all 3)
- Microsoft.EntityFrameworkCore.Sqlite / .SqlServer / .Diagnostics.EntityFrameworkCore
- Microsoft.Data.SqlClient
- Microsoft.IdentityModel.JsonWebTokens / System.IdentityModel.Tokens.Jwt

The IdentityModel bump (6.34.0 → 6.35.0) is required: Microsoft.Data.SqlClient 5.2.0 transitively depends on IdentityModel ≥ 6.35.0, which otherwise triggers an NU1605 package-downgrade error.

Per-project notes
- Vue3: Microsoft.AspNetCore.SpaProxy 6.*-* → 8.*-*; removed the unused Microsoft.AspNetCore.SpaServices.Extensions (its usages in Startup.cs are all commented out and SpaProxy is already present).
- React: kept Microsoft.AspNetCore.SpaServices.Extensions (bumped 6.0.1 → 8.0.8) instead of replacing it with SpaProxy. Startup.cs actively uses UseSpa, UseSpaStaticFiles, AddSpaStaticFiles, and ReactDevelopmentServer, which SpaProxy does not provide — replacing the package would break the build. SpaServices.Extensions remains supported on .NET 8.
- Korzh.EasyQuery 7.4.0 packages left unchanged (compatible with .NET 8).

Transitive security pins
The .NET 8 package versions pull in vulnerable transitive dependencies (e.g. Microsoft.Data.SqlClient@5.2.0 → Azure.Identity@1.10.3 / Microsoft.Identity.Client@4.56.0). To keep the dependency closure clean, each project now pins the affected transitives to patched versions (per the NU1605 "reference the package directly" guidance):
- Azure.Identity
- Microsoft.Identity.Client
- Microsoft.Extensions.Caching.Memory
- System.Runtime.Caching (Blazor, React)
- System.Formats.Asn1 (Vue3)
- System.Text.Json

After these pins, Snyk's CLI (snyk test) reports ok: true, 0 vulnerable paths for all 3 projects — an improvement over master, which already had 2 high-severity issues.

CI note
The security/snyk and license/snyk SCM PR checks remain red. This is a pre-existing, repo-wide condition — every open PR fails them (e.g. #42 "15 tests failed", #40 "17 tests failed"). The SCM scanner parses .csproj without running dotnet restore and does not honor the direct transitive pins or NuGet lock files, so it reports the original transitive versions regardless. Snyk's own engine (CLI, which resolves the real graph) confirms these 3 projects are clean.

Scope is limited to these 3 .csproj files; no other projects were touched.

Link to Devin session: https://app.devin.ai/sessions/b2a23786f68d4542a3090609bd186bfb
Requested by: @iancmoritz
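The CI note above turns on one distinction: a scanner that reads the .csproj without a restore sees only the direct PackageReferences, while the versions that actually ship are the ones NuGet resolves into the restored graph (the same data packages.lock.json records). The script below is an added example, not code from this PR or from the EasyQuery repository. It parses a constructed .csproj and two constructed packages.lock.json excerpts (shaped like NuGet's v1 lock format, with contentHash omitted), compares every resolved version against the minimum fixed versions the PR pins (Azure.Identity 1.11.4, Microsoft.Identity.Client 4.61.3, System.Text.Json 8.0.5), and shows that the pre-pin graph fails the check while the pinned graph passes. The version ordering follows NuGet's rules (a release sorts above a prerelease of the same number); the sample package graph is illustrative, not a real SqlClient dependency tree.

```python
"""Audit a restored NuGet graph against minimum patched versions.

Added example (not part of the PR or the repository). Contrasts what a
csproj-only scan can see (direct PackageReferences) with what the restored
graph in packages.lock.json resolves, and flags packages below a floor.
"""
import json
import re
import xml.etree.ElementTree as ET

# Minimum fixed versions, taken from the pins the PR description lists.
FLOORS = {
    "Azure.Identity": "1.11.4",
    "Microsoft.Identity.Client": "4.61.3",
    "System.Text.Json": "8.0.5",
}

# Constructed csproj: a csproj-only scan sees nothing but this direct reference.
CSPROJ_BEFORE = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup><TargetFramework>net8.0</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.Data.SqlClient" Version="5.2.0" />
  </ItemGroup>
</Project>"""

# Constructed packages.lock.json excerpts (v1 shape, contentHash omitted).
# The dependency edges below are illustrative, not SqlClient's real graph.
LOCK_BEFORE = json.dumps({"version": 1, "dependencies": {"net8.0": {
    "Microsoft.Data.SqlClient": {"type": "Direct", "requested": "[5.2.0, )",
        "resolved": "5.2.0",
        "dependencies": {"Azure.Identity": "1.10.3", "System.Text.Json": "6.0.0"}},
    "Azure.Identity": {"type": "Transitive", "resolved": "1.10.3",
        "dependencies": {"Microsoft.Identity.Client": "4.56.0"}},
    "Microsoft.Identity.Client": {"type": "Transitive", "resolved": "4.56.0"},
    "System.Text.Json": {"type": "Transitive", "resolved": "6.0.0"},
}}})
LOCK_AFTER = json.dumps({"version": 1, "dependencies": {"net8.0": {
    "Microsoft.Data.SqlClient": {"type": "Direct", "requested": "[5.2.0, )",
        "resolved": "5.2.0",
        "dependencies": {"Azure.Identity": "1.10.3", "System.Text.Json": "6.0.0"}},
    "Azure.Identity": {"type": "Direct", "requested": "[1.11.4, )",
        "resolved": "1.11.4",
        "dependencies": {"Microsoft.Identity.Client": "4.56.0"}},
    "Microsoft.Identity.Client": {"type": "Direct", "requested": "[4.61.3, )",
        "resolved": "4.61.3"},
    "System.Text.Json": {"type": "Direct", "requested": "[8.0.5, )",
        "resolved": "8.0.5"},
}}})

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+){0,3})(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$")


def parse_version(text):
    """Sortable key for a NuGet version string.

    Numeric parts are padded to four components. A release version sorts above
    a prerelease with the same number (flag 1 vs 0); prerelease identifiers
    compare numerically when all digits, otherwise lexically (numeric < alpha).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    pre = m.group(2)
    if pre is None:
        return (tuple(nums), 1, ())
    ids = tuple((0, int(i), "") if i.isdigit() else (1, 0, i) for i in pre.split("."))
    return (tuple(nums), 0, ids)


def direct_refs(csproj_xml):
    """Direct PackageReferences only: all a scanner gets without a restore."""
    root = ET.fromstring(csproj_xml)
    return {el.get("Include"): el.get("Version")
            for el in root.iter("PackageReference") if el.get("Include")}


def resolved_graph(lock_json):
    """Resolved version of every package, per target framework, from a lock file."""
    data = json.loads(lock_json)
    if data.get("version") != 1:
        raise ValueError("unsupported packages.lock.json version")
    return {tfm: {name: entry["resolved"]
                  for name, entry in deps.items() if "resolved" in entry}  # skip Project refs
            for tfm, deps in data["dependencies"].items()}


def audit(resolved, floors):
    """Return (tfm, package, resolved, floor) for each resolved version below its floor."""
    findings = []
    for tfm, pkgs in resolved.items():
        for name, floor in floors.items():
            got = pkgs.get(name)
            if got is not None and parse_version(got) < parse_version(floor):
                findings.append((tfm, name, got, floor))
    return findings


if __name__ == "__main__":
    print("csproj-only view:", direct_refs(CSPROJ_BEFORE))
    for label, lock in (("before pins", LOCK_BEFORE), ("after pins", LOCK_AFTER)):
        findings = audit(resolved_graph(lock), FLOORS)
        print(f"{label}: {findings or '0 packages below floor'}")
```

Run it as a script to see the csproj-only view (one package, no transitives) next to the two graph audits; in CI the same `audit` call can run over the real `packages.lock.json` after `dotnet restore --locked-mode`, which is the step the SCM scanner in the CI note skips.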
Devin Review
afb19e3