From acac1dc537bed754ac93413ef45728aa814406fe Mon Sep 17 00:00:00 2001
From: torosent <17064840+torosent@users.noreply.github.com>
Date: Thu, 21 May 2026 10:50:51 -0700
Subject: [PATCH] Modernize sample dependencies, fix Dependabot alerts, drop
EOL SDK installs
Resolves all 5 open Dependabot alerts (all transitive deps in samples/),
modernizes outdated sample dependencies, and removes EOL .NET Core SDK
installs from the public PR validation pipeline.
Dependabot alerts fixed (all in samples/):
- GHSA-cmhx-cq75-c4mj System.Text.RegularExpressions 4.3.0 -> 4.3.1
- GHSA-7jgj-8wvc-jh57 System.Net.Http 4.3.0 -> 4.3.4
- GHSA-8g4q-xg66-9fp4 System.Text.Json 6.0.0 -> 10.0.8
- GHSA-rxg9-xrhp-64gj System.Drawing.Common 4.7.0 -> 6.0.0
(eliminated via WorkerService 2.21 -> 2.23 upgrade; no explicit pin)
Sample dependency modernization (Directory.Packages.props):
- Azure.Identity 1.18.0 -> 1.21.0
- Azure.Monitor.OpenTelemetry.Exporter 1.6.0 -> 1.8.1
- Microsoft.ApplicationInsights.DependencyCollector 2.12.0 -> 2.23.0
- Microsoft.ApplicationInsights.WorkerService 2.21.0 -> 2.23.0
- Microsoft.Extensions.Azure 1.7.4 -> 1.14.0
- Microsoft.Extensions.Configuration 3.1.32 -> 10.0.8
- Microsoft.Extensions.Configuration.Json 3.1.32 -> 10.0.8
- Microsoft.Extensions.Hosting 6.0.1 -> 10.0.8
- OpenTelemetry.Exporter.Console 1.1.0 -> 1.15.3
- OpenTelemetry.Exporter.Zipkin (deprecated) replaced by
OpenTelemetry.Exporter.OpenTelemetryProtocol 1.15.3
- System.Text.Json 10.0.3 -> 10.0.8
- Vio.DurableTask.Hosting 2.2.1 -> 2.2.17
- ncrontab (net48) 1.0.0 -> 3.4.0
Code changes:
- OpenTelemetrySample/Program.cs: migrate deprecated AddZipkinExporter
to AddOtlpExporter.
- Correlation.Samples/TelemetryActivator.cs: migrate from obsolete
TelemetryConfiguration.InstrumentationKey to ConnectionString
(APPLICATIONINSIGHTS_CONNECTION_STRING) with backward-compat fallback
to the legacy APPINSIGHTS_INSTRUMENTATIONKEY env var.
CI fix (eng/templates/build-steps.yml):
- Remove the .NET Core 2.1 and 3.1 SDK install steps. Both runtimes are
long EOL (2021 and 2022); no project in the repo targets netcoreapp2.x
or netcoreapp3.x, and the 2.1 release-index endpoint has become
unreliable, causing intermittent TLS failures that fail the entire PR
validation pipeline (e.g., build #279849 'DTFxCoreValidate Validate 11').
Builds use VSBuild/MSBuild and the only SDK actually required is .NET 8
for the net8.0 test targets.
Intentionally not modernized:
- Microsoft.Azure.DurableTask.AzureStorage 1.17.3 in ManagedIdentity v1.x
(educational pin to demonstrate v1.x usage).
- EnterpriseLibrary.SemanticLogging, CommandLineParser 1.x in
DurableTask.Samples (abandoned / breaking API changes).
- Microsoft.ApplicationInsights 2.x -> 3.x (major version, out of scope).
Verified: all 6 sample projects, all 4 src libraries, and all 3 test
projects build with 0 warnings and 0 errors. 'dotnet list package
--include-transitive' confirms no vulnerable transitive versions remain
in any sample's resolved graph.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
Directory.Packages.props | 26 +++++++++----------
eng/templates/build-steps.yml | 13 ----------
.../Correlation.Samples.csproj | 2 ++
.../Correlation.Samples/TelemetryActivator.cs | 16 +++++++++++-
.../ApplicationInsightsSample.csproj | 3 ++-
.../OpenTelemetry/OpenTelemetrySample.csproj | 2 +-
.../OpenTelemetry/Program.cs | 2 +-
.../ManagedIdentity.AzStorageV1.csproj | 3 +++
8 files changed, 37 insertions(+), 30 deletions(-)
diff --git a/Directory.Packages.props b/Directory.Packages.props
index 647e09884..f088054dc 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -48,7 +48,7 @@
-
+
@@ -62,7 +62,7 @@
-
+
@@ -90,17 +90,17 @@
-
-
-
+
+
+
-
-
-
-
-
-
-
+
+
+
+
+
+
+
@@ -118,7 +118,7 @@
-
+
\ No newline at end of file
diff --git a/eng/templates/build-steps.yml b/eng/templates/build-steps.yml
index cb6300182..cdfaea8fe 100644
--- a/eng/templates/build-steps.yml
+++ b/eng/templates/build-steps.yml
@@ -11,19 +11,6 @@ steps:
# Start by restoring all the dependencies. This needs to be its own task
# from what I can tell. We specifically only target DurableTask.AzureStorage
# and its direct dependencies.
-# Configure all the .NET SDK versions we need
-- task: UseDotNet@2
- displayName: 'Use the .NET Core 2.1 SDK (required for build signing)'
- inputs:
- packageType: 'sdk'
- version: '2.1.x'
-
-- task: UseDotNet@2
- displayName: 'Use the .NET Core 3.1 SDK'
- inputs:
- packageType: 'sdk'
- version: '3.1.x'
-
- task: UseDotNet@2
displayName: 'Use the .NET 8 SDK'
inputs:
diff --git a/samples/Correlation.Samples/Correlation.Samples.csproj b/samples/Correlation.Samples/Correlation.Samples.csproj
index 81757ac8b..03d080a03 100644
--- a/samples/Correlation.Samples/Correlation.Samples.csproj
+++ b/samples/Correlation.Samples/Correlation.Samples.csproj
@@ -21,6 +21,8 @@
+
+
Always
diff --git a/samples/Correlation.Samples/TelemetryActivator.cs b/samples/Correlation.Samples/TelemetryActivator.cs
index 176c915d6..a51905da0 100644
--- a/samples/Correlation.Samples/TelemetryActivator.cs
+++ b/samples/Correlation.Samples/TelemetryActivator.cs
@@ -69,7 +69,21 @@ void SetUpTelemetryClient()
telemetryInitializer.ExcludeComponentCorrelationHttpHeadersOnDomains.Add("127.0.0.1");
config.TelemetryInitializers.Add(telemetryInitializer);
- config.InstrumentationKey = Environment.GetEnvironmentVariable("APPINSIGHTS_INSTRUMENTATIONKEY");
+ string connectionString = Environment.GetEnvironmentVariable("APPLICATIONINSIGHTS_CONNECTION_STRING");
+ if (!string.IsNullOrEmpty(connectionString))
+ {
+ config.ConnectionString = connectionString;
+ }
+ else
+ {
+ string instrumentationKey = Environment.GetEnvironmentVariable("APPINSIGHTS_INSTRUMENTATIONKEY");
+ if (!string.IsNullOrEmpty(instrumentationKey))
+ {
+#pragma warning disable CS0618 // InstrumentationKey is obsolete; kept for backward compatibility.
+ config.InstrumentationKey = instrumentationKey;
+#pragma warning restore CS0618
+ }
+ }
module.Initialize(config);
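Review bot: The new fallback has no branch for the case where both `APPLICATIONINSIGHTS_CONNECTION_STRING` and `APPINSIGHTS_INSTRUMENTATIONKEY` are unset or empty, so `module.Initialize(config)` runs with no ingestion target and, presumably, the sample drops telemetry without any diagnostic. I would add a final `else` on the inner `if` that reports the misconfiguration without echoing any value, e.g. `Console.Error.WriteLine("Application Insights is not configured; set APPLICATIONINSIGHTS_CONNECTION_STRING.");`. Separately, `string.IsNullOrEmpty` lets a whitespace-only variable reach the `ConnectionString` setter, which may reject it at startup (not verifiable from this hunk); `!string.IsNullOrWhiteSpace(connectionString)` avoids that and makes the fallback to the legacy key apply in that case too. SetUpTelemetryClient starts and ends outside the hunk.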
diff --git a/samples/DistributedTraceSample/ApplicationInsights/ApplicationInsightsSample.csproj b/samples/DistributedTraceSample/ApplicationInsights/ApplicationInsightsSample.csproj
index 160690471..ea56695ae 100644
--- a/samples/DistributedTraceSample/ApplicationInsights/ApplicationInsightsSample.csproj
+++ b/samples/DistributedTraceSample/ApplicationInsights/ApplicationInsightsSample.csproj
@@ -9,10 +9,11 @@
-
+
+
diff --git a/samples/DistributedTraceSample/OpenTelemetry/OpenTelemetrySample.csproj b/samples/DistributedTraceSample/OpenTelemetry/OpenTelemetrySample.csproj
index 5a7d3e2f2..5097ce075 100644
--- a/samples/DistributedTraceSample/OpenTelemetry/OpenTelemetrySample.csproj
+++ b/samples/DistributedTraceSample/OpenTelemetry/OpenTelemetrySample.csproj
@@ -9,7 +9,7 @@
-
+
diff --git a/samples/DistributedTraceSample/OpenTelemetry/Program.cs b/samples/DistributedTraceSample/OpenTelemetry/Program.cs
index 2235fb180..d081192dd 100644
--- a/samples/DistributedTraceSample/OpenTelemetry/Program.cs
+++ b/samples/DistributedTraceSample/OpenTelemetry/Program.cs
@@ -31,7 +31,7 @@ static async Task Main(string[] args)
.SetResourceBuilder(ResourceBuilder.CreateDefault().AddService("MySample"))
.AddSource("DurableTask.Core")
.AddConsoleExporter()
- .AddZipkinExporter()
+ .AddOtlpExporter()
.AddAzureMonitorTraceExporter(options =>
{
options.ConnectionString = Environment.GetEnvironmentVariable("AZURE_MONITOR_CONNECTION_STRING");
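Review bot: `.AddOtlpExporter()` is called with no options and no comment, so a reader cannot tell where spans are sent after the switch from Zipkin. Unless overridden (for example through `OTEL_EXPORTER_OTLP_ENDPOINT`), the exporter targets a collector on localhost over plain HTTP, and anyone who ran the sample against a Zipkin collector now needs an OTLP-capable one. I would add a comment above the call such as `// Exports to the default local OTLP endpoint; set OTEL_EXPORTER_OTLP_ENDPOINT (https for a remote collector) to change it.` The lambda passed to AddAzureMonitorTraceExporter and the rest of Main continue outside the hunk.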
diff --git a/samples/ManagedIdentitySample/DTFx.AzureStorage v1.x/ManagedIdentity.AzStorageV1.csproj b/samples/ManagedIdentitySample/DTFx.AzureStorage v1.x/ManagedIdentity.AzStorageV1.csproj
index cdb974eb9..9a8d130c2 100644
--- a/samples/ManagedIdentitySample/DTFx.AzureStorage v1.x/ManagedIdentity.AzStorageV1.csproj
+++ b/samples/ManagedIdentitySample/DTFx.AzureStorage v1.x/ManagedIdentity.AzStorageV1.csproj
@@ -14,6 +14,9 @@
+
+
+