You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
While fixing #477 (samples/datasync-server), the sample's build was found to be broken on main due to package version drift: the sample explicitly pinned Microsoft.AspNetCore.OpenApi/Microsoft.EntityFrameworkCore.SqlServer/Microsoft.EntityFrameworkCore.Tools at 10.0.3, while the repo's centrally-managed DotNetVersion (Directory.Packages.props) had since moved to 10.0.9. Resolving that surfaced a further transitive assembly-version conflict on Microsoft.OData.Core/Microsoft.OData.Edm (needed pinning to 8.4.3 to match ODataVersion/the existing Microsoft.Spatial pin in CommunityToolkit.Datasync.Server.Abstractions). See #488 for the fix applied to that one sample.
Since samples/Directory.Packages.props turns off Central Package Management for all samples (ManagePackageVersionsCentrally=false), each sample pins its own package versions independently and can silently drift out of sync with the rest of the repo (and with each other) whenever Directory.Packages.props bumps a shared version like DotNetVersion or ODataVersion. A couple of other examples spotted during a quick pass (not exhaustive):
samples/todoapp-mvc/TodoApp.Service/TodoApp.Service.csproj: CommunityToolkit.Datasync.Server* is pinned at 10.1.0, but Microsoft.EntityFrameworkCore.SqlServer is still pinned at 10.0.3.
samples/todoapp-blazor-wasm/TodoApp.BlazorWasm.Server/TodoApp.BlazorWasm.Server.csproj: still references CommunityToolkit.Datasync.Server(.EntityFrameworkCore)10.0.0 (predates the UnsafeEntityLogging option added in 10.1.0/SECURITY: Add TableOptions flag for unsafe entity logging #446) and pins EF Core / ASP.NET Core packages at 10.0.3.
Ask
Audit every sample project under samples/ (datasync-server, datasync-server-cosmosdb-singlecontainer, todoapp, todoapp-mvc, todoapp-tutorial, todoapp-blazor-wasm, and any client platform samples) for:
Explicit PackageReference versions that have drifted from the repo's centrally-managed versions (DotNetVersion, ODataVersion in root Directory.Packages.props) or from the latest published CommunityToolkit.Datasync.* NuGet versions.
Any sample that fails to restore/build cleanly as a result (dotnet build per sample).
Decide on (and document) a strategy to prevent this drift going forward — e.g. a scheduled CI job that builds every sample on a cadence, re-enabling Central Package Management for samples with an explicit override list, or a lightweight script/CI check that diffs sample package versions against Directory.Packages.props.
Separately, identify and action the NU1903 high-severity vulnerability advisory warnings currently emitted during restore across src/tests (and likely some samples):
Microsoft.OpenApi 2.0.0 — GHSA-v5pm-xwqc-g5wc (pulled in transitively, likely via NSwag/Swashbuckle/OpenApi tooling).
SQLitePCLRaw.lib.e_sqlite3 2.1.11 — GHSA-2m69-gcr7-jv3q (pulled in transitively, likely via the LiteDb/SQLite test dependencies).
For each, determine whether a newer, non-vulnerable version is available and pin/upgrade it (directly or via a transitive pinning override in Directory.Packages.props), or document why the warning is a false positive / acceptable risk for this repo.
Acceptance criteria
Every sample project builds cleanly (dotnet build) against the current Directory.Packages.props versions and the latest published CommunityToolkit.Datasync.* packages.
A documented mechanism (CI check, script, or process) exists to catch future version drift in samples before it reaches main.
The NU1903 advisories for Microsoft.OpenApi and SQLitePCLRaw.lib.e_sqlite3 are resolved (upgraded/pinned) or explicitly triaged and documented as accepted risk.
Summary
While fixing #477 (
samples/datasync-server), the sample's build was found to be broken onmaindue to package version drift: the sample explicitly pinnedMicrosoft.AspNetCore.OpenApi/Microsoft.EntityFrameworkCore.SqlServer/Microsoft.EntityFrameworkCore.Toolsat10.0.3, while the repo's centrally-managedDotNetVersion(Directory.Packages.props) had since moved to10.0.9. Resolving that surfaced a further transitive assembly-version conflict onMicrosoft.OData.Core/Microsoft.OData.Edm(needed pinning to8.4.3to matchODataVersion/the existingMicrosoft.Spatialpin inCommunityToolkit.Datasync.Server.Abstractions). See #488 for the fix applied to that one sample.Since
samples/Directory.Packages.propsturns off Central Package Management for all samples (ManagePackageVersionsCentrally=false), each sample pins its own package versions independently and can silently drift out of sync with the rest of the repo (and with each other) wheneverDirectory.Packages.propsbumps a shared version likeDotNetVersionorODataVersion. A couple of other examples spotted during a quick pass (not exhaustive):samples/todoapp-mvc/TodoApp.Service/TodoApp.Service.csproj:CommunityToolkit.Datasync.Server*is pinned at10.1.0, butMicrosoft.EntityFrameworkCore.SqlServeris still pinned at10.0.3.samples/todoapp-blazor-wasm/TodoApp.BlazorWasm.Server/TodoApp.BlazorWasm.Server.csproj: still referencesCommunityToolkit.Datasync.Server(.EntityFrameworkCore)10.0.0(predates theUnsafeEntityLoggingoption added in 10.1.0/SECURITY: Add TableOptions flag for unsafe entity logging #446) and pins EF Core / ASP.NET Core packages at10.0.3.Ask
samples/(datasync-server,datasync-server-cosmosdb-singlecontainer,todoapp,todoapp-mvc,todoapp-tutorial,todoapp-blazor-wasm, and any client platform samples) for:PackageReferenceversions that have drifted from the repo's centrally-managed versions (DotNetVersion,ODataVersionin rootDirectory.Packages.props) or from the latest publishedCommunityToolkit.Datasync.*NuGet versions.dotnet buildper sample).Directory.Packages.props.NU1903high-severity vulnerability advisory warnings currently emitted during restore acrosssrc/tests(and likely some samples):Microsoft.OpenApi2.0.0 — GHSA-v5pm-xwqc-g5wc (pulled in transitively, likely via NSwag/Swashbuckle/OpenApi tooling).SQLitePCLRaw.lib.e_sqlite32.1.11 — GHSA-2m69-gcr7-jv3q (pulled in transitively, likely via the LiteDb/SQLite test dependencies).For each, determine whether a newer, non-vulnerable version is available and pin/upgrade it (directly or via a transitive pinning override in
Directory.Packages.props), or document why the warning is a false positive / acceptable risk for this repo.Acceptance criteria
dotnet build) against the currentDirectory.Packages.propsversions and the latest publishedCommunityToolkit.Datasync.*packages.main.NU1903advisories forMicrosoft.OpenApiandSQLitePCLRaw.lib.e_sqlite3are resolved (upgraded/pinned) or explicitly triaged and documented as accepted risk.Related
samples/datasync-serverspecifically.UnsafeEntityLogging(SECURITY: Add TableOptions flag for unsafe entity logging #446) that did not touch this broader package-drift problem.