Deprecated package used by System.Security.Cryptography.Cng #93577
Comments
ghost
added
the
|
Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones Issue DetailsDescriptionThe version of the dependency System.Formats.Asn1 referenced by the latest release of System.Security.Cryptography.Cng is >=5.0.0, which is now deprecated in Nuget. System.Security.Cryptography.Cng is a transitive dependency of Microsoft.EntityFrameworkCore.SqlServer, so whenever the latest version (7.0.12) of EF Core SqlServer is referenced in a project, the deprecated dependency is automatically installed. There is a newer version of Asn1 available If some package ranges in System.Security.Cryptography.Cng could be bumped to include the newer Asn1 package versions that would be much appreciated. Reproduction StepsAdd Expected behaviorNo packages returned as deprecated. Actual behaviorSystem.Formats.Asn1 Version 5.0.0 returned as deprecated. Regression?No response Known WorkaroundsNo response Configurationusing .NET 6.0.413, Windows x64. not specific to this configuration. Other informationNo response
|
|
System.Security.Cryptography.Cng is an end-of-life package, 5.0.0 was its last version. It's a little surprising that it's in EFCore's dependency graph at all, but c'est la vie. @ViktorHofer I feel like you're tracking this sort of meta-problem. |
|
Microsoft.Data.SqlClient brings in these old dependencies: 
Both System.Security.Cryptography.Cng and System.Security.Principal.Windows shouldn't be referenced anymore by TFMs >= net6.0. Submitted dotnet/SqlClient#2186 Talking about the overall problem, we could consider adding an "analyzer" (maybe just an msbuild target) to the SDK that warns when dependencies are declared that are already provided implicitly by the referenced framework and which point to dead-ended packages, i.e. Cng, S.Sec.Principal.Windows, Microsoft.Win32.Registry, System.Net.Http, etc... |
The System.Security.Cryptography.Cng and System.Security.Principal.Windows packages don't ship anymore since .NET 5 and are provided by the .NETCoreApp framework implicitly. Removing dependencies to those for .NETCoreApp TFMs to stop bringing these older versions in transitively. Fixes dotnet/runtime#93577
|
As part of the .NET deprecation effort, (nearly) all 5.0.0 packages were deprecated. For the packages that were dead-ended after .NET 5, we un-deprecated them so that they can continue to be used on .NET Framework and/or .NET Standard. When we un-deprecated packages, we (I) didn't look at the dependency graph. Here's the dependency graph of those dead-ended 5.0.0 packages:
So, we missed the |
Description
The version of the dependency System.Formats.Asn1 referenced by the latest release of System.Security.Cryptography.Cng is >=5.0.0, which is now deprecated in Nuget. System.Security.Cryptography.Cng is a transitive dependency of Microsoft.EntityFrameworkCore.SqlServer, so whenever the latest version (7.0.12) of EF Core SqlServer is referenced in a project, the deprecated dependency is automatically installed.
There is a newer version of Asn1 available
If some package ranges in System.Security.Cryptography.Cng could be bumped to include the newer Asn1 package versions that would be much appreciated.
Reproduction Steps
Add
<PackageReference Include="System.Security.Cryptography.Cng" Version="5.0.0" />(or replace 5.0.0 with latest version) to a project file and rundotnet restore. Then rundotnet list package --deprecated --include-transitiveExpected behavior
No packages returned as deprecated.
Actual behavior
System.Formats.Asn1 Version 5.0.0 returned as deprecated.
Regression?
No response
Known Workarounds
No response
Configuration
using .NET 6.0.413, Windows x64. not specific to this configuration.
Other information
No response
The text was updated successfully, but these errors were encountered: