Simon Croppso much of my friction with MS nuget packages would be greatly mitigated if they just pro-actively updated their transitive refs to avoid CVEs. #dotnet
Rainer Sigwald@simoncropp a policy change to this is very likely coming.
@rainer is it being discussed publicly?
@simoncropp Mostly internal discussion that I know of, but here's a 6.0 servicing fix introducing the “ship every package upstream of this one” change: https://github.com/dotnet/runtime/pull/108797.
Reduce net core app current package dependencies, increase direct update availability by ericstj · Pull Request #108797 · dotnet/runtime
This is a backport of #107161. I also reviewed all packages that ever shipped in 6.0 with a CVE to ensure that we've shipped at least one package version that references that - to ensure folks ...
@rainer hopefully the situation become better before this lands https://learn.microsoft.com/en-us/dotnet/core/whats-new/dotnet-9/sdk#nuget-security-audits
Damselfly - Photo Management 📷@simoncropp Most of my friction with nuget packages would go away if nuget would *just bloody upgrade* when I tell it to. I'm sick of upgrading something and VS or Rider deciding it's wrong, so reverting it - and I then need to battle with manually editing Directory.Build.Props to force it.
In other news, can you tell I upgraded Damselfly to .Net 9 today?
@damselfly yeah i have the same problem
and congrats on net9. any perf improvements?
@simoncropp Nothing significantly noticeable. Maybe quicker startup time but that might be placebo effect...