Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[INTERNAL] Samples: Fixes upgrades to latest versions (vulnerabilities) and also warnings #4693

Merged
merged 16 commits into from
Sep 20, 2024
Merged

[INTERNAL] Samples: Fixes upgrades to latest versions (vulnerabilities) and also warnings #4693

merged 16 commits into from
Sep 20, 2024

Conversation

kirankumarkolli
Copy link
Member

@kirankumarkolli kirankumarkolli commented Sep 14, 2024
edited
Loading

[INTERNAL] Samples: Fixes upgrades to latest versions (vulnerabilities) and also warnings

For Cosmos pinned to latest versions

    <PackageReference Include="Microsoft.Azure.Cosmos" Version="3.43.0" />

Newtonsoft.Json and System.Text.Json: updated to patched versions

    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="System.Text.Json" Version="8.0.4" />

Microsoft.NET.Sdk.Functions: Upgraded to latest

    <PackageReference Include="Microsoft.NET.Sdk.Functions" Version="4.4.1" />

Removed transitive dependencies: Configuration and Configuration.FileExtensions

    <PackageReference Include="Microsoft.Extensions.Configuration" Version="2.2.0" />
    <PackageReference Include="Microsoft.Extensions.Configuration.FileExtensions" Version="2.2.0" />

ChangeFeed project: Its a migration project which has V2 CFP project reference which has vulnerabile dependencies, which are now pinned explicitly to patched version

    <PackageReference Include="System.Net.Http" Version="4.3.4" />
    <PackageReference Include="System.Net.Security" Version="4.3.2" />

Ref: #4674

@Pilchie
Copy link
Member

Pilchie commented Sep 16, 2024

I'm not sure if we want to use * versions. If we expect customers to copy these samples, they may not update them, and then they are exposed to the risks of breaking changes, and the fact that their builds aren't deterministic for these packages.

It might be better to just update them to the latest now, and have a process to check for updates regularly? Ideally if these are building as part of CI, component governance would tell us about packages with vulnerabilities and we could update that way?

@kirankumarkolli kirankumarkolli enabled auto-merge (squash) September 17, 2024 17:16
@kirankumarkolli kirankumarkolli added the auto-merge Enables automation to merge PRs label Sep 17, 2024
Pilchie
Pilchie requested changes Sep 17, 2024
View reviewed changes
Copy link
Member

@Pilchie Pilchie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Blocking only on the BOM changes. Other than that, just curious, and a note that we should eventually update to .NET 8.0 as well.

...mples/Usage/CFPullModelAllVersionsAndDeletesMode/CFPullModelAllVersionsAndDeletesMode.csproj Show resolved Hide resolved
Microsoft.Azure.Cosmos.Samples/Usage/ChangeFeed/ChangeFeed.csproj Show resolved Hide resolved
Microsoft.Azure.Cosmos.Samples/Usage/PowerShellRestApi/PowerShellRestApi.csproj Outdated Show resolved Hide resolved
Microsoft.Azure.Cosmos.Samples/Usage/ReEncryption/ReEncryption.csproj Outdated Show resolved Hide resolved
Microsoft.Azure.Cosmos.Samples/Usage/ReEncryption/ReEncryption.csproj Outdated Show resolved Hide resolved
Microsoft.Azure.Cosmos.Samples/Usage/ApplicationInsights/ApplicationInsights.csproj Outdated Show resolved Hide resolved
Microsoft.Azure.Cosmos.Samples/Usage/AzureFunctions/AzureFunctions.csproj Outdated Show resolved Hide resolved
Pilchie
Pilchie approved these changes Sep 18, 2024
View reviewed changes
Copy link
Member

@Pilchie Pilchie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great - thanks!

@kirankumarkolli kirankumarkolli enabled auto-merge (squash) September 18, 2024 19:11
@microsoft-github-policy-service microsoft-github-policy-service bot merged commit 2cc12dc into master Sep 20, 2024
21 checks passed
@microsoft-github-policy-service microsoft-github-policy-service bot deleted the users/kirankk/samples_package_upgrade branch September 20, 2024 19:23
@kirankumarkolli kirankumarkolli mentioned this pull request Oct 19, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@philipthomas-MSFT philipthomas-MSFT philipthomas-MSFT approved these changes

@adityasa adityasa adityasa approved these changes

@Pilchie Pilchie Pilchie approved these changes

@khdang khdang Awaiting requested review from khdang khdang is a code owner

@sboshra sboshra Awaiting requested review from sboshra sboshra is a code owner

@neildsh neildsh Awaiting requested review from neildsh neildsh is a code owner

@FabianMeiswinkel FabianMeiswinkel Awaiting requested review from FabianMeiswinkel FabianMeiswinkel is a code owner

@kirillg kirillg Awaiting requested review from kirillg kirillg is a code owner

Assignees
No one assigned
Labels
auto-merge Enables automation to merge PRs
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@kirankumarkolli @Pilchie @adityasa @philipthomas-MSFT