Merge pull request #1618 from DuendeSoftware/joe/dotnet9-rc2

Update dependencies to dotnet 9 rc 2

Directory.Build.targets

@@ -1,18 +1,16 @@
 <Project>
     <PropertyGroup Condition=" '$(TargetFramework)' == 'net8.0'">
-        <FrameworkVersion>8.0.3</FrameworkVersion>
-        <ExtensionsVersion>8.0.0</ExtensionsVersion>
-        <EntityFrameworkVersion>8.0.0</EntityFrameworkVersion>
+        <FrameworkVersion>8.0.10</FrameworkVersion>
+        <ExtensionsVersion>8.0.1</ExtensionsVersion>
+        <EntityFrameworkVersion>8.0.10</EntityFrameworkVersion>
         <WilsonVersion>7.1.2</WilsonVersion>
-        <SqlClientVersion>5.1.6</SqlClientVersion>
     </PropertyGroup>
 
     <PropertyGroup Condition=" '$(TargetFramework)' == 'net9.0'">
-        <FrameworkVersion>9.0.0-rc.1.24452.1</FrameworkVersion>
-        <ExtensionsVersion>9.0.0-rc.1.24431.7</ExtensionsVersion>
-        <EntityFrameworkVersion>9.0.0-rc.1.24451.1</EntityFrameworkVersion>
+        <FrameworkVersion>9.0.0-rc.2.24474.3</FrameworkVersion>
+        <ExtensionsVersion>9.0.0-rc.2.24473.5</ExtensionsVersion>
+        <EntityFrameworkVersion>9.0.0-rc.2.24474.1</EntityFrameworkVersion>
         <WilsonVersion>8.0.1</WilsonVersion>
-        <SqlClientVersion>5.2.1</SqlClientVersion>
     </PropertyGroup>
 
     <ItemGroup>
@@ -87,10 +85,11 @@
              that future versions of the intermediate dependencies that don't have this
              problem exist someday). -->
         <PackageReference Update="Azure.Identity" Version="1.11.4" />
-        <PackageReference Update="System.Formats.Asn1" Version="8.0.1" />
-        <PackageReference Update="Microsoft.Data.SqlClient" Version="$(SqlClientVersion)" />
-        <PackageReference Update="System.Text.Json" Version="8.0.4" />
+        <PackageReference Update="System.Formats.Asn1" Version="$(ExtensionsVersion)" />
         <PackageReference Update="System.Drawing.Common" Version="6.0.0" />
+
+        <PackageReference Update="Microsoft.Data.SqlClient" Version="5.2.2" />
+
     </ItemGroup>
 
     <Target Name="SetAssemblyVersion" AfterTargets="MinVer">

hosts/AspNetIdentity/Host.AspNetIdentity.csproj

@@ -24,14 +24,12 @@
     </ItemGroup>
 
     <ItemGroup>
-        <!-- The packages in this ItemGroup are all transitive dependencies that
-             would otherwise resolve to a version with a security vulnerabilitiy. 
-             In future, we would like to update Microsoft.Data.SqlClient and
-             Microsoft.EntityFrameworkCore, and remove these explicit dependencies
-             (assuming that future versions of the intermediate dependencies that
-             don't have this problem exist someday). -->
-        <PackageReference Include="Azure.Identity" />
-        <PackageReference Include="System.Formats.Asn1" />
+<!-- This is a transitive dependency of Microsoft.EntityFrameworkCore.SqlServer.
+Without pinning a version of this package, the sql server package would bring in
+an older version that in turn depends on vulnerable packages. Someday, it would
+be nice if we could update Microsoft.EntityFrameworkCore.SqlServer and remove
+this explicit dependency (assuming that future versions of
+Microsoft.EntityFrameworkCore.SqlServer that don't have this problem exist). -->
         <PackageReference Include="Microsoft.Data.SqlClient" />
     </ItemGroup>
 

hosts/Configuration/Host.Configuration.csproj

@@ -33,21 +33,6 @@
         <PackageReference Include="OpenTelemetry.Instrumentation.SqlClient" />
 
         <PackageReference Include="Serilog.AspNetCore" />
-
-    </ItemGroup>
-
-    <ItemGroup>
-        <!-- The packages in this ItemGroup are all transitive dependencies that
-             would otherwise resolve to a version with a security vulnerabilitiy. 
-             In future, we would like to update Microsoft.Data.SqlClient and
-             Microsoft.EntityFrameworkCore, and remove these explicit dependencies
-             (assuming that future versions of the intermediate dependencies that
-             don't have this problem exist someday). -->
-        <PackageReference Include="Azure.Identity" />
-        <PackageReference Include="System.Formats.Asn1" />
-        <PackageReference Include="Microsoft.Data.SqlClient" />
-        <PackageReference Include="System.Text.Json" />
-        <PackageReference Include="System.Drawing.Common" />
     </ItemGroup>
 
     <ItemGroup>

hosts/main/Host.Main.csproj

@@ -36,15 +36,6 @@
         <PackageReference Include="Serilog.AspNetCore" />
     </ItemGroup>
 
-    <ItemGroup Condition="'$(TargetFramework)' == 'net9.0'">
-        <!-- These two dependencies should hopefully be removed in a future release. 
-             The dotnet 9.0-rc.1 version of some of the EF packages has transitive 
-             dependnecies with vulnerabilites -->
-        <PackageReference Include="System.Text.Json" />
-        <PackageReference Include="System.Drawing.Common" />
-    </ItemGroup>
-
-
     <ItemGroup>
         <ProjectReference Include="..\..\src\IdentityServer\Duende.IdentityServer.csproj" />
         <ProjectReference Include="..\..\src\Configuration\Duende.IdentityServer.Configuration.csproj" />

migrations/IdentityServerDb/IdentityServerDb.csproj

@@ -19,7 +19,6 @@
         <PackageReference Include="Azure.Identity" />
         <PackageReference Include="System.Formats.Asn1" />
         <PackageReference Include="Microsoft.Data.SqlClient" />
-        <PackageReference Include="System.Text.Json" />
     </ItemGroup>
 
     <ItemGroup>

test/EntityFramework.IntegrationTests/EntityFramework.IntegrationTests.csproj

@@ -16,16 +16,13 @@
     </ItemGroup>
 
     <ItemGroup>
-        <!-- The packages in this ItemGroup are all transitive dependencies that
-             would otherwise resolve to a version with a security vulnerabilitiy. 
-             In future, we would like to update Microsoft.Data.SqlClient and
-             Microsoft.EntityFrameworkCore, and remove these explicit dependencies
-             (assuming that future versions of the intermediate dependencies that
-             don't have this problem exist someday). -->
-        <PackageReference Include="Azure.Identity" />
-        <PackageReference Include="System.Formats.Asn1" />
+<!-- This is a transitive dependency of Microsoft.EntityFrameworkCore.SqlServer.
+Without pinning a version of this package, the sql server package would bring in
+an older version that in turn depends on vulnerable packages. Someday, it would
+be nice if we could update Microsoft.EntityFrameworkCore.SqlServer and remove
+this explicit dependency (assuming that future versions of
+Microsoft.EntityFrameworkCore.SqlServer that don't have this problem exist). -->
         <PackageReference Include="Microsoft.Data.SqlClient" />
-        <PackageReference Include="System.Text.Json" />
     </ItemGroup>
 
 

test/EntityFramework.Storage.IntegrationTests/EntityFramework.Storage.IntegrationTests.csproj

@@ -29,7 +29,6 @@
         <PackageReference Include="Azure.Identity" />
         <PackageReference Include="System.Formats.Asn1" />
         <PackageReference Include="Microsoft.Data.SqlClient" />
-        <PackageReference Include="System.Text.Json" />
     </ItemGroup>
 
     <ItemGroup>

test/EntityFramework.Storage.UnitTests/EntityFramework.Storage.UnitTests.csproj

@@ -13,15 +13,6 @@
         <PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" />
     </ItemGroup>
 
-    <ItemGroup>
-        <!-- This package is a transitive dependency that would otherwise resolve 
-             to a version with a security vulnerabilitiy. 
-             In future, we would like to update Microsoft.EntityFrameworkCore.Sqlite,
-             and remove this explicit dependency (assuming that future versions of 
-             the sqlite package that doesn't have this problem exist someday). -->
-        <PackageReference Include="System.Text.Json" />
-    </ItemGroup>
-
     <ItemGroup>
         <ProjectReference Include="..\..\src\EntityFramework.Storage\Duende.IdentityServer.EntityFramework.Storage.csproj" />
     </ItemGroup>