Update System.Text.Json in packages which use 4.12 Roslyn #80197
RikkiGibson merged 2 commits into dotnet:main from
| <PackageReference Include="Microsoft.CodeAnalysis.Workspaces.Common" VersionOverride="$(MicrosoftCodeAnalysisVersionForAnalyzers)" /> | ||
| <PackageReference Include="Microsoft.CodeAnalysis.Workspaces.MSBuild" VersionOverride="$(MicrosoftCodeAnalysisVersionForAnalyzers)" /> | ||
| <PackageReference Include="Microsoft.Build.Tasks.Core" VersionOverride="17.10.29" ExcludeAssets="Runtime" /> | ||
| <PackageReference Include="System.Text.Json" VersionOverride="8.0.5" /> |
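Review bot: The System.Text.Json line hard-codes VersionOverride="8.0.5", while the two Microsoft.CodeAnalysis.Workspaces references directly above take their version from $(MicrosoftCodeAnalysisVersionForAnalyzers). Consider moving the literal into a named property so the next patched version is changed in one place. The "17.10.29" literal on Microsoft.Build.Tasks.Core would benefit from the same treatment.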
Should we be doing a SystemTextJsonVersionForAnalyzers like the other pattern is above?
I could see it being in the src/RoslynAnalyzers/Directory.Build.props
Maybe SystemTextJsonVersionForMetric
jasonmalinowski left a comment
Signing off on the change, but the comment confuses me a bit. Feel free to merge and update the comment later (or tell me that I'm wrong) since this will resolve the security alert.
| Metrics targets the same older Microsoft.CodeAnalysis version as the RoslynAnalyzers. Analyzers pick up patched versions | ||
| of Roslyn's transtive dependencies from the compiler that is hosting them. Since Metrics is a standalone tool and not an | ||
| Analyzer, it needs to directly reference patched versions of some transitive dependencies. |
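Review bot: "transtive" on the second line of this comment should be "transitive". The last sentence also says "some transitive dependencies" without naming them. Listing the packages that carry an explicit VersionOverride for this reason would let a later reader tell which pins are security floors and when they can be dropped.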
Is this comment correct? Because in the case of these two dependencies (System.Text.Json and Microsoft.Build) there is no compiler host version it'd be using, right? So it will actually use that version?
A host's version of those assemblies can still be used even if the compiler itself doesn't have a dependency on them. Our assembly loading simply works by first trying to load the assembly in the same ALC that the host compiler is loaded in. If it works, then the search is over, otherwise we will try to load from the sub-ALC which is specific to the directory the analyzer is located in.
That means if ServiceHub, LanguageServer etc. has those dependencies, then they will get used, and not the analyzer's version. It can even mean, IIRC, that an analyzer's version of a dep can get used in one environment, while a host's version will get used in a different environment.
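The host-first lookup described in the comment above can be sketched as follows. This is an added example, not Roslyn's loader code and not part of the thread; the class name `AnalyzerDirectoryLoadContext` and the fallback to `<directory>/<name>.dll` are assumptions made for illustration.

```csharp
#nullable enable
using System;
using System.IO;
using System.Reflection;
using System.Runtime.Loader;

// Hypothetical sketch (not Roslyn's implementation): host ALC first, then the analyzer's directory.
sealed class AnalyzerDirectoryLoadContext : AssemblyLoadContext
{
    private readonly AssemblyLoadContext _host;
    private readonly string _directory;

    public AnalyzerDirectoryLoadContext(AssemblyLoadContext host, string directory)
        : base("Analyzer:" + directory)
    {
        _host = host;
        _directory = Path.GetFullPath(directory);
    }

    protected override Assembly? Load(AssemblyName name)
    {
        try
        {
            // 1. Ask the ALC the host is loaded in. If the host ships this
            //    assembly the search is over and the host's version is used,
            //    whatever version sits next to the analyzer.
            return _host.LoadFromAssemblyName(name);
        }
        catch (FileNotFoundException)
        {
            // Host does not carry it: fall through to the analyzer's own copy.
        }

        // 2. Directory-specific context: load the copy shipped beside the analyzer.
        string candidate = Path.Combine(_directory, name.Name + ".dll");
        return File.Exists(candidate) ? LoadFromAssemblyPath(candidate) : null;
    }
}

static class Program
{
    static void Main(string[] args)
    {
        var host = AssemblyLoadContext.GetLoadContext(typeof(Program).Assembly)!;
        var alc = new AnalyzerDirectoryLoadContext(host, args.Length > 0 ? args[0] : AppContext.BaseDirectory);
        // Report which copy actually won, so a pinned version can be checked per host.
        Assembly stj = alc.LoadFromAssemblyName(new AssemblyName("System.Text.Json"));
        Console.WriteLine($"{stj.GetName().Version} from {stj.Location} in {AssemblyLoadContext.GetLoadContext(stj)?.Name}");
    }
}
```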
* upstream/main: (233 commits)
  Extensions: add SyntaxGenerator support and AssociatedExtensionImplementation API (dotnet#80170)
  Fix error when hoisting a non-ref call (dotnet#80138)
  Ensure that refkinds are rewritten for complex methods (dotnet#79916)
  Revert Do not go through the workspace to access services
  DefiniteAssignmentPass.MarkFieldsUsed - avoid infinite recursion due to generic substitution (dotnet#80135)
  Reduce allocations in AnalyzerDriver.TryExecuteSymbolEndActions (dotnet#79855)
  RefSafetyAnalysis: Fix handling of nested deconstruction utilizing modern extensions (dotnet#80231)
  Extensions: adjust rewriting of anonymous type property symbols (dotnet#80211)
  Extensions: Move public APIs into INamedTypeSymbol (dotnet#80230)
  Extensions: improve error recovery in older language versions (dotnet#80206)
  Fall back to `dotnet exec` if apphost does not exist (dotnet#80153)
  Update dependencies from https://github.com/dotnet/dotnet build 282708 (dotnet#80228)
  Add a workaround for microsoft/vs-mef#620
  Revert "FailFast if the MEF composition is clearly broken"
  switch from windows combobox to visualstudio combobox (dotnet#80219)
  Update System.Text.Json in packages which use 4.12 Roslyn (dotnet#80197)
  add flags to unblock CI (dotnet#80222)
  Move static members to another type - qualifies static member references in the moved members (dotnet#80178)
  Fix broken link for C# 14 lambda parameter modifiers
  ...
https://dev.azure.com/dnceng/internal/_componentGovernance/dotnet-roslyn?_a=alerts&typeId=6265214&alerts-view-option=active