StrongGrid icon indicating copy to clipboard operation
StrongGrid copied to clipboard
verified publisher icon Jericho

Dependency Hell

Open DanPatten opened this issue 1 year ago • 3 comments

I had to upgrade Microsoft.IO.RecyclableMemoryStream to latest to fix a vulnerable package. However I must now upgrade StrongGrid to a later version.

I am on .net standard 2.0 and one of the dependencies used is HttpMultipartParser which does not support .net standard 2.0.. How do I upgrade Stronggrid while on 2.0

DanPatten avatar Aug 17 '24 05:08 DanPatten

I'm sure you're aware that StrongGrid supports a long list of frameworks but .NET standard 2.0 is not one of them, just like the HTTP multipart parser.

The easiest solution I can think of is to upgrade your project to .NET standard 2.1 which would allow you to reference the latest version of all these dependencies. But I know this is easier said than done and there might be constraints that I'm not privy to preventing you from upgrading the framework targeted by your solution.

Have you considered downgrading StrongGrid to the last version that explicitly supported .NET standard 2.0? I believe version 0.79.0 which was released in the summer of 2021 was the last such release. I have no idea if this would allow you to use the desired version of the RecyclableMemoryStream package though. That's not a scenario I ever tested or even considered, to be honest.

Let me know if any of these suggestions help.

Jericho avatar Aug 17 '24 15:08 Jericho

I wish I could upgrade to 2.1 but I have libraries used by both .net 6 and framework 4.8 so I can't upgrade. I hate the fact that 2.1 standard breaks the whole idea of standard.

I'm already on 0.79 but because of breaking method changes on RecyclableMemoryStream 3.0 it won't work at runtime. Might have to come up with a different creative solution.

DanPatten avatar Aug 17 '24 15:08 DanPatten

I have libraries used by both .net 6 and framework 4.8

Have you considered multi-targeting rather than simply targeting .net standard 2.0? You could target net48, net6 and any other framework you desire or you could follow the convention used by StrongGrid and HttpMultipartParser which is to multi-target net48;netstandard2.1;net6.0;net7.0. I think this would give you the best of both worlds: your libraries can be used by apps targeting framework 4.8, net 6 and other frameworks as well, while upgrading your dependencies to their latest versions.

Jericho avatar Aug 17 '24 15:08 Jericho

@DanPatten do you want to continue this discussion? Have you considered my last suggestion?

Jericho avatar Aug 30 '24 13:08 Jericho

Unfortunately I'm not looking to dual target for now as that would increase build times, I'm working around this issue for now by using sendgrid hooks instead.

DanPatten avatar Aug 30 '24 20:08 DanPatten