
Update NuGet packages

Open Jay-o-Way opened this issue 1 year ago • 5 comments

System.Net.Http ⚠️


Update 📈

  • WPF-UI 3.0 (latest) Check changes to see what we can improve in PowerToys.
  • WinUI-EX v2.2.0 --> 2.3.3 Check changes to see what we can improve in PowerToys.
  • System.IO.Abstractions 17.2.3 --> 20.0.15 changes
  • UnitsNet 4.415 --> 5.43 changes

Check for unused 🗑️

  • FZ Editor
    • ModernWpfUI: update 0.9.4 to 0.9.6 (from 6/2022) or change to WPF-UI or to WinUI3?
  • Settings project??

Jay-o-Way avatar Feb 06 '24 14:02 Jay-o-Way

108>Form\frmScreen.resx : warning MSB3825: Resource "imgListIcon.ImageStream" of type "System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" is deserialized via BinaryFormatter at runtime. BinaryFormatter is deprecated due to possible security risks and will be removed with .NET 9. If you wish to continue using it, set property "GenerateResourceWarnOnBinaryFormatterUse" to false.

Jay-o-Way avatar Apr 16 '24 09:04 Jay-o-Way

@jaimecbernardo who can I ping for this?

Jay-o-Way avatar Apr 21 '24 22:04 Jay-o-Way

Ah, looks like we need to fix before .NET 9 hits in November.

jaimecbernardo avatar Apr 22 '24 16:04 jaimecbernardo

Regarding unused extensions, there were some that we needed to make sure dependencies follow the same versions after the flattening.

jaimecbernardo avatar Apr 22 '24 16:04 jaimecbernardo

Nobody mentioning the vulnerability issue?

Jay-o-Way avatar May 09 '24 17:05 Jay-o-Way

@Jay-o-Way: I'm currently looking into the BinaryFormatter deprecation / security issue. Regarding the System.Net.Http issue, could you indicate where you see the dependency? I don't see us taking any NuGet dependency on System.Net.Http in the entire solution.


drawbyperpetual avatar May 19 '24 21:05 drawbyperpetual

@drawbyperpetual thanks. System.Net.Http is unused in SvgPreviewHandler (FYI @zanseb) and is used in OobeWhatsNew - seemingly to create a way to link/show release notes. (HttpClient and such)

CC @jaimecbernardo and @lncubus

Jay-o-Way avatar May 19 '24 23:05 Jay-o-Way

@Jay-o-Way: Yes, System.Net.Http is indeed used there but not via a vulnerable NuGet package, but rather via a framework dependency on .NET Core 8. Where's the vulnerability there?

drawbyperpetual avatar May 20 '24 14:05 drawbyperpetual

@drawbyperpetual I just encountered the warning one day. Not an expert on the usage details 😇

Jay-o-Way avatar May 20 '24 14:05 Jay-o-Way