[bug] Remove Explicit Dependency on System.Text.Json in OpenTelemetry.Exporter.OneCollector on net8.0
Component
OpenTelemetry.Exporter.OneCollector
Package Version
| Package Name | Version |
|---|---|
| OpenTelemetry.Exporter.OneCollector | 1.10.0 |
Runtime Version
net8.0
Description
On net8.0 and above, an explicit reference to System.Text.Json is not needed. It is included in the Framework. Removing this reference reduces explicit transitive dependencies.
Steps to Reproduce
Include OpenTelemetry.Exporter.OneCollector in a project using net8.0
Expected Result
OpenTelemetry.Exporter.OneCollector uses STJ from the framework and doesn't use an explicit dependency.
Actual Result
OpenTelemetry.Exporter.OneCollector uses STJ from an explicit dependency.
Additional Context
I can submit a fix if this is accepted.
Tagging component owner(s).
@codeblanch
@CodeBlanch - If I submit this fix, would you accept it?
So the issue here is the 8.0.0 - 8.0.4 versions of STJ were flagged with security issues. Check out the versions listed on NuGet to see what I mean.
The goal was to make sure all users get a safe version regardless of the .NET SDK/Runtime they have installed.
I'm open to ideas to resolve this some other way but I don't know how other than requiring a minimum safe version.
@CodeBlanch It shouldn't be on the package to ensure a minimum safe version of a dependency inbox to the runtime. The runtime should be updated in this case.
My understanding is this is the direction that the .NET 10 SDK will go.
See these:
- https://github.com/NuGet/Home/blob/dev/accepted/2024/prune-package-reference.md
- https://learn.microsoft.com/en-us/nuget/reference/errors-and-warnings/nu1510
Agree with @keegan-caruso: if a dependency can be provided by the framework, then there is no reason to attempt to patch the CVE by adding an explicit dependency. To patch the CVE, the end application just needs to update the runtime/SDK.
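As an added illustration of the two positions in this thread (the explicit minimum safe version @CodeBlanch describes, and the inbox-framework argument from @keegan-caruso), here is a multi-target project file that keeps the explicit `System.Text.Json` reference only on target frameworks that do not carry it inbox and drops it on `net8.0`, where the runtime's serviced copy is used. This is not the OneCollector project's own csproj; the target framework list, the `SystemTextJsonMinimumSafeVersion` property, and its `x.y.z` value are placeholders to be filled from the versions shown on NuGet.

```xml
<!-- Added example, not the OpenTelemetry.Exporter.OneCollector csproj. -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Assumed target set; adjust to the package's real targets. -->
    <TargetFrameworks>netstandard2.0;net8.0</TargetFrameworks>
    <!-- Placeholder: lowest System.Text.Json version not flagged on NuGet. -->
    <SystemTextJsonMinimumSafeVersion>x.y.z</SystemTextJsonMinimumSafeVersion>
  </PropertyGroup>

  <!-- Targets without an inbox System.Text.Json: pin a minimum safe version
       so every consumer restores a patched package. -->
  <ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0'">
    <PackageReference Include="System.Text.Json"
                      Version="$(SystemTextJsonMinimumSafeVersion)" />
  </ItemGroup>

  <!-- net8.0: no PackageReference at all. The runtime supplies
       System.Text.Json, and runtime servicing updates patch it; the
       package no longer carries an explicit transitive dependency. -->

</Project>
```

With this layout, a consumer on `net8.0` gets the library's serialization from the installed runtime, so patching means updating the runtime/SDK rather than waiting for a package release, while consumers on the older target still restore at least the pinned version. The NU1510 reference linked above describes the warning newer SDKs raise when a package reference is prunable because the framework already provides it, which is the signal that a reference such as the `net8.0` one removed here is redundant.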