twilio-csharp

Add multi-targeting for .NET 8.0 and drop System.Collections.Specialized for .NET 6/8

Open filipw opened this issue 1 year ago • 8 comments

Issue Summary

At the moment the library does not explicitly target .NET 8.0.

This means that referencing it from a .NET 8.0 application means going over .NET Standard 2.1, which in turn pulls a ton of very old (dating back to 2016) dependencies via System.Collections.Specialized, some of which even have CVEs on them.

Taking this into account, and given that .NET 6.0 reaches end of life in November this year, it would be good to add .NET 8.0 to multi-targeting.

Additionally, the System.Collections.Specialized should also be dropped as an explicit NuGet package reference for .NET 6.0 and .NET 8.0 as it's not needed there (the necessary types are already available).

Steps to Reproduce

  1. Reference the library in a .NET 8.0 ASP.NET Core app
  2. Enable NuGet security audit by adding
    <NuGetAuditMode>all</NuGetAuditMode>
  3. Publish for Linux: dotnet publish -r linux-x64
  4. Observe CVE-2019-0981 being emitted.

Technical details:

  • twilio-csharp version: 7.2.3

filipw avatar Aug 27 '24 06:08 filipw
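An added example, not part of the issue or of the twilio-csharp project: when the audit flags a transitive package, the restore output in obj/project.assets.json shows which direct reference pulls it in. The sketch below walks that graph; the sample data, its versions and the names Old.Runtime.Shim and Old.Flagged.Package are constructed placeholders, not the library's real dependency graph.

```python
import json
from collections import deque

# Constructed sample in the layout of obj/project.assets.json:
# "targets" -> "<tfm>/<rid>" -> "Name/Version" -> "dependencies".
# Versions and the Old.* package names are placeholders (assumptions).
SAMPLE_ASSETS = json.loads("""
{
  "targets": {
    "net8.0/linux-x64": {
      "Twilio/7.2.3": {"dependencies": {"System.Collections.Specialized": "4.3.0"}},
      "System.Collections.Specialized/4.3.0": {"dependencies": {"Old.Runtime.Shim": "4.3.0"}},
      "Old.Runtime.Shim/4.3.0": {"dependencies": {"Old.Flagged.Package": "4.3.0"}},
      "Old.Flagged.Package/4.3.0": {}
    }
  },
  "project": {"frameworks": {"net8.0": {"dependencies": {"Twilio": {"version": "[7.2.3, )"}}}}}
}
""")


def paths_to(assets, target, flagged):
    """Return every chain from a direct reference down to `flagged`."""
    # NuGet package ids are case-insensitive, so index by lower-cased id.
    libs = {key.split("/")[0].lower(): (key, val.get("dependencies", {}))
            for key, val in assets["targets"][target].items()}
    # Direct references are listed per framework, without the runtime id.
    tfm = target.split("/")[0]
    direct = assets["project"]["frameworks"][tfm].get("dependencies", {})
    found = []
    queue = deque([name.lower()] for name in direct)
    while queue:
        path = queue.popleft()
        if path[-1] not in libs:
            continue  # framework reference or package absent for this target
        if path[-1] == flagged.lower():
            found.append([libs[name][0] for name in path])
            continue
        for dep in libs[path[-1]][1]:
            if dep.lower() not in path:  # guard against cycles
                queue.append(path + [dep.lower()])
    return found


if __name__ == "__main__":
    for chain in paths_to(SAMPLE_ASSETS, "net8.0/linux-x64", "Old.Flagged.Package"):
        print(" -> ".join(chain))
```

Against a real project, load the file with `json.load` after a restore and pass the target key that matches the framework and runtime being published.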

Hi @filipw, Thank you for raising this issue. This issue has been reviewed and added to our internal backlog for prioritisation. +1s and pull requests will help this move upward in our backlog.

Issue for tracking : https://twilio-engineering.atlassian.net/browse/DII-1699

Thanks, Athira

AsabuHere avatar Oct 18 '24 07:10 AsabuHere

Hi team, Can we fix this issue for .NET 8? Is it possible to make a target .NET 8 libraries only as it is the end of 2024 and it's time as .NET 9 is coming in a few weeks ...

P.S. It affects our prod build as security scans create error messages.

JBaltika avatar Oct 18 '24 14:10 JBaltika

Hi, Any update, as this is screwing our production builds ... It is just a simple 10 sec fix by removing from .net6 dependency as this lib comes with .NET6 ... and later decide when to add .NET8 support.

Also, this is not an enhancement, but a bug. The current library build doesn't depend on that old package at all.

JBaltika avatar Oct 24 '24 12:10 JBaltika

+1 please prioritize this issue.

go3323 avatar Oct 24 '24 20:10 go3323

Hi guys, how hard is it to remove one line from Twilio.csproj line 43 and build again? It needs 3 months of scrum meetings with hours of discussions what to do next, I guess :)

JBaltika avatar Nov 05 '24 03:11 JBaltika

+1

elandref93 avatar Nov 07 '24 07:11 elandref93

I am sorry for the delay in response, I will check this on priority.

sbansla avatar Feb 21 '25 16:02 sbansla

@filipw https://github.com/twilio/twilio-csharp/pull/780 We can make this available in our next biweekly release.

sbansla avatar Feb 21 '25 16:02 sbansla

+1

ReniKIcon17 avatar Sep 04 '25 18:09 ReniKIcon17