System.Net.Http.Json nuget package not receiving service updates #50914

Closed
ankrause opened this issue Apr 8, 2021 · 15 comments
Comments

@ankrause

ankrause commented Apr 8, 2021

The System.Net.Http.Json library does not appear to get regular updates; it gets major versions (5 and 6) corresponding with the major framework releases, with 6 being in preview.

NuGet: System.Net.Http.Json
NuGet: System.Text.Json

Conversely, the core underlying library (a dependency) System.Text.Json does get regular patch versions (specifically concerned with fixes for CVEs here) and has 5.0.1 and 5.0.2 as available versions.

Can I ask why this library does not get regular updates corresponding with the core underlying dependency? I would expect there to be a 5.0.1 and 5.0.2 that reference the patched versions of the System.Text.Json library. The purpose of this of course is that I can simply reference the System.Net.Http.Json extension library as my sole reference and be fully up-to-date with security patches by default, rather than having to explicitly reference both this package as well as its underlying dependency in order to stay secure.

It seems like a departure from some other libraries, namely the full tree of Microsoft.Extensions- libraries that all get a patch version whenever fixes are introduced regardless of whether an individual library itself was patched, though I recognize that these are probably considered different classes of packages.

@dotnet-issue-labeler dotnet-issue-labeler bot added area-System.Text.Json untriaged New issue has not been triaged by the area owner labels Apr 8, 2021
@ghost

ghost commented Apr 8, 2021

Tagging subscribers to this area: @eiriktsarpalis, @layomia
See info in area-owners.md if you want to be subscribed.

Issue Details

Author: ankrause
Assignees: -
Labels: area-System.Text.Json, untriaged
Milestone: -

@eiriktsarpalis
Member

cc @ViktorHofer @safern

@eiriktsarpalis eiriktsarpalis changed the title System.Net.Http.Json does not get patch versions corresponding with the underlying System.Text.Json library System.Net.Http.Json nuget package not receiving service updates Apr 8, 2021
@safern
Member

safern commented Apr 8, 2021

@Anipik @ericstj is this some scenario we should support/do in servicing releases at least for security fixes?

@ericstj
Member

ericstj commented Apr 8, 2021

All of dotnet/runtime only ships package updates when the packages themselves require a change. We don't ship all upstack dependencies to reference the change, nor do we expect the entire NuGet ecosystem to churn when a package at the bottom of the stack ships an update. cc @terrajobst @blowdart

@watfordgnf
Contributor

Consider the case in #49377. Today, the tooling does not provide a "pit of success" for security. You would be unaware and unable to determine the need for an update given the existing tooling.

You could use Microsoft.AspNetCore.Http.Abstractions 2.2.0 as a similar strawman to System.Net.Http.Json: if you add it to your projects today, you will be completely unaware that System.Text.Encodings.Web, as automatically installed by NuGet, is a problem. None of the tooling will help you discover this either.

A bad example based on its age, but great because NuGet.org warns you, is using Microsoft.Data.Services.Client 5.2.0 (known vulnerable transitive ref) in a NET472 project:

```
PS E:\scratch\ConsoleApp1> dotnet list package --include-transitive
Project 'ConsoleApp1' has the following package references
   [net472]:
   Top-level Package                     Requested   Resolved
   > Microsoft.Data.Services.Client      5.2.0       5.2.0

   Transitive Package          Resolved
   > Microsoft.Data.Edm        5.2.0
   > Microsoft.Data.OData      5.2.0
   > System.Spatial            5.2.0

PS E:\scratch\ConsoleApp1> dotnet list package --vulnerable

The following sources were used:
   https://api.nuget.org/v3/index.json
   C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\

The given project `ConsoleApp1` has no vulnerable packages given the current sources.
PS E:\scratch\ConsoleApp1> dotnet list package --vulnerable --include-transitive

The following sources were used:
   https://api.nuget.org/v3/index.json
   C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\

The given project `ConsoleApp1` has no vulnerable packages given the current sources.
```

The same is true for inside Visual Studio.

This matters for my org because we'll run our software on air-gapped networks for 18-24 months without intervention (ideally). Being able to identify and provide security updates--when applicable--is becoming a lot harder to do as the ecosystem becomes more fragmented and we enjoy an explosion of packages.

If the tooling isn't available to recognize these issues with transitive dependencies delivered by MS, I think this should be addressed (or at least considered) at the package owner level, at least as long as the .NET Framework is supported. Our customers will be on that long after ".NET Core" has died and ".NET" has moved on to version 9 or 10 (or 20) thanks to generous extended support contracts.

@ghost

ghost commented Apr 12, 2021

Tagging subscribers to this area: @dotnet/runtime-infrastructure
See info in area-owners.md if you want to be subscribed.

Issue Details

Author: ankrause
Assignees: -
Labels: area-Infrastructure, area-System.Text.Json, untriaged
Milestone: -

@ViktorHofer
Member

cc @nkolev92 to provide more details on how NuGet skips/promotes transitive dependencies in case of security vulnerabilities.

@ViktorHofer ViktorHofer added discussion and removed untriaged New issue has not been triaged by the area owner labels Apr 21, 2021
@ViktorHofer ViktorHofer added this to the 6.0.0 milestone Apr 21, 2021
@nkolev92
Contributor

Vulnerability reporting does not affect transitive package resolution in NuGet right now.
Elevating it top level is the recommended approach.
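
The following is an added example, not tooling from NuGet, the dotnet CLI or dotnet/runtime. It covers both points raised in the thread: the `dotnet list package --vulnerable` gap shown in the terminal session above (transitive packages are listed but never flagged), and the mitigation nkolev92 recommends (elevating the affected transitive package to a top-level reference). It parses the `--include-transitive` output shape from the issue, checks transitive rows against an advisory table, and emits the `PackageReference` lines that would promote the hits. The advisory table, its ids and its "fixed" versions are constructed placeholders; a real check would consult NuGet.org or the GitHub Advisory Database.

```python
"""Flag transitive packages from `dotnet list package --include-transitive` output
against a local advisory table and emit PackageReference lines that promote them
to top level. Added example; not part of NuGet, the dotnet CLI or dotnet/runtime."""
from dataclasses import dataclass

# Constructed sample: the shape of `dotnet list package --include-transitive`
# output for a net472 project, as shown in the issue.
SAMPLE_OUTPUT = """\
Project 'ConsoleApp1' has the following package references
   [net472]:
   Top-level Package                     Requested   Resolved
   > Microsoft.Data.Services.Client      5.2.0       5.2.0

   Transitive Package          Resolved
   > Microsoft.Data.Edm        5.2.0
   > Microsoft.Data.OData      5.2.0
   > System.Spatial            5.2.0
"""

# CONSTRUCTED advisory table: package -> (first fixed version, advisory id).
# Placeholder values only; these are not real advisories or fix versions.
ADVISORIES = {
    "Microsoft.Data.OData": ("9.9.9", "ADVISORY-PLACEHOLDER-1"),
    "System.Spatial": ("9.9.9", "ADVISORY-PLACEHOLDER-2"),
}


@dataclass(frozen=True)
class Package:
    name: str
    resolved: str
    transitive: bool


def parse_version(version):
    """Numeric tuple for ordering. Pre-release tags ("6.0.0-preview.3") are
    dropped and the tuple is padded so "5.2" compares equal to "5.2.0"."""
    parts = [int(p) for p in version.split("-", 1)[0].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_list_output(text):
    """Return Package rows; the section header decides top-level vs transitive."""
    packages, section = [], None
    for line in text.splitlines():
        row = line.strip()
        if row.startswith("Top-level Package"):
            section = "top"
        elif row.startswith("Transitive Package"):
            section = "transitive"
        elif row.startswith(">") and section is not None:
            cols = row[1:].split()
            # Top-level rows are "name requested resolved"; transitive rows are
            # "name resolved". The last column is the resolved version in both.
            packages.append(Package(cols[0], cols[-1], section == "transitive"))
    return packages


def find_vulnerable_transitive(packages, advisories=ADVISORIES):
    """Transitive packages whose resolved version is below the advisory's fix."""
    hits = []
    for pkg in packages:
        if pkg.transitive and pkg.name in advisories:
            fixed, advisory_id = advisories[pkg.name]
            if parse_version(pkg.resolved) < parse_version(fixed):
                hits.append((pkg, advisory_id, fixed))
    return hits


def promotion_references(hits):
    """csproj lines that elevate each hit to a top-level reference pinned at the
    fixed version, the mitigation recommended in the thread."""
    return [f'<PackageReference Include="{pkg.name}" Version="{fixed}" />'
            for pkg, _, fixed in hits]


if __name__ == "__main__":
    found = find_vulnerable_transitive(parse_list_output(SAMPLE_OUTPUT))
    for pkg, advisory_id, fixed in found:
        print(f"{pkg.name} {pkg.resolved} (transitive) matches {advisory_id}; fixed in {fixed}")
    print("\n".join(promotion_references(found)))
```

In practice the script would be fed the live output (`dotnet list package --include-transitive | python check.py`) and the advisory table replaced by a feed; the point it demonstrates is that the transitive section already contains everything needed for the check the CLI does not perform, and that the fix is a pinned top-level reference rather than waiting for every upstack package to re-ship.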

@ericstj
Member

ericstj commented Apr 21, 2021

@nkolev92 will NuGet raise any warning about a vulnerable transitive dependency to let folks know they need to do that? cc @GrabYourPitchforks

@nkolev92
Contributor

At this point it's only available in dotnet list package.
Progress can be tracked here: NuGet/Home#8087

@GrabYourPitchforks
Member

Per discussion at #49377, we're aware of this and are actively working on a solution. There is currently nothing to announce yet because we're still hammering out the rough edges.

@ghost

ghost commented Jul 29, 2022

Tagging subscribers to this area: @dotnet/area-infrastructure-libraries
See info in area-owners.md if you want to be subscribed.

Issue Details

Author: ankrause
Assignees: -
Labels: area-Infrastructure-libraries, discussion
Milestone: 7.0.0

@ViktorHofer
Member

@ericstj you experimented with also requiring servicing of transitive package dependencies in dotnet/runtime. What should we do with this issue given that we are approaching .NET 7?

@ericstj
Member

ericstj commented Aug 1, 2022

We raised this issue for reconsideration a few months ago and decided not to change our policy around incremental servicing. We will not release packages just to update their dependencies. Should a package need to be re-released for some other reason it will include updated dependencies. cc @GrabYourPitchforks @blowdart

@ViktorHofer
Member

Closing as by design.

@ViktorHofer ViktorHofer moved this to Done in Runtime Infra Aug 2, 2022
@ghost ghost locked as resolved and limited conversation to collaborators Sep 1, 2022