
v0: Maintenance

Open yzhoholiev opened this issue 1 year ago • 10 comments

  • Update dependencies and fix vulnerabilities
  • Deprecate unsupported frameworks

yzhoholiev, Apr 01 '24 19:04

CLA assistant check
All committers have signed the CLA.

CLAassistant, Apr 01 '24 19:04

A lot of good changes here, quite a lot breaking as they are removing old (deprecated) .NET versions. Any specific reason why v1 won't cut it for you?

v0 builds currently aren't running due to the incompatibility with running Linux Docker containers on Windows GHA runners. So, getting something up and running that could actually make v0 releasable again (build and test) would be priority number one.

rasmus, Apr 02 '24 13:04

I agree that those changes are considered breaking changes; unfortunately, there is no version available between v0.x and v1.x. For our project, we are waiting for v1.x to be released before planning the upgrade, as it also contains breaking changes. At the same time, the main reason for these changes is, actually, to deprecate netstandard1.6, as it is not supported, and to remove usage of vulnerable versions of dependencies.

yzhoholiev, Apr 02 '24 14:04

As I understand it, as long as you don't use netstandard1.6 it won't affect the versions of libraries in the resulting service. We're using version "0.83.4713" in a .NET 8 service and all artifact libraries are in the correct, updated version, working fine on the .NET 8 runtime (the EventFlow.dll used from the package is from the netcoreapp3.1 folder). Vulnerability tools used on the service and the final Docker image don't show problems.

As for vulnerable dependencies, we managed to get green even in the current EventFlow state. "System.Data.SqlClient" in its newest version is not a problem, but it lags behind .NET releases and is not the best option when working with Azure SQL; for now this is the only thing we have identified as a problem (https://github.com/eventflow/EventFlow/discussions/1022).

janrybka, Apr 02 '24 16:04

The main problem was with EventFlow.MongoDB, as it only targets netstandard1.6, which has vulnerabilities in System.Net.Http (CVE-2018-8292) and System.Text.RegularExpressions (CVE-2019-0820).

yzhoholiev, Apr 02 '24 17:04

I can roll back some changes to make the PR more lightweight, such as replacing the System.Data.SqlClient, but everything else is worth keeping.

yzhoholiev, Apr 02 '24 17:04

If it's only about MongoDB, then with a small step you could add netstandard2.0 to the list (like in the Autofac case) or drop support for 1.6 and replace it with the new one. Still, it'll be a smaller backward incompatibility.

janrybka, Apr 02 '24 18:04
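
To make the multi-targeting suggestion above concrete, here is an added example project file; it is not EventFlow's own EventFlow.MongoDB.csproj and the file name, the existing package references, and the pinned package versions are assumptions (the versions are the ones I recall the .NET advisories naming as the fixes for CVE-2018-8292 and CVE-2019-0820; check the advisories before relying on them). It shows the weak single-target setting alongside the corrected one: netstandard2.0 is added in front of netstandard1.6 so that any consumer on a netstandard2.0-capable runtime (netcoreapp3.1, .NET 8, .NET Framework 4.7.2+) resolves the newer asset, while the legacy 1.6 target keeps only patched versions of the two packages that carried the CVEs.

```xml
<!-- Added example, not EventFlow's own project file.
     Hypothetical EventFlow.MongoDB.csproj showing the multi-target change. -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Before (weak): a single legacy target, so every consumer,
         including .NET 8 services, gets the netstandard1.6 asset and its
         unsupported dependency set.
         <TargetFramework>netstandard1.6</TargetFramework> -->

    <!-- After: netstandard2.0 first; NuGet picks the nearest compatible
         target, so only genuinely pre-2.0 consumers fall back to 1.6. -->
    <TargetFrameworks>netstandard2.0;netstandard1.6</TargetFrameworks>
  </PropertyGroup>

  <!-- Shared references for both targets (driver version omitted on
       purpose; use the version the project actually ships). -->
  <ItemGroup>
    <ProjectReference Include="..\EventFlow\EventFlow.csproj" />
  </ItemGroup>

  <!-- Only the legacy target pulls the affected packages in; pin them to
       the patched releases there so the 1.6 asset no longer restores the
       vulnerable versions. Versions are assumptions; verify against the
       advisories for CVE-2018-8292 and CVE-2019-0820. -->
  <ItemGroup Condition="'$(TargetFramework)' == 'netstandard1.6'">
    <PackageReference Include="System.Net.Http" Version="4.3.4" />
    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
  </ItemGroup>

</Project>
```

After the change, a consumer can confirm which asset it picked up by checking the target framework folder of EventFlow.MongoDB.dll under the restored package (the same check janrybka describes for EventFlow.dll), and `dotnet list package --vulnerable --include-transitive` run against the consuming project should come back clean for both packages.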

Hello there!

We hope this message finds you well. We wanted to let you know that we have noticed that there has been no activity on this pull request for the past 90 days, which makes it a stale pull request.

As a result, we will be closing this pull request within the next seven days. If you still think this pull request is necessary or relevant, please feel free to update it or leave a comment within the next seven days.

Thank you for your contributions and understanding.

Best regards, EventFlow

github-actions[bot], Jul 02 '24 09:07

Hello there! I'm a bot and I wanted to let you know that your pull request has been closed due to inactivity after being marked as stale for seven days. If you believe this was done in error, or if you still plan to work on this pull request, please don't hesitate to reopen it and let us know. We're always happy to review and merge high-quality contributions. Thank you for your interest in our project! Best regards, EventFlow

github-actions[bot], Jul 09 '24 09:07