ApplicationInsights-dotnet icon indicating copy to clipboard operation
ApplicationInsights-dotnet copied to clipboard
verified publisher icon microsoft

Microsoft.ApplicationInsights.AspNetCore used deprecated NuGet packages

Open MarcoK80 opened this issue 2 years ago • 8 comments

Dotnet list package --outdated / --deprecated shows for the packages

Microsoft.ApplicationInsights.AspNetCore 2.21.0 Microsoft.ApplicationInsights.Profiler.AspNetCore 2.5.3 Microsoft.ApplicationInsights.Profiler.Core 2.5.3

outdated and if we update them deprecated packages Microsoft.AspNetCore.Hosting Microsoft.AspNetCore.Http

Is there any plan to migrate these packages to full .net core 7 or .net core 8 support?

MarcoK80 avatar Sep 07 '23 11:09 MarcoK80

Taking a dependency on Microsoft.AspNetCore.Hosting v2.2.0 would resolve this issue, but would also break support for NetCore v2.1. Instead I'm taking a direct dependency on the fixed version Microsoft.AspNetCore.Http. We can remove this when NetCore v2.1 reaches EOL on August 21, 2021.

A comment inside Microsoft.ApplicationInsights.AspNetCore.csproj. Seems like the comment was long forgotten.

agehrke avatar Jan 03 '24 13:01 agehrke

It is worth mentioning that there is vulnerability in: Microsoft.AspNetCore.Http.Features 2.1.1 Denial Of Service (DoS)

Workaround is to add explicit dependency on "Microsoft.AspNetCore.Http.Features" Version="5.0.17" which has no vulnerabilities and it fixes SCA scan issues (in my case).

Anyway, I would greatly appreciate an update on this ticket.

Thowk avatar Jan 04 '24 12:01 Thowk

Hi @TimothyMothra

Any updates on this? Any ETA?

because Microsoft.AspNetCore.Http package has vulnerability CVE-2020-1045

https://github.com/microsoft/ApplicationInsights-dotnet/issues/2199

We can remove this when NetCore v2.1 reaches EOL on August 21, 2021.

So any ETA?

patelriki13 avatar Jan 19 '24 13:01 patelriki13

Any update / plans on this @TimothyMothra ? I would expect the library to multi target Net6 and Net8 by now to include the proper AspNetCore framework dependencies instead of totally outdated Nuget refrences.

My team is using App insights in .NET Core for microservices for years now and with the lasted changes how Net6/8 references framework dependencies, it is really painful to include this Nuget package with all the old/outdated dlls which all end up in every service's bin / publish dir... And this is ignoring the fact that those old packages have security vulnerabilities now..

MichaCo avatar Mar 12 '24 14:03 MichaCo

I have proposed changes just for Microsoft.ApplicationInsights.AspNetCore in the linked PR #2860.

I hope that @TimothyMothra will soon have time to review the changes and they will find a way to the main branch.

There is no code change, so no expected behavior change. Just the package references to Microsoft.AspNetCore.* are replaced with framework reference to Microsoft.AspNetCore.App.

ApplicationInsights.AspNetCore is targeted to netcoreapp3.1, although it is not supported anymore, but this way it will still be possible for any legacy applications running on .net 3.1 to use AI.

The test are passing.

antymon4o avatar Mar 29 '24 15:03 antymon4o