Project

Profile

Help

SaxonCS 12.4 and out of date dependent NuGet packages

Added by Dave Dezinski 8 months ago

We are currently using SaxonCS 12.4 in our product and scan all application dependencies using Synopsys Black Duck. According to Black Duck many of the current packages that Saxon 12.4 references are quite old and/or out date and are high operational risk.

Do you have any plans on updating to newer versions of the dependent packages or getting rid of some of these outdated dependencies?

It would be nice if SaxonCS could be compiled to include the necessary dependencies so that these additional NuGet packages were no longer needed.

Thanks


Replies (7)

Please register to reply

RE: SaxonCS 12.4 and out of date dependent NuGet packages - Added by Michael Kay 8 months ago

Could you be more specific about which dependencies you aren't happy with?

Being old, being out of date, and being high risk are quite different things. New things are very often higher risk than old things. We do review the dependencies when we make a new release, but in general, we avoid moving to major releases of dependent packages except in a major release of Saxon. With this kind of thing minimising risk is obviously a matter of judgement.

Automated scanning tools, in my experience, aren't always very knowledgeable.

RE: SaxonCS 12.4 and out of date dependent NuGet packages - Added by Dave Dezinski 8 months ago

Sure, here's what is being reported by Black Duck:

High Operational Risk

AngleSharp 0.17.1 - Released 651 days ago, 60 newer versions available

Medium Operational Risk

Microsoft.Extensions.Configuration 6.0.0 - Released 857 days ago, 36 newer versions available Microsoft.Extensions.Configuration.Json 6.0.0 - Released 857 days ago, 35 newer versions available Microsoft.Extensions.Configuration.Xml 6.0.0 - Released 857 days ago, 35 newer versions available System.Collections.Immutable 6.0.0 - Released 857 days ago, 23 newer versions available System.Text.Encoding.CodePages 6.0.0 - Released 857 days ago, 23 newer versions available

Low Operational Risk

XmlResolver 2.1.0 - Released 406 days ago, 2 newer versions available XmlResolverData 1.2.3 - Released 406 days ago, 3 newer versions available Singulink.Numerics.BigDecimal 2.0.2 - Released 498 days ago, 3 newer versions available

Other issues with packages:

ICU4N.Resources 60.1.0-alpha.402 - Targets .NET Standard 1.6.1 which references a bunch of outdated packages showing up as High Operational Risk Microsoft.AspNetCore.StaticFiles 2.2.0 - According to NuGet.org this package has been deprecated as it is legacy and is no longer maintained. This package also references a bunch of outdated packages showing up as High Operational Risk XmlResolver 2.1.0 - References NLog 4.7.10 which is considered High Operational Risk, released 1035 days ago, 38 newer versions available.

Since .NET 8 has been available since November it would be nice if we could get an updated SaxonCS that targets .NET 8 and updates all of the .NET 6.0 out of date packages.

RE: SaxonCS 12.4 and out of date dependent NuGet packages - Added by Michael Kay 8 months ago

Thanks for the detail. We'll review this when we do our next maintenance release. They seem to be taking the stance that "newer is always better", whereas there's an alternative approach that says "if it ain't broke, don't fix it".

It's worth pointing out that some of the dependencies don't have a major impact. AngleSharp, for example, is used only for the non-standard and experimental parse-html() function.

RE: SaxonCS 12.4 and out of date dependent NuGet packages - Added by Norm Tovey-Walsh 8 months ago

High Operational Risk

AngleSharp 0.17.1 - Released 651 days ago, 60 newer versions available

As Mike said, this library is only used in one experimental function. The assertion that 0.17.1 is a risk simply because it’s been superceded by future versions is one perspective but not the only one.

But we do take security seriously and we’ll review them before the next maintenance release. Unless there are incompatibilities, upgrading to the most recent Microsoft and System extensions at each maintenance release seems reasonable.

Low Operational Risk

XmlResolver 2.1.0 - Released 406 days ago, 2 newer versions available XmlResolverData 1.2.3 -
Released 406 days ago, 3 newer versions available

Since I maintain this one, I can say that the 2 newer versions are very small fixes. More importantly, we’ll probably switch to XmlResolver 6.x for Saxon 13. I’m not sure if we’ll do that for the next 12.x maintenance release or not. (The 6.x release of the resolver has been extensively refactored so there’s more risk that I’ve introduced bugs as well as fixed them!)

ICU4N.Resources 60.1.0-alpha.402 - Targets .NET Standard 1.6.1 which references a bunch of outdated
packages showing up as High Operational Risk Microsoft.AspNetCore.StaticFiles 2.2.0 - According to
NuGet.org this package has been deprecated as it is legacy and is no longer maintained. This package
also references a bunch of outdated packages showing up as High Operational Risk XmlResolver 2.1.0 -
References NLog 4.7.10 which is considered High Operational Risk, released 1035 days ago, 38 newer
versions available.

I will look into upgrading the NLog version in XmlResolver:

https://github.com/xmlresolver/xmlresolvercs/issues/72

Since .NET 8 has been available since November it would be nice if we could get an updated SaxonCS that
targets .NET 8 and updates all of the .NET 6.0 out of date packages.

That requires care and consideration. Historically, we’ve observed that moving our core dependencies forward forces our users to do the same. That can be an expensive proposition. We would want to be sure that the benefits justified the costs before making that change.

At the same time, we recognize that .NET is being actively developed and there is a cost associated with not upgrading as well. It’s a balancing act.

Be seeing you,
norm

--
Norm Tovey-Walsh
Saxonica

RE: SaxonCS 12.4 and out of date dependent NuGet packages - Added by Dave Dezinski 5 months ago

I see that SaxonCS 12.5 is available as of today and all of the package dependencies are still the same as 12.4. In addition a new package NSec.Cryptography was added and its version (22.4.0) is over 2 years old and there is a newer version available (24.4.0).

Are there any plans on addressing the issues I raised with out of date packages, if so when can we expect a new release with these issues addressed?

RE: SaxonCS 12.4 and out of date dependent NuGet packages - Added by Norm Tovey-Walsh 5 months ago

Saxonica Developer Community writes:

I see that SaxonCS 12.5 is available as of today and all of the package dependencies are still the same as 12.4. In addition a new package NSec.Cryptography was added and its version (22.4.0) is over 2 years old and there is a newer version available (24.4.0).

Are there any plans on addressing the issues I raised with out of date packages, if so when can we expect a new release with these issues addressed?

There was a surprising amount of churn getting 12.5 out and this task seems to have been missed. Apologies for that.

I’ve created a proper issue for it so that will be tracked more carefully:

https://saxonica.plan.io/issues/6462

Be seeing you,
norm

--
Norm Tovey-Walsh
Saxonica

RE: SaxonCS 12.4 and out of date dependent NuGet packages - Added by Thomas Persson 4 days ago

Bumping this issue.

Customer has started using SaxonCS 12.5 when these issues was discoverd. We need more attention on this issue regarding updating dependencies and also verify transitive ones.

    (1-7/7)

    Please register to reply