
@paulmedynski paulmedynski commented Dec 10, 2025

Description

  • Removed unused dependencies across all driver and test projects.
  • Updated some dependencies, avoiding transitive vulnerabilities.
  • Updated nuspec files to remove/update dependencies accordingly.

Details

The tables below list significant changes to dependencies, such as:

  • Direct dependency additions or removals.
  • Transitions from Direct to Transitive, or vice versa.
  • Major version bumps, regardless of Direct or Transitive

Changes to minor or patch versions are not listed, nor are additions or removals of Transitive dependencies.

MDS

| Package | Target Framework | Previous Dependency Type | Previous Version | Current Dependency Type | Current Version |
|---|---|---|---|---|---|
| Azure.Core | net462, net8.0, net9.0 | Transitive | 1.46.1 | Direct | 1.50.0 |
| Microsoft.Bcl.Cryptography | net462, net8.0, net9.0 | Direct | 8.0.0 | None | |
| Microsoft.Identity.Client | net462, net8.0, net9.0 | Transitive | 4.73.1 | Direct | 4.80.0 |
| Microsoft.IdentityModel.Abstractions | net462, net8.0, net9.0 | Transitive | 7.5.0 | Transitive | 8.14.0 |
| System.Memory.Data | net462, net8.0, net9.0 | Transitive | 6.0.1 | Transitive | 8.0.1 |
| System.Security.Cryptography.Pkcs | net462 | Direct | 8.0.1 | None | |
| System.Text.Encodings.Web | net462 | Direct | 8.0.0 | Transitive | 8.0.0 |

AKV

| Package | Target Framework | Previous Dependency Type | Previous Version | Current Dependency Type | Current Version |
|---|---|---|---|---|---|
| System.Text.Encodings.Web | net462 | Direct | 8.0.0 | Transitive | 8.0.0 |
| System.Text.Encodings.Web | net8.0, net9.0 | Direct | 8.0.0 | None | |
| System.Security.Cryptography.ProtectedData | net8.0 | Transitive | 8.0.0 | Transitive | 4.5.0 |
| System.Security.Cryptography.ProtectedData | net9.0 | Transitive | 9.0.4 | Transitive | 4.5.0 |
| System.Text.Json | net8.0, net9.0 | Transitive | 6.0.10 | Transitive | 8.0.6 |

Issues

Resolves #3808.

Testing

  • CI will validate the changes.
  • Manually inspected the full package dependency tree for the driver projects to ensure no major version increments.
  • Manually inspected CI runs to observe that tests are being executed for the expected target frameworks and architectures.

- Updated some dependencies, avoiding transitive vulnerabilities.
- Updated nuspec files to remove/update dependencies accordingly.
Copilot AI review requested due to automatic review settings December 10, 2025 23:32
@paulmedynski paulmedynski added this to the 6.0.5 milestone Dec 10, 2025
Copilot AI left a comment

Pull request overview

This pull request performs a comprehensive dependency cleanup for the 6.0 branch, removing unused dependencies and updating others to address security vulnerabilities. The changes ensure consistency across NuGet package specifications, version property files, and project references for both the main SqlClient driver and the AlwaysEncrypted AzureKeyVaultProvider add-on.

Key changes include:

  • Removal of unused dependencies (Microsoft.Bcl.Cryptography, System.Text.Encodings.Web, and several test-only packages)
  • Updates to identity and security-related packages (Microsoft.IdentityModel.* from 7.5.0 to 7.7.1, Azure.* packages, System.Buffers, System.Text.Json)
  • Addition of an explicit MDS 5.1.8 reference in ExtUtilities to mitigate vulnerable transitive dependencies
  • Change from version ranges to fixed versions for Azure.Core and Azure.Security.KeyVault.Keys in the AKV provider

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 3 comments.

| File | Description |
|---|---|
| tools/specs/add-ons/Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider.nuspec | Updated Azure.Core and Azure.Security.KeyVault.Keys from version ranges to fixed versions; updated Microsoft.Extensions.Caching.Memory for net9.0 |
| tools/specs/Microsoft.Data.SqlClient.nuspec | Removed Microsoft.Bcl.Cryptography and System.Text.Encodings.Web; updated Microsoft.IdentityModel.*, System.Buffers, System.Text.Json, and Microsoft.Extensions.Caching.Memory versions |
| tools/props/VersionsNet9OrLater.props | Removed Microsoft.Bcl.Cryptography version property; updated Microsoft.Extensions.Caching.Memory to 9.0.11 |
| tools/props/Versions.props | Removed properties for unused dependencies (Microsoft.Bcl.Cryptography, System.Text.Encodings.Web, test dependencies); updated versions for IdentityModel, System.Buffers, System.Text.Json, Azure packages, and test SDKs |
| src/Microsoft.Data.SqlClient/tests/tools/Microsoft.Data.SqlClient.TestUtilities/Microsoft.Data.SqlClient.TestUtilities.csproj | Removed unused System.Formats.Asn1 and System.Security.Cryptography.Cng package references |
| src/Microsoft.Data.SqlClient/tests/tools/Microsoft.Data.SqlClient.ExtUtilities/Microsoft.Data.SqlClient.ExtUtilities.csproj | Added explicit MDS 5.1.8 reference with explanatory comment to avoid vulnerable transitive dependency |
| src/Microsoft.Data.SqlClient/tests/ManualTests/Microsoft.Data.SqlClient.ManualTesting.Tests.csproj | Removed Microsoft.Bcl.Cryptography package reference |
| src/Microsoft.Data.SqlClient/tests/FunctionalTests/Microsoft.Data.SqlClient.Tests.csproj | Removed Microsoft.Bcl.Cryptography package reference |
| src/Microsoft.Data.SqlClient/netfx/src/Microsoft.Data.SqlClient.csproj | Removed System.Text.Encodings.Web and Microsoft.Bcl.Cryptography package references |
| src/Microsoft.Data.SqlClient/netfx/ref/Microsoft.Data.SqlClient.csproj | Removed System.Text.Encodings.Web and Microsoft.Bcl.Cryptography package references |
| src/Microsoft.Data.SqlClient/netcore/src/Microsoft.Data.SqlClient.csproj | Removed Microsoft.Bcl.Cryptography package reference |
| src/Microsoft.Data.SqlClient/netcore/ref/Microsoft.Data.SqlClient.csproj | Removed Microsoft.Bcl.Cryptography package reference |
| src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider.csproj | Removed System.Text.Encodings.Web package reference |
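
The agreement between nuspec files, version props and project references that the overview above describes can be checked mechanically. The following is an added example, not code from this pull request or the SqlClient repository: the XML fragments are constructed (element and property names follow the snippets quoted in this thread, values are made up), and `find_drift` and its helpers are hypothetical names.

```python
import re
import xml.etree.ElementTree as ET
# Constructed fragments: names follow the snippets in this thread; the values
# (and the deliberate drift in NUSPEC) are made up for the example.
PROPS = """<Project><PropertyGroup>
  <SystemBuffersVersion>4.6.1</SystemBuffersVersion>
  <SystemTextJsonVersion>8.0.6</SystemTextJsonVersion>
  <SystemSecurityCryptographyPkcsVersion>8.0.1</SystemSecurityCryptographyPkcsVersion>
</PropertyGroup></Project>"""
CSPROJ = """<Project><ItemGroup>
  <PackageReference Include="System.Buffers" Version="$(SystemBuffersVersion)" />
  <PackageReference Include="System.Text.Json" Version="$(SystemTextJsonVersion)" />
  <PackageReference Include="System.Security.Cryptography.Pkcs" Version="$(SystemSecurityCryptographyPkcsVersion)" />
</ItemGroup></Project>"""
NUSPEC = """<package><metadata><dependencies><group targetFramework="net462">
  <dependency id="System.Buffers" version="4.6.1" />
  <dependency id="System.Text.Json" version="8.0.5" />
</group></dependencies></metadata></package>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace prefix if present
def _elements(xml_text, name):
    return [e for e in ET.fromstring(xml_text).iter() if _local(e.tag) == name]

def csproj_versions(props_xml, csproj_xml):
    # Resolve each PackageReference's $(Property) against the props file.
    props = {_local(e.tag): (e.text or "").strip()
             for g in _elements(props_xml, "PropertyGroup") for e in g}
    resolved = {}
    for ref in _elements(csproj_xml, "PackageReference"):
        m = re.fullmatch(r"\$\((\w+)\)", ref.get("Version", ""))
        resolved[ref.get("Include")] = props.get(m.group(1)) if m else ref.get("Version")
    return resolved

def nuspec_versions(nuspec_xml, tfm):
    groups = [g for g in _elements(nuspec_xml, "group") if g.get("targetFramework") == tfm]
    return {d.get("id"): d.get("version") for g in groups for d in g if _local(d.tag) == "dependency"}

def find_drift(props_xml, csproj_xml, nuspec_xml, tfm):
    built, declared = csproj_versions(props_xml, csproj_xml), nuspec_versions(nuspec_xml, tfm)
    findings = []
    for pkg in sorted(built.keys() | declared.keys()):
        if pkg not in declared:
            findings.append((pkg, "referenced by csproj, missing from nuspec"))
        elif pkg not in built:
            findings.append((pkg, "declared in nuspec, not referenced by csproj"))
        elif built[pkg] is None:
            findings.append((pkg, "version property undefined"))
        elif built[pkg] != declared[pkg]:
            findings.append((pkg, f"csproj {built[pkg]} != nuspec {declared[pkg]}"))
    return findings
```

Call `find_drift(PROPS, CSPROJ, NUSPEC, "net462")` to get the list of mismatches for one target framework. Versions are compared as exact strings, so a nuspec version range is reported as drift, which fits the fixed versions this PR moves to.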

@paulmedynski
Contributor Author

/azp run

@azure-pipelines

Azure Pipelines successfully started running 2 pipeline(s).

codecov bot commented Dec 11, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 63.51%. Comparing base (fd34d5e) to head (1223be0).
⚠️ Report is 1 commits behind head on release/6.0.

Additional details and impacted files
@@               Coverage Diff               @@
##           release/6.0    #3840      +/-   ##
===============================================
- Coverage        63.68%   63.51%   -0.18%     
===============================================
  Files              285      285              
  Lines            59152    59160       +8     
===============================================
- Hits             37673    37576      -97     
- Misses           21479    21584     +105     
| Flag | Coverage Δ |
|---|---|
| addons | 92.58% <ø> (ø) |
| netcore | 67.96% <ø> (+0.03%) ⬆️ |
| netfx | 65.05% <ø> (-0.25%) ⬇️ |

@paulmedynski paulmedynski linked an issue Dec 11, 2025 that may be closed by this pull request
@paulmedynski paulmedynski marked this pull request as ready for review December 11, 2025 15:27
@paulmedynski paulmedynski requested a review from a team as a code owner December 11, 2025 15:27
<MicrosoftExtensionsHosting>8.0.1</MicrosoftExtensionsHosting>
<MicrosoftNETFrameworkReferenceAssembliesVersion>1.0.3</MicrosoftNETFrameworkReferenceAssembliesVersion>
<MicrosoftNETTestSdkVersion>17.11.1</MicrosoftNETTestSdkVersion>
<MicrosoftNETTestSdkVersion>17.12.0</MicrosoftNETTestSdkVersion>
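Review bot: the last two lines give `MicrosoftNETTestSdkVersion` as 17.11.1 and then 17.12.0, so this hunk changes the test SDK, and a green pipeline alone does not show that the same tests were discovered afterwards. Compare executed test counts per target framework against a run from before the change; the Codecov report on this page shows 97 fewer hits, which is worth explaining before merge.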
Contributor

👀 note to self to double check that tests still run

Contributor Author

Please do - I eyeballed a bunch of the jobs, and tests are running. I didn't do an exhaustive comparison with a previous run.

<dependency id="Microsoft.IdentityModel.JsonWebTokens" version="7.7.1" />
<dependency id="Microsoft.IdentityModel.Protocols.OpenIdConnect" version="7.7.1" />
<dependency id="System.Buffers" version="4.6.1" />
<dependency id="System.Security.Cryptography.Pkcs" version="8.0.1"/>
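Review bot: the `System.Security.Cryptography.Pkcs` entry on the last line of this hunk has to stay in step with the project files, because the nuspec is what package consumers restore against while the csproj `PackageReference` is what the assembly is compiled against. Keep or remove the nuspec line, the `PackageReference` and the `SystemSecurityCryptographyPkcsVersion` property together, per target framework. Minor: this line has no space before `/>`, unlike the three lines above it.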
Contributor

I think we get System.Security.Cryptography.Pkcs for free in net462: https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.pkcs?view=netframework-4.6.2

- Cleaned up MSS project and package refs.
Copilot AI review requested due to automatic review settings December 12, 2025 20:02
Copilot AI left a comment

Pull request overview

Copilot reviewed 17 out of 17 changed files in this pull request and generated no new comments.

mdaigle previously approved these changes Dec 15, 2025
apoorvdeshmukh previously approved these changes Dec 16, 2025
<tags>sqlclient microsoft.data.sqlclient</tags>
<dependencies>
<group targetFramework="net462">
<dependency id="Azure.Identity" version="1.14.2" />
Member

Aren't we missing a few dependencies here?
Azure.Core, Microsoft.Identity.Client, etc.

Member

@cheenamalhotra cheenamalhotra left a comment

Please revisit dependencies on this branch. 5.1 and 6.1 look good for comparisons.

@paulmedynski paulmedynski dismissed stale reviews from apoorvdeshmukh and mdaigle via 2bc2049 January 8, 2026 15:00
- Upgraded Azure.Core, Azure.Identity, and Azure.Security.KeyVault.Keys.
Copilot AI review requested due to automatic review settings January 8, 2026 17:16
Copilot AI left a comment

Pull request overview

Copilot reviewed 21 out of 21 changed files in this pull request and generated 8 comments.

Copilot AI review requested due to automatic review settings January 8, 2026 18:44
Copilot AI left a comment

Pull request overview

Copilot reviewed 21 out of 21 changed files in this pull request and generated 2 comments.

<PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="$(MicrosoftIdentityModelJsonWebTokensVersion)" />
<PackageReference Include="System.Buffers" Version="$(SystemBuffersVersion)" />
<PackageReference Include="System.Text.Json" Version="$(SystemTextJsonVersion)" />
<PackageReference Include="System.Security.Cryptography.Pkcs" Version="$(SystemSecurityCryptographyPkcsVersion)" />
Contributor

This ref should be maintained per this discussion: https://github.com/dotnet/SqlClient/pull/3843/changes#r2621484282

<PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="$(MicrosoftIdentityModelJsonWebTokensVersion)" />
<PackageReference Include="System.Buffers" Version="$(SystemBuffersVersion)" />
<PackageReference Include="System.Text.Json" Version="$(SystemTextJsonVersion)" />
<PackageReference Include="System.Security.Cryptography.Pkcs" Version="$(SystemSecurityCryptographyPkcsVersion)" />
Contributor

same applies here

<MicrosoftIdentityModelJsonWebTokensVersion>7.7.1</MicrosoftIdentityModelJsonWebTokensVersion>
<MicrosoftIdentityModelProtocolsOpenIdConnectVersion>7.7.1</MicrosoftIdentityModelProtocolsOpenIdConnectVersion>
<SystemRuntimeInteropServicesRuntimeInformationVersion>4.3.0</SystemRuntimeInteropServicesRuntimeInformationVersion>
<SystemSecurityCryptographyPkcsVersion>8.0.1</SystemSecurityCryptographyPkcsVersion>
Contributor

same applies here

Development

Successfully merging this pull request may close these issues.

[6.0] Remove unused dependencies

6 participants