@steveisok
Member

CG was flagging ILLink.Tasks and Microsoft.NETCore.Platforms as pulling in an older version of Microsoft.IO.Redist. This change pins the version we use to clear the alert.

@steveisok steveisok requested a review from sbomer as a code owner August 7, 2024 23:57
@steveisok steveisok requested a review from a team August 7, 2024 23:57
@dotnet-policy-service
Contributor

Tagging subscribers to this area: @dotnet/area-infrastructure-libraries
See info in area-owners.md if you want to be subscribed.

@carlossanlop
Contributor

Do we need to backport this change?

Member

@sbomer sbomer left a comment


For ILLink.Tasks, this is pulled in as a transitive dependency of Microsoft.Build.Tasks.Core. Could we fix it by bumping MicrosoftBuildVersion to pick up dotnet/msbuild#10375?

@steveisok
Member Author

For ILLink.Tasks, this is pulled in as a transitive dependency of Microsoft.Build.Tasks.Core. Could we fix it by bumping MicrosoftBuildVersion to pick up dotnet/msbuild#10375?

Has that shipped yet? I didn't think it did.

@agocke
Member

agocke commented Aug 8, 2024

Let's wait for MSBuild to move first.

agocke
agocke previously requested changes Aug 8, 2024
Member

@agocke agocke left a comment


Hold until we decide what to do for MSBuild

@carlossanlop carlossanlop added the NO-MERGE The PR is not ready for merge yet (see discussion for detailed reasons) label Aug 8, 2024
@krwq
Member

krwq commented Sep 24, 2024

consider porting fix to 8.0/9.0 branches since it also shows on CG alerts there

@agocke agocke dismissed their stale review October 11, 2024 01:44

This is causing CG errors, need to resolve ASAP

@ViktorHofer
Member

cc @ericstj

@steveisok steveisok removed the NO-MERGE The PR is not ready for merge yet (see discussion for detailed reasons) label Oct 11, 2024
@steveisok
Member Author

We actually do need to push this forward and backport to release/8.0 and release/9.0. It's blocking SDL signoff for 9.0 and it's not clear when MSBuild is going to bump.

Member

@ericstj ericstj left a comment


We shouldn't need this. We don't reference the Microsoft.IO.Redist package at all in main.

That was fixed with the PackageDownloadAndReference to only reference MSBuild itself.

@steveisok main has no CG alerts for this package. I only see them in 8.0 and 9.0. Perhaps we should consider backporting a portion of the audit change from main so that we don't end up chasing these alerts for build tasks.

@agocke
Member

agocke commented Oct 11, 2024

Perhaps we should consider backporting a portion of the audit change from main so that we don't end up chasing these alerts for build tasks.

Which change are you referring to?

@ericstj
Member

ericstj commented Oct 16, 2024

This one: #107639. I ported it back to 9.0. We can do something similar for 8.0, though we can't enable audit there.

@steveisok steveisok closed this Nov 11, 2024
@github-actions github-actions bot locked and limited conversation to collaborators Dec 12, 2024