Updated: Dependencies #453

Merged (1 commit), Sep 28, 2024

@dreamsyntax (Contributor) commented Sep 27, 2024

Summary:

  • Upgrades safe-to-upgrade dependencies only (I was careful to look for .NET Standard 2.0 or .NET 5.0 support)
  • Remove an old lingering backup cs file
  • Explicitly define non-vulnerable transitive dependencies for currently pulled vulnerable dependencies

Makes these two PRs obsolete:
#234
#168

--Reloaded.Mod.Installer & Reloaded.Mod.Installer.Cli--
Explicitly Declare transitive dependencies to resolve known vuln:
System.Net.Http to 4.3.4
System.Text.RegularExpressions to 4.3.1

--Reloaded.Mod.Launcher.Lib--
IoC.Container 1.3.7 -> 1.3.8

--Reloaded.Mod.Launcher--
Reloaded.Memory 9.4.0 -> 9.4.2
Delete 'Reloaded - Backup.Mod.Launcher.csproj'

--Reloaded.Mod.Launcher.IO--
Reloaded.Memory 9.4.0 -> 9.4.2
System.Text.Json 7.0.0-rc.2.22472.3 -> 8.0.4

--Reloaded.Mod.Loader.Tests--
Bogus 34.0.2 -> 35.6.1
Microsoft.NET.Test.Sdk 17.2.0 -> 17.11.1
Moq 4.18.1 -> 4.20.72
xunit 2.4.1 -> 2.9.2

--Reloaded.Mod.Loader.Update.Packaging--
Sewer56.Update 4.0.0 -> 4.0.2
Sewer56.Update.Extractors.SevenZipSharp 1.1.2 -> 1.1.4 
Sewer56.Update.Packaging 3.0.0 -> 3.0.1
Sewer56.Update.Resolvers.NuGet 1.4.0 -> 1.4.1
Sewer56.Update.Resolvers.GameBanana 1.4.1 -> 1.4.2

--Reloaded.Mod.Loader.Update--
HtmlAgilityPack 1.11.43 -> 1.11.66
NuGet.Packaging 6.3.0 -> 6.11.0
NuGet.Packaging.Core 6.3.0 -> REMOVED (Deprecated)
NuGet.Protocol 6.3.0 -> 6.7.1
Polly 8.3.1 -> 8.4.2
ReverseMarkdown 3.23.1 -> 4.6.0
Sewer56.Update 4.0.1 -> 4.0.2
Sewer56.Update.Resolvers.GitHub 1.5.1 -> 1.5.2
System.Formats.Asn1 8.0.1 (transitive to explicit vuln patch)
System.Net.Http 4.3.4 (transitive to explicit vuln patch)
System.Text.RegularExpressions 4.3.1 (transitive to explicit vuln patch)

--Reloaded.Mod.Loader--
Microsoft.NET.ILLink.Tasks 8.0.2 -> 8.0.8
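
The explicit pins listed in the description above can be verified against a project file before release. The following Python check is an added example, not code from this PR or the Reloaded project; the function names and the sample project file are constructed for illustration, and the floor versions are the ones stated in the description.

```python
import xml.etree.ElementTree as ET

# Explicit pins listed in the PR description (values taken from the page).
REQUIRED_PINS = {
    "System.Net.Http": "4.3.4",
    "System.Text.RegularExpressions": "4.3.1",
    "System.Formats.Asn1": "8.0.1",
}

def version_key(text):
    """Sortable key for a dotted version; a prerelease sorts below its release."""
    core, _, prerelease = text.strip().partition("-")
    parts = [int(p) for p in core.split(".")]  # ValueError on ranges or wildcards
    return tuple(parts + [0] * (4 - len(parts))), prerelease == ""

def declared_packages(csproj_xml):
    """Map lower-cased package id -> version for each explicit PackageReference."""
    found = {}
    for elem in ET.fromstring(csproj_xml).iter():
        if elem.tag.rsplit("}", 1)[-1] != "PackageReference":  # drop xmlns prefix
            continue
        # Version may be an attribute or a <Version> child element.
        child = next((c.text for c in elem if c.tag.endswith("Version")), None)
        version = elem.get("Version") or child
        if elem.get("Include"):
            found[elem.get("Include").lower()] = version
    return found

def pin_status(version, floor):
    """'missing' (no explicit version), 'unparsed', 'below' the floor, or 'ok'."""
    if version is None:
        return "missing"
    try:
        return "ok" if version_key(version) >= version_key(floor) else "below"
    except ValueError:
        return "unparsed"

def audit_pins(csproj_xml, required=REQUIRED_PINS):
    """Return {package id: status} for every required pin."""
    declared = declared_packages(csproj_xml)
    return {n: pin_status(declared.get(n.lower()), f) for n, f in required.items()}

# Constructed sample project file, not taken from the repository.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="System.Net.Http" Version="4.3.4" />
  <PackageReference Include="system.text.regularexpressions" Version="4.3.0" />
</ItemGroup></Project>"""

if __name__ == "__main__":
    print(audit_pins(SAMPLE_CSPROJ))
```

Projects that use central package management declare versions in `Directory.Packages.props`, which this check does not read.
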
@Sewer56 (Member) commented Sep 27, 2024

Did you test the NuGet code?
From what I remember, a part of the implementation calls an internal field via reflection, because the public API doesn't have the required functionality. I think it had to do with file sizes of downloads.

@dreamsyntax (Contributor Author)

> Did you test the NuGet code? From what I remember, a part of the implementation calls an internal field via reflection, because the public API doesn't have the required functionality. I think it had to do with file sizes of downloads.

Performed test:

Changed the version number to lower
Remove non-nuget upgrade sources
Check for updates (restart launcher)
See if NuGet update works ✔️ 
See if FileSize present ✔️ 

@dreamsyntax (Contributor Author)

Side note, on first install Reloaded.Hooks is auto downloaded/updated and shows "Unknown Package". This is not related to my PR, happens on current release.

@Sewer56 Sewer56 merged commit 3c50ca6 into Reloaded-Project:master Sep 28, 2024
2 checks passed
@dreamsyntax dreamsyntax deleted the dep-patch-updates branch September 29, 2024 04:22