Aspnetcore: Deprecate Microsoft.AspNetCore.All
Earlier this year, we announced the Microsoft.AspNetCore.App metapackage (see https://github.com/aspnet/Announcements/issues/287). That announcement said:
The existing Microsoft.AspNetCore.All meta-package will continue to be made available throughout the 2.x lifecycle, but we recommend customers move to the new Microsoft.AspNetCore.App meta-package and then add individual references to any of the removed packages if their app requires it.
See our documentation for details on how to migrate from Microsoft.AspNetCore.All to .App.
We have begun working on ASP.NET Core 3.0, and as a part of that, we will stop producing the Microsoft.AspNetCore.All metapackage and the matching Microsoft.AspNetCore.All shared framework.
This package will still be available in ASP.NET Core 2.2 and will continue to receive servicing updates in ASP.NET Core 2.1.
natemcmaster
All 8 comments
Could you elaborate on the rationale please?
EDIT: See https://github.com/aspnet/MetaPackages/issues/255#issuecomment-363916530
gldraphael
on 10 Aug 2018
@gldraphael
I think the announcement sums it up pretty well. They want to reduce the number of dependencies of packages not owned or supported by the ASP.NET or .NET teams to just those deemed necessary to ensure the major frameworks features function..
Many people don't need Redis, DataProtection.AzureStorage, ApplicationInsights etc. Not only that, but some of those have transitive dependencies like StackExchange.Redis. If you get enough of those, the core teams have to spend their time managing all sorts of packages they do not own or support.
VictorioBerra
on 10 Aug 2018
Would it be possible to address NuGet/Home#2867鈥攅specially the security aspects鈥攂efore this change goes into the released product? The more dependencies a project has, the more difficult it is to make sure none of them have outstanding security advisories, so not being able to use AspNetCore.All will add to end users' maintenance workloads.
NPM have really raised the bar on this by implementing npm audit, which automates the process of checking for vulnerable dependencies. It would be fantastic to see something similar in Nuget.
PeteX
on 10 Aug 2018
The more dependencies a project has, the more difficult it is to make sure none of them have outstanding security advisories, so not being able to use AspNetCore.All will add to end users' maintenance workloads.
You do realize that using Microsoft.AspNetCore.App instead of Microsoft.AspNetCore.All gives you fewer dependencies, right?
It would be fantastic to see something similar in Nuget.
The feature is being worked on; https://github.com/NuGet/Home/wiki/Deprecate-packages
khellang
on 10 Aug 2018
@PeteX I asked for that tool a year ago, but nothing has really happened so far. Created https://github.com/retirenet/dotnet-retire meanwhile.
johnkors
on 10 Aug 2018
Hi, can we use Microsoft.AspNetCore.App meta-package targeting Full .NET?
means to ha a csprojet look like that:
<Project Sdk="Microsoft.NET.Sdk.Web">
<PropertyGroup>
<TargetFramework>net472</TargetFramework>
<DebugType>full</DebugType>
<UserSecretsId>aspnet-TestApp-4265477E-A059-46D4-5678-E56D6G5J9DCE</UserSecretsId>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.AspNetCore.App" Version="2.1.2" />
<PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="2.1.1" PrivateAssets="All" />
</ItemGroup>
</Project>
ikourfaln
on 10 Aug 2018
@ikourfaln No, the meta packages only work with .NET Core. You will have to add all dependencies explicitly with the .NET Framework.
poke
on 10 Aug 2018
It's great news that deprecation in Nuget is being worked on!
@khellang, you're right of course! What I meant was that you get fewer explicit dependencies. I trust Microsoft to make sure the dependencies of Microsoft.AspNetCore.All are sufficiently up to date to be free of known security issues.
PeteX
on 10 Aug 2018
Related issues
snebjorn
路
3Comments
rbanks54
路
3Comments
Pixel-Lord
路
3Comments
TanvirArjel
路
3Comments
aurokk
路
3Comments
Most helpful comment
@gldraphael
I think the announcement sums it up pretty well. They want to reduce the number of dependencies of packages not owned or supported by the ASP.NET or .NET teams to just those deemed necessary to ensure the major frameworks features function..
Many people don't need
Redis,DataProtection.AzureStorage,ApplicationInsightsetc. Not only that, but some of those have transitive dependencies likeStackExchange.Redis. If you get enough of those, the core teams have to spend their time managing all sorts of packages they do not own or support.