Upgrading from Nuget version 0.5.17 to 1.1.17 - what to look out for?

[michaelmmcrae1]

First off thank you for your time and help!

I have an old .NET Core Function App.
It uses the Nuget package "Microsoft.PowerPlatform.Dataverse.Client.Dynamics" version 0.5.17.
I need to update it to a more recent version, presumably latest 1.1.17, due to flagged security vulnerabilities.

FYI from what I can tell the security vulnerabilities were flagged on these sub-dependencies of this package: system.drawing.common (4.7.0) and system.security.cryptography.xml (4.5.0).

I looked at the Change Log/Release Notes here: https://github.com/microsoft/PowerPlatform-DataverseServiceClient/blob/master/src/nuspecs/Microsoft.PowerPlatform.Dataverse.Client.Dynamics.ReleaseNotes.txt

However I noticed no notes for most of the minor/patch changes between 0.5.17 and latest 1.1.17 (why new releases if no changes?)
Probably means nothing to worry about, right? :) but I wanted to double check and ask since it seemed so sparse.

Is there anything I should know going from 0.5.17 to 1.1.17?

Related specific question:
Looks like every version after 1.0.39 does NOT support .NET Core 3.1, correct? We MUST be on .NET 6 to use versions after 1.0.39?

[michaelmmcrae1]

I just updated to the latest Nuget package version (1.1.17) and it appears it still has vulnerable versions as transitive dependencies. Is that right? I still see these getting included:

system.drawing.common (5.0.0)
system.security.cryptography.xml (5.0.0)

[MattB-msft]

@michaelmmcrae1 , thanks for reaching out.

.net 3.x support was dropped with 1.1.x, (underlying .net framework is out of support)
Min supported version was moved to .net6 at that time.
When we move the baseline to .net8, we will bump the version number to 1.2.x

The Client.Dynamics package includes only a set of extensions for the Dataverse Client, it has not changed in a quite a while, though it is built and tested with the Dataverse.Client code which is why its revving.

The DVSC release notes are here: https://github.com/microsoft/PowerPlatform-DataverseServiceClient/blob/master/src/nuspecs/Microsoft.PowerPlatform.Dataverse.Client.ReleaseNotes.txt

We have notes + change log for each release associated with the release itself here: https://github.com/microsoft/PowerPlatform-DataverseServiceClient/releases

Insofar as transitive dependencies showing vulnerabilities. This is something we work to keep up without breaking compatibility.
Our recommendation here is to install the transitive dependencies you need to be compliant with your build process, and then remove them when we have included the updates.
We will do this in the DVSC Client itself when it makes sense.

An example of how that is notated is here:
when added:

PowerPlatform-DataverseServiceClient/src/nuspecs/Microsoft.PowerPlatform.Dataverse.Client.ReleaseNotes.txt

Line 38 in 33b6089

Dependency changes:

When removed:
https://github.com/microsoft/PowerPlatform-DataverseServiceClient/blob/33b6089f0be589dddad774fe748a93813bab4a97/src/nuspecs/Microsoft.PowerPlatform.Dataverse.Client.ReleaseNotes.txt#L21C1-L27C1

Hope that helps.

[michaelmmcrae1]

Than you @MattB-msft Can you elaborate on this?

"Our recommendation here is to install the transitive dependencies you need to be compliant with your build process, and then remove them when we have included the updates."

Do you basically mean:

• Add the problematic library, but at a higher/secure version, as its own explicit top level Nuget package on my project?
• Assuming that would then stop the lower version from coming in, it would work with the higher version I specified as a Nuget package reference?

[MattB-msft]

Yes, that is correct.
if you explicitly add the transient, your build will use that version.
You have to account to for compatibility though.

[michaelmmcrae1]

Sharing, this is what I ended up doing:

• Updated/picked specific Nuget package versions for the 2 packages that I was concerned with.
• So this is what my entire csproj file (including Nuget packages) looked like:
• The 2 System.* packages were not present originally when just referencing the Dataverse Client. They were added after I picked specific versions for them in Nuget manager.
• 

[MattB-msft]

As a recommendation, Unless you're using the Dynamics extensions, you should link to Microsoft.PowerPlatform.Dataverse.Client nuget package.