Which projects and javascript modules are strictly needed in a source-build only scenario?

[omajid]

Is there an existing issue for this?

• I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

For ASP.NET Core in a source-build context, there are two goals that are generally in tension with each other:

• Ease of development: ASP.NET Core developers want to use the best tools for development, including the best bundling tools, linting tools, and anything else that makes it easier to build, test and release bug-free versions of ASP.NET Core with the least amount of work.
• Ease of packaging: .NET maintainers want to build everything from source, without any binaries. With the javascript/npm ecosystem,that can mean having to include and build thousands of npm packages, which creates extra work.

Describe the solution you'd like

Perhaps we can reduce the pain in the second point by focusing on things that are really needed in a VMR/source-build context?

For example, in a VMR/source-build context, we don't need to:

• Create npm packages (like @microsoft/signalr) for publishing to npmjs.org
• Build Windows-only components in a source-build-only context
• Create nupkgs that are only published to nuget.org
• Run linting tools

Is there a list of packages/projects that are strictly required for creating the .NET SDK in a source-build context? Can we trim down the ASP.NET Core dependency tree (and build system) to focus on just those packages, to make it easier to source-build all of ASP.NET Core?

Additional context

No response

[omajid]

cc @javiercn @mthalman @MichaelSimons @tmds

[wtgodbe]

Thanks for filing this - we'll look into having a good long-term solution for this after our current security wave ends, likely for .NET 10.

[tmds]

@javiercn @wtgodbe we'd like to understand better where the pre-built JavaScript that source-build uses ends up. Does it become part of the distro packages, or is it part of Microsoft nuget.org packages? What types of .NET projects use it? If it is part of nuget.org packages, does the SDK assume specific versions for these packages?

[javiercn]

@tmds We generate JS bundles that get checked in any time we change our Typescript for Blazor Web and Blazor Server and those bundles get embedded in the assembly as part of the build.

From the build point of view, those JS files are source files like if we were using any other JS library (like the ones we ship in our templates)

[tmds]

get embedded in the assembly as part of the build.

Can you be specific as to what the assembly names are? And do they come as part of the .NET installation, or through nuget.org?

The typescript that is in these assemblies is only ever ran in a browser, right?

[javiercn]

@tmds It's JavaScript at that point, not Typescript.

Microsoft.AspNetCore.Components.Server and Microsoft.AspNetCore.Components.Endpoints.Server the JS code only runs on the browser.

[tmds]

Thank you for this information @javiercn!

For us it is important to know that we are including this JS code bundled in our .NET packages, and security issues reported against the JS/TS modules only apply if they are for browsers and not for other environments, like the Node.js runtime.