Open
Description
Is there an existing issue for this?
- I have searched the existing issues
Is your feature request related to a problem? Please describe the problem.
For ASP.NET Core in a source-build context, there are two goals that are generally in tension with each other:
- Ease of development: ASP.NET Core developers want to use the best tools for development, including the best bundling tools, linting tools, and anything else that makes it easier to build, test and release bug-free versions of ASP.NET Core with the least amount of work.
- Ease of packaging: .NET maintainers want to build everything from source, without any binaries. With the javascript/npm ecosystem,that can mean having to include and build thousands of npm packages, which creates extra work.
Describe the solution you'd like
Perhaps we can reduce the pain in the second point by focusing on things that are really needed in a VMR/source-build context?
For example, in a VMR/source-build context, we don't need to:
- Create npm packages (like
@microsoft/signalr) for publishing to npmjs.org - Build Windows-only components in a source-build-only context
- Create nupkgs that are only published to nuget.org
- Run linting tools
Is there a list of packages/projects that are strictly required for creating the .NET SDK in a source-build context? Can we trim down the ASP.NET Core dependency tree (and build system) to focus on just those packages, to make it easier to source-build all of ASP.NET Core?
Additional context
No response
Metadata
Metadata
Assignees
Type
Projects
Milestone
Relationships
Development
No branches or pull requests
Participants
Activity
omajid commentedon Apr 25, 2024
cc @javiercn @mthalman @MichaelSimons @tmds
wtgodbe commentedon Apr 30, 2024
Thanks for filing this - we'll look into having a good long-term solution for this after our current security wave ends, likely for .NET 10.
tmds commentedon Oct 1, 2024
@javiercn @wtgodbe we'd like to understand better where the pre-built JavaScript that source-build uses ends up. Does it become part of the distro packages, or is it part of Microsoft nuget.org packages? What types of .NET projects use it? If it is part of nuget.org packages, does the SDK assume specific versions for these packages?
javiercn commentedon Oct 9, 2024
@tmds We generate JS bundles that get checked in any time we change our Typescript for Blazor Web and Blazor Server and those bundles get embedded in the assembly as part of the build.
From the build point of view, those JS files are source files like if we were using any other JS library (like the ones we ship in our templates)
tmds commentedon Oct 9, 2024
Can you be specific as to what the assembly names are? And do they come as part of the .NET installation, or through nuget.org?
The typescript that is in these assemblies is only ever ran in a browser, right?
javiercn commentedon Oct 9, 2024
@tmds It's JavaScript at that point, not Typescript.
Microsoft.AspNetCore.Components.ServerandMicrosoft.AspNetCore.Components.Endpoints.Serverthe JS code only runs on the browser.tmds commentedon Oct 23, 2024
Thank you for this information @javiercn!
For us it is important to know that we are including this JS code bundled in our .NET packages, and security issues reported against the JS/TS modules only apply if they are for browsers and not for other environments, like the Node.js runtime.