- Rolled back some packages to the newest versions that don't include major version bumps for transitive packages.

- Left breadcrumbs indicating why we're including Azure.Core explicitly.

Author: paulmedynski

src/Microsoft.Data.SqlClient/netcore/ref/Microsoft.Data.SqlClient.csproj

@@ -55,8 +55,12 @@
     <!-- Enable the project reference for debugging purposes. -->
     <!-- <ProjectReference Include="$(SqlServerSourceCode)\Microsoft.SqlServer.Server.csproj" /> -->
     <PackageReference Include="Microsoft.SqlServer.Server" Version="$(MicrosoftSqlServerServerVersion)" />
-    <PackageReference Include="Azure.Identity" Version="$(AzureIdentityVersion)" />
+    <!--
+      Azure.Core is explicitly referenced to avoid a transitive dependency on
+      a vulnerable version via Azure.Identity.
+    -->
     <PackageReference Include="Azure.Core" Version="$(AzureCoreVersion)" />
+    <PackageReference Include="Azure.Identity" Version="$(AzureIdentityVersion)" />
     <PackageReference Include="Microsoft.Identity.Client" Version="$(MicrosoftIdentityClientVersion)" />
     <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="$(MicrosoftIdentityModelProtocolsOpenIdConnectVersion)" />
     <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="$(MicrosoftIdentityModelJsonWebTokensVersion)" />

src/Microsoft.Data.SqlClient/netcore/src/Microsoft.Data.SqlClient.csproj

@@ -969,8 +969,12 @@
     <!-- <ProjectReference Include="$(SqlServerSourceCode)\Microsoft.SqlServer.Server.csproj" /> -->
     <PackageReference Include="Microsoft.SqlServer.Server" Version="$(MicrosoftSqlServerServerVersion)" />
     <PackageReference Condition="$(TargetGroup) == 'netcoreapp' " Include="System.Diagnostics.DiagnosticSource" Version="$(SystemDiagnosticsDiagnosticSourceVersion)" />
-    <PackageReference Include="Azure.Identity" Version="$(AzureIdentityVersion)" />
+    <!--
+      Azure.Core is explicitly referenced to avoid a transitive dependency on
+      a vulnerable version via Azure.Identity.
+    -->
     <PackageReference Include="Azure.Core" Version="$(AzureCoreVersion)" />
+    <PackageReference Include="Azure.Identity" Version="$(AzureIdentityVersion)" />
     <PackageReference Include="Microsoft.Identity.Client" Version="$(MicrosoftIdentityClientVersion)" />
     <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="$(MicrosoftIdentityModelProtocolsOpenIdConnectVersion)" />
     <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="$(MicrosoftIdentityModelJsonWebTokensVersion)" />

src/Microsoft.Data.SqlClient/netfx/ref/Microsoft.Data.SqlClient.csproj

@@ -38,8 +38,12 @@
     </PackageReference>
   </ItemGroup>
   <ItemGroup>
-    <PackageReference Include="Azure.Identity" Version="$(AzureIdentityVersion)" />
+    <!--
+      Azure.Core is explicitly referenced to avoid a transitive dependency on
+      a vulnerable version via Azure.Identity.
+    -->
     <PackageReference Include="Azure.Core" Version="$(AzureCoreVersion)" />
+    <PackageReference Include="Azure.Identity" Version="$(AzureIdentityVersion)" />
     <PackageReference Include="Microsoft.Identity.Client" Version="$(MicrosoftIdentityClientVersion)" />
     <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="$(MicrosoftIdentityModelJsonWebTokensVersion)" />
     <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="$(MicrosoftIdentityModelProtocolsOpenIdConnectVersion)" />

src/Microsoft.Data.SqlClient/netfx/src/Microsoft.Data.SqlClient.csproj

@@ -713,8 +713,12 @@
     </PackageReference>
   </ItemGroup>
   <ItemGroup>
-    <PackageReference Include="Azure.Identity" Version="$(AzureIdentityVersion)" />
+    <!--
+      Azure.Core is explicitly referenced to avoid a transitive dependency on
+      a vulnerable version via Azure.Identity.
+    -->
     <PackageReference Include="Azure.Core" Version="$(AzureCoreVersion)" />
+    <PackageReference Include="Azure.Identity" Version="$(AzureIdentityVersion)" />
     <PackageReference Include="Microsoft.Identity.Client" Version="$(MicrosoftIdentityClientVersion)" />
     <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="$(MicrosoftIdentityModelJsonWebTokensVersion)" />
     <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="$(MicrosoftIdentityModelProtocolsOpenIdConnectVersion)" />

src/Microsoft.Data.SqlClient/tests/FunctionalTests/Microsoft.Data.SqlClient.Tests.csproj

@@ -86,6 +86,7 @@
     <PackageReference Include="Microsoft.Extensions.Hosting" Version="$(MicrosoftExtensionsHostingVersion)" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(MicrosoftNETTestSdkVersion)" />
     <PackageReference Include="System.Diagnostics.DiagnosticSource" Version="$(SystemDiagnosticsDiagnosticSourceVersion)" />
+    <PackageReference Include="System.Text.Json" Version="$(SystemTextJsonVersion)" />
     <PackageReference Include="Newtonsoft.Json" Version="$(NewtonsoftJsonVersion)" />
     <Reference Condition="'$(TargetGroup)'=='netfx'" Include="System.Transactions" />
     <PackageReference Include="System.Private.Uri" Version="$(SystemPrivateUriVersion)" />

src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/ExceptionTest/ConnectionExceptionTest.cs

@@ -144,7 +144,13 @@ public void NamedPipeInvalidConnStringTest()
         }
 
         [Fact]
-        [SkipOnTargetFramework(~(TargetFrameworkMonikers)0x4)]
+        [SkipOnTargetFramework(
+            // We had defined Uap to be 0x4 in our fork/copy of XUnitExtensions.
+            // Now that we're using the NuGet package, I can't add enum members,
+            // so I kept the functionality here by casting from the old raw
+            // value.  XUnitExtensions's TargetFrameworkMonikers currently only
+            // includes enum values up to 0x2, so this is safe - for now.
+            ~(TargetFrameworkMonikers)0x4)]
         public static void LocalDBNotSupportedOnUapTest()
         {
             SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(@$"server=(localdb)\{DataTestUtility.LocalDbAppName}")

src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/LocalDBTest/LocalDBTest.cs

@@ -27,7 +27,13 @@ private enum InfoType
         private static readonly string s_localDbNamedPipeConnectionString = @$"server={GetLocalDbNamedPipe()}";
 
         #region LocalDbTests
-        [SkipOnTargetFramework((TargetFrameworkMonikers)0x4)] // No Registry support on UAP
+        [SkipOnTargetFramework(
+            // We had defined Uap to be 0x4 in our fork/copy of XUnitExtensions.
+            // Now that we're using the NuGet package, I can't add enum members,
+            // so I kept the functionality here by casting from the old raw
+            // value.  XUnitExtensions's TargetFrameworkMonikers currently only
+            // includes enum values up to 0x2, so this is safe - for now.
+            (TargetFrameworkMonikers)0x4)] // No Registry support on UAP
         [ConditionalFact(nameof(IsLocalDBEnvironmentSet))]
         public static void SqlLocalDbConnectionTest()
         {

src/Microsoft.Data.SqlClient/tests/tools/Microsoft.Data.SqlClient.TestUtilities/Microsoft.Data.SqlClient.TestUtilities.csproj

@@ -14,8 +14,9 @@
     <None Update="config.json">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>
+    <PackageReference Include="Azure.Core" Version="$(AzureCoreVersion)" />
     <PackageReference Include="Azure.Identity" Version="$(AzureIdentityVersion)" />
     <PackageReference Include="Azure.Security.KeyVault.Keys" Version="$(AzureSecurityKeyVaultKeysVersion)" />
     <PackageReference Include="Newtonsoft.Json" Version="$(NewtonsoftJsonVersion)" />
   </ItemGroup>
-</Project>
+</Project>

tools/props/Versions.props

@@ -28,7 +28,7 @@
   <!-- NetFx and NetCore project dependencies -->
   <PropertyGroup>
     <AzureIdentityVersion>1.12.1</AzureIdentityVersion>
-    <MicrosoftIdentityClientVersion>4.78.0</MicrosoftIdentityClientVersion>
+    <MicrosoftIdentityClientVersion>4.76.0</MicrosoftIdentityClientVersion>
     <MicrosoftIdentityModelProtocolsOpenIdConnectVersion>6.35.0</MicrosoftIdentityModelProtocolsOpenIdConnectVersion>
     <MicrosoftIdentityModelJsonWebTokensVersion>6.35.0</MicrosoftIdentityModelJsonWebTokensVersion>
     <SystemBuffersVersion>4.5.1</SystemBuffersVersion>
@@ -55,8 +55,8 @@
   </PropertyGroup>
   <!-- AKV Provider project dependencies -->
   <PropertyGroup>
-    <AzureCoreVersion>1.45.0</AzureCoreVersion>
-    <AzureSecurityKeyVaultKeysVersion>4.7.0</AzureSecurityKeyVaultKeysVersion>
+    <AzureCoreVersion>1.41.0</AzureCoreVersion>
+    <AzureSecurityKeyVaultKeysVersion>4.6.0</AzureSecurityKeyVaultKeysVersion>
     <MicrosoftExtensionsCachingMemoryVersion>6.0.3</MicrosoftExtensionsCachingMemoryVersion>
     <SystemPrivateUriVersion>4.3.2</SystemPrivateUriVersion>
   </PropertyGroup>

tools/specs/Microsoft.Data.SqlClient.nuspec

@@ -29,6 +29,10 @@ When using NuGet 3.x this package requires at least version 3.4.</description>
     <dependencies>
       <group targetFramework="net462">
         <dependency id="Microsoft.Data.SqlClient.SNI" version="5.1.2" />
+        <!--
+          Azure.Core is explicitly referenced to avoid a transitive dependency
+          on a vulnerable version via Azure.Identity.
+        -->
         <dependency id="Azure.Core" version="1.45.0" />
         <dependency id="Azure.Identity" version="1.12.1" />
         <dependency id="Microsoft.Identity.Client" version="4.78.0" />
@@ -42,6 +46,10 @@ When using NuGet 3.x this package requires at least version 3.4.</description>
       </group>
       <group targetFramework="net6.0">
         <dependency id="Microsoft.Data.SqlClient.SNI.runtime" version="5.1.2" exclude="Compile" />
+        <!--
+          Azure.Core is explicitly referenced to avoid a transitive dependency
+          on a vulnerable version via Azure.Identity.
+        -->
         <dependency id="Azure.Core" version="1.45.0" />
         <dependency id="Azure.Identity" version="1.12.1" />
         <dependency id="Microsoft.Identity.Client" version="4.78.0" exclude="Compile"/>
@@ -58,6 +66,10 @@ When using NuGet 3.x this package requires at least version 3.4.</description>
       </group>
       <group targetFramework="netstandard2.0">
         <dependency id="Microsoft.Data.SqlClient.SNI.runtime" version="5.1.2" exclude="Compile" />
+        <!--
+          Azure.Core is explicitly referenced to avoid a transitive dependency
+          on a vulnerable version via Azure.Identity.
+        -->
         <dependency id="Azure.Core" version="1.45.0" />
         <dependency id="Azure.Identity" version="1.12.1" />
         <dependency id="Microsoft.Identity.Client" version="4.78.0" exclude="Compile"/>
@@ -76,6 +88,10 @@ When using NuGet 3.x this package requires at least version 3.4.</description>
       </group>
       <group targetFramework="netstandard2.1">
         <dependency id="Microsoft.Data.SqlClient.SNI.runtime" version="5.1.2" exclude="Compile" />
+        <!--
+          Azure.Core is explicitly referenced to avoid a transitive dependency
+          on a vulnerable version via Azure.Identity.
+        -->
         <dependency id="Azure.Core" version="1.45.0" />
         <dependency id="Azure.Identity" version="1.12.1" />
         <dependency id="Microsoft.Identity.Client" version="4.78.0" exclude="Compile"/>