Dependency warnings with Google.Apis.Auth 1.63.0 or higher

[jskeet]

Consider a simple project:

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net462</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Google.Apis.Auth" Version="1.63.0" />
  </ItemGroup>

</Project>

This generates different warnings depending on the target framework:

• .NET 4.6.1: System.CodeDom 7.0.0 doesn't support net461 and has not been tested with it.
• .NET 4.6.2: Conflicts for System.Net.Http (4.0.0.0 vs 4.2.0.0)

(I thought I saw it when targeting net6.0 as well, but I can't reproduce that now.)

The System.CodeDom warning is because of the System.Management dependency introduced in 1.63.0 for ComputeCredential. It's not clear how/whether we can disable it for end users.

It looks like the System.Net.Http warning may be longstanding - again, I don't know how to resolve it.

[amanda-tarafa]

I'll take a look later this week.

[amanda-tarafa]

The warning for System.CodeDom System.CodeDom 7.0.0 doesn't support net461 and has not been tested with it. dissapears for .NET 4.6.2 upwards for .NET Framework and I haven't been able to reproduce it in .NET Core or .NET targets. Given #2561 I think we should be fine here.

[jskeet]

That's good to know. We should look into the System.Net.Http warning at some point, although it's not clear what we'll be able to do about it.

[amanda-tarafa]

The warning for System.Net.Http in .NET 4.6.2 is a weird one.

Consider the following code:

using System;
using System.Linq;
using System.Net.Http;
using System.Reflection;
using System.Runtime.Versioning;

namespace TestSystemManagementDependencyWarnings
{
    internal class Program
    {
        static void Main(string[] args)
        {
            var thisAssembly = Assembly.GetExecutingAssembly();
            var dependencies = thisAssembly.GetReferencedAssemblies();
            var targetFramework = thisAssembly.GetCustomAttributes(typeof(TargetFrameworkAttribute), false).Cast<TargetFrameworkAttribute>().First();

            Console.WriteLine($"Targetting {targetFramework.FrameworkDisplayName}");
            Console.WriteLine($"Dependencies:");
            foreach (var dependency in dependencies)
            {
                Console.WriteLine(dependency.FullName);
            }

            try
            {
                Console.WriteLine("Attempting to load System.Net.Http and fetch its information.");
                var systemNetHttpAssembly = typeof(HttpClient).Assembly;
                Console.WriteLine($"{systemNetHttpAssembly.FullName}.");
                Console.WriteLine($"{systemNetHttpAssembly.Location}");
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex);
            }
        }
    }
}

And now, running the code in the 3 following projects we get the following output:

Project 1, .NET 4.6.1, Dependency on Google.Apis.Auth 1.63.0

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net461</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Google.Apis.Auth" Version="1.63.0" />
  </ItemGroup>

</Project>

Output:

Targetting .NET Framework 4.6.1
Dependencies:
mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Net.Http, Version=4.2.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
Attempting to load System.Net.Http and fetch its information.
System.Net.Http, Version=4.2.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a.
C:\Users\<REDACTED>\source\repos\TestSolution\TestSystemManagementDependencyWarnings\bin\Debug\net461\System.Net.Http.dll

The System.Net.Http dependency is 4.2.0 and the loaded assembly is also 4.2.0 from the bin folder.

Project 2, .NET 4.6.2, Dependency on Google.Apis.Auth 1.63.0

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net462</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Google.Apis.Auth" Version="1.63.0" />
  </ItemGroup>

</Project>

Output:

Targetting .NET Framework 4.6.2
Dependencies:
mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
Attempting to load System.Net.Http and fetch its information.
System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a.
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Net.Http\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Net.Http.dll

The System.Net.Http dependency is 4.0.0 and the loaded assembly is also 4.0.0 from GAC. Here's where we get a warning as Google.Apis.Auth depends on System.Net.Http 4.2.0

Project 3 .NET 4.8, Dependency on Google.Apis.Auth 1.63.0

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net48</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Google.Apis.Auth" Version="1.63.0" />
  </ItemGroup>

</Project>

Output

Targetting .NET Framework 4.8
Dependencies:
mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Net.Http, Version=4.2.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
Attempting to load System.Net.Http and fetch its information.
System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a.
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Net.Http\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Net.Http.dll

The System.Net.Http dependency is 4.2.0 but the loaded assembly is 4.0.0 from GAC. We don't get a warning here, both Google.Apis.Auth and this project depend on the same version of System.Net.Http.

@jskeet I'm not really certain what's happening here, in particular why the console app resolves correctly to System.Net.Http 4.2.0 dependency for target .NET 4.6.1 but incorrectly to System.Net.Http 4.0.0 for target .NET 4.6.2.
Any ideas?

[jskeet]

Nope, no ideas I'm afraid. Really, really odd. It may resolve itself when we change our targets... probably something to look into more at that point.
https://stackoverflow.com/questions/48866419 suggests that moving to the package reference for System.Net.Http could be worth doing. But it's not urgent.

[amanda-tarafa]

Yes, I thought about moving to the package reference, but then I found this tini-tiny comment from MS discouraging that.

I'm downgrading this to P3, and leave open so we remember to check when we change our targets. Or at least figuring it out may get simpler.

[jskeet]

Interestingly, we're getting the System.Net.Http warning when building Google.Cloud.Storage.V1 now - I'm sure we didn't get that before. This may well be an SDK change though, rather than a library change...

[jskeet]

Just as a thought, might the newness of the warning in 1.63.0 be related to the introduction of a System.Management dependency for the BIOS bit?

[amanda-tarafa]

Just as a thought, might the newness of the warning in 1.63.0 be related to the introduction of a System.Management dependency for the BIOS bit?

Yes, and you even said so when you created the issue :) "The System.CodeDom warning is because of the System.Management dependency introduced in 1.63.0 for ComputeCredential. It's not clear how/whether we can disable it for end users."

When I tested with .NET 4.6.2, the warning disappeared, so I think we are fine on this front. Referencing just the project has never produced the warning, but I'll see if I have time to generate a .Nuget package later from #2608 and confirm that the warning are gone.

The System.Net.Http warning is the one that is a little but more puzzling.

[jskeet]

The System.Net.Http warning is the one that is a little but more puzzling.

Sorry, yes, that's the one I meant. Not sure if that's somehow related to System.Management in a weird way.

[amanda-tarafa]

From the two warnings that this issue covers:

.NET 4.6.1: System.CodeDom 7.0.0 doesn't support net461 and has not been tested with it.

• We did introduced an indirect dependency on System.CodeDom 7.0.0 when we added the System.Management dependency in v1.63.0 for ComputeCredential. This warning happens when the dependant application targets .NET 4.6.1 (and possibly lower, untested) and .NET Core 3.0, .Net Core 3.1 and .NET 5. This means that:
  • In our Google.Apis projects it only happens in Google.Apis.Auth.AspNetCore3, which is unavoidable. I'm keeping the warning suppression from chore: Suppress warning for System.CodeDom on older frameworks #2598 in Google.Apis.Auth.AspNetCore3 only.
  • For users, it will only happen if their projects are targetting .NET 4.6.1 or lower or .NET 5 or lower. These targets have been out of MS support since 2022 so users themselves can either surpress the warning or target a newer version.

.NET 4.6.2: Conflicts for System.Net.Http (4.0.0.0 vs 4.2.0.0)

• We never understood why this was happening in the first place (see previous comments on this thread) but, after we have updated to newer targets, it has gone away from both our Google.Apis and from dependant applications targetting .NET 4.6.2.

I'll send a PR for removing the warning suppressions and after I propose we close this issue.

@jskeet any thoughts?

[jskeet]

I've got an old project which I'm sure used to generate the warning - and now doesn't, even with the old dependencies. So I suspect this is actually a .NET SDK issue that's been resolved. So yes, I agree :)

[amanda-tarafa]

I've got an old project which I'm sure used to generate the warning - and now doesn't, even with the old dependencies. So I suspect this is actually a .NET SDK issue that's been resolved. So yes, I agree :)

Yep, this is how I tested it as well, I had a console project that I used to see the warnings and investigate, and now I can't (except as described in this comment).