
Add .NET Standard 2.0 target to SimpleInjector.Packaging #964

Open

coenm opened this issue Dec 8, 2022 · 4 comments

coenm commented Dec 8, 2022

As of today, I noticed a security warning using the "SimpleInjector.Packaging" Version="5.0.0" package in a net6.0 project.

Message: Transitive dependency System.Net.Http 4.1.0 contains vulnerabilities according to Checkmarx

NuGet also mentions a security risk (see https://www.nuget.org/packages/System.Net.Http/4.1.0).
Message: This package has at least one vulnerability with high severity. It may lead to specific problems in your project. Try updating the package version.

When investigating, I notice the following dependencies:

SimpleInjector.Packaging 5.0.0 -> NetStandard 1.6.0 -> System.Net.Http 4.1.0.

The SimpleInjector.Packaging page at NuGet shows me that only .netframework 4.5 and netstandard1.0 are targeted, and netstandard1.0 is the reason for this transitive dependency.

Directly referencing a newer version of NETStandard.Library (i.e. Version="2.0.3") would probably solve this matter, but I think this should also be addressed in the source package, which is in this case SimpleInjector.Packaging.
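The consumer-side workaround described in the post above, written out as an added example (not a file from the issue or from the SimpleInjector project). It assumes an SDK-style net6.0 project; the package names and versions are the ones quoted in the issue. NuGet's nearest-wins resolution lets the direct NETStandard.Library 2.0.3 reference override the transitive 1.6.0 one, and for a netstandard2.0-compatible consumer that package carries no System.Net.Http dependency, so the flagged 4.1.0 assembly drops out of the graph:

```xml
<!-- Constructed example: consuming application that pins the transitive
     NETStandard.Library so System.Net.Http 4.1.0 is no longer restored. -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
    <!-- Assumption: .NET 8 SDK or later. Turns NuGet's vulnerability audit
         warnings (NU1901-NU1904) into build errors and includes transitive
         packages, so a regression of this dependency fails the build. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="SimpleInjector.Packaging" Version="5.0.0" />
    <!-- Direct reference wins over the transitive NETStandard.Library 1.6.0
         that the package's netstandard1.0 asset would otherwise pull in. -->
    <PackageReference Include="NETStandard.Library" Version="2.0.3" />
  </ItemGroup>

</Project>
```

To confirm the override took effect, `dotnet list package --vulnerable --include-transitive` after a restore should no longer list System.Net.Http 4.1.0; the same command is a cheap check to keep in CI, since a future package update could reintroduce a netstandard1.x dependency chain.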

@coenm coenm added the question label Dec 8, 2022
dotnetjunkie (Collaborator) commented:

Upgrading the reference to .NET Standard 2.0 is a breaking change, which is why I won't fix this.

For more details about the reasoning of not updating, please read this.

coenm (Author) commented Dec 8, 2022

Hi Steven,

Thank you for your quick and clear response. I fixed my code the same way by directly referencing a newer package as you also suggested in your stackoverflow reply.

I understand you don't want to introduce a breaking change by upgrading from netstandard 1.3 to netstandard2.0. Do you consider adding netstandard2.0 as an extra target alongside netstandard1.3 also a breaking change?

I'm asking this because this is suggested in the Microsoft guidelines about targeting.
Especially the first red cross point (AVOID including a netstandard1.x target.) and the third check mark (DO include a netstandard2.0 target if you require a netstandard1.x target).

Just curious how you look at this.

Thanks

dotnetjunkie (Collaborator) commented:

> Do you consider adding netstandard2.0 as an extra target alongside netstandard1.3 also a breaking change?

No, that should not be breaking, and that's certainly an option. That doesn't change things from a security perspective because, as I explained on Stack Overflow, in the end it's up to the application developer to manage the packages, as otherwise package owners would be forced into updating their packages constantly, which would cause a new set of issues.

But considering the Microsoft guidance on .NET Standard 1.x, it would be a good idea to add a .NET Standard 2.0 target.
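The library-side change the thread converges on, as an added example rather than SimpleInjector's actual project file (whose layout is not shown in the issue). It assumes an SDK-style class library; the existing net45 and netstandard1.x targets are kept as the maintainer wants, and netstandard2.0 is added beside them. Because NuGet selects the nearest compatible asset, a net6.0 consumer then picks the netstandard2.0 build, whose dependency group does not reference NETStandard.Library 1.6.0, so System.Net.Http 4.1.0 is no longer restored transitively, while netstandard1.x consumers keep resolving exactly what they did before:

```xml
<!-- Constructed example: multi-targeted library project. The existing
     targets stay; netstandard2.0 is added as a non-breaking extra target. -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Assumption: netstandard1.3 is the existing 1.x target mentioned in
         this thread; substitute netstandard1.0 if that is what ships today. -->
    <TargetFrameworks>net45;netstandard1.3;netstandard2.0</TargetFrameworks>
  </PropertyGroup>

  <!-- Only the netstandard1.x build needs the NETStandard.Library 1.6.x
       metapackage; the netstandard2.0 and net45 builds get nothing here,
       so their NuGet dependency groups stay free of the old package chain. -->
  <ItemGroup Condition="'$(TargetFramework)' == 'netstandard1.3'">
    <PackageReference Include="NETStandard.Library" Version="1.6.1" />
  </ItemGroup>

</Project>
```

After packing, the generated .nuspec should show three dependency groups; the one for .NETStandard2.0 being empty is what makes the difference for consumers on netstandard2.0 or later.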

@dotnetjunkie dotnetjunkie reopened this Dec 8, 2022
@dotnetjunkie dotnetjunkie changed the title Feature Request: Upgrade SimpleInjector.Packaging to (also) target netstandard2.0 / security warning Add .NET Standard 2.0 target to SimpleInjector.Packaging Dec 8, 2022
dotnetjunkie (Collaborator) commented:

I reopened this issue and updated the title to reflect this. Will try to add this to the next minor release.

@dotnetjunkie dotnetjunkie modified the milestones: v5.5, v5.4.4 Jan 2, 2024