Remove obsolete transitive NuGet overrides from typespec-vs #10824

Open: Copilot wants to merge 5 commits into main from copilot/remove-unnecessary-nuget-package

Contributor

Copilot AI commented May 28, 2026

The Visual Studio extension was carrying explicit NuGet references that were only needed to suppress older transitive vulnerability and NU1603 issues. Those overrides are no longer necessary with the currently resolved Visual Studio package set.

  • Dependency cleanup

    • Remove explicit PackageReferences for:
      • MessagePack
      • Microsoft.VisualStudio.Composition
      • Microsoft.VisualStudio.Shell.15.0
  • Project file simplification

    • Drop the associated explanatory/TODO comments tied to those temporary overrides.
    • Keep the direct Visual Studio SDK/workspace dependencies unchanged so the extension continues to pick up these packages transitively.
  • Result

    • typespec-vs now relies on the Visual Studio packages to supply these dependencies instead of pinning them redundantly in the project file.
<!-- removed -->
<PackageReference Include="MessagePack" Version="2.5.192" />
<PackageReference Include="Microsoft.VisualStudio.Composition" Version="17.13.41" />
<PackageReference Include="Microsoft.VisualStudio.Shell.15.0" Version="17.14.40264" />

Co-authored-by: timotheeguerin <1031227+timotheeguerin@users.noreply.github.com>
@microsoft-github-policy-service microsoft-github-policy-service Bot added the ide Issues for VS, VSCode, Monaco, etc. label May 28, 2026
Copilot AI changed the title [WIP] Remove unnecessary nuget package in vs-extension Remove obsolete transitive NuGet overrides from typespec-vs May 28, 2026
Copilot AI requested a review from timotheeguerin May 28, 2026 12:36

pkg-pr-new Bot commented May 28, 2026

npm i https://pkg.pr.new/typespec-vs@10824

commit: fc0d818

@timotheeguerin
Member

@copilot add changelog

Co-authored-by: timotheeguerin <1031227+timotheeguerin@users.noreply.github.com>
Contributor Author

Copilot AI commented May 28, 2026

@copilot add changelog

Addressed in 4d6e325.

Comment thread packages/typespec-vs/CHANGELOG.md Outdated
Co-authored-by: timotheeguerin <1031227+timotheeguerin@users.noreply.github.com>
@github-actions
Contributor

All changed packages have been documented.

  • typespec-vs

typespec-vs - fix ✏️

Remove obsolete explicit Visual Studio transitive NuGet package overrides.

Link="TextMate/typespec.tmLanguage" />
<Content Update="@(Content)" IncludeInVSIX="true" CopyToOutputDirectory="PreserveNewest" />
<Reference Include="System.ComponentModel.Composition" />
<!-- The 'MessagePack' is not used directly but referenced by nuget package 'Microsoft.VisualStudio.SDK', 'Microsoft.VisualStudio.Workspace' and 'Microsoft.VisualStudio.VSIntegration' -->
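
Review bot: The comment on the last line says MessagePack is only pulled in through Microsoft.VisualStudio.SDK, Microsoft.VisualStudio.Workspace and Microsoft.VisualStudio.VSIntegration, so once the explicit reference is dropped those three packages alone decide its version and nothing in the project file records the floor the override enforced. Suggest stating in the PR description which transitive versions the restore now resolves, and checking that NuGet auditing covers transitive packages (the NuGetAuditMode property set to all) so a later regression is reported at restore time.
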
Contributor

But I don't see a change to these NuGet packages that use the removed ones. They should be upgraded to a new version to use a dependency free of security issues, shouldn't they?

Member

Wouldn't that fail the CI if it did? Did we maybe upgrade those versions separately but never clean up?
@copilot can you investigate and check if that is the case, do we also need to upgrade the other packages?

Member

@copilot can you answer the question

Contributor Author

I checked the resolved graph with dotnet restore Microsoft.TypeSpec.VS.sln, dotnet list src/Microsoft.TypeSpec.VS.csproj package --include-transitive, and --vulnerable. The removed packages are still brought in transitively at the same resolved versions (MessagePack 2.5.192, Microsoft.VisualStudio.Composition 17.13.41, Microsoft.VisualStudio.Shell.15.0 17.14.40264), and NuGet reports no vulnerable packages for this project. So this looks like a cleanup of old explicit overrides after the upstream Visual Studio package set had already been updated, not a missing upgrade in this PR.
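
One way to repeat the check described in the comment above against a restored `obj/project.assets.json`, as an added example (not code from this PR or the TypeSpec project): for each package whose override was removed it reports the resolved version, which packages pull it in, and whether it still meets the version the override pinned. The `SAMPLE` data is constructed, the function names are hypothetical, and treating every `project.frameworks` dependency as direct is a simplification for a single-target project.

```python
import json

# Versions the removed overrides used to pin (from the PR description above).
FLOORS = {
    "MessagePack": "2.5.192",
    "Microsoft.VisualStudio.Composition": "17.13.41",
    "Microsoft.VisualStudio.Shell.15.0": "17.14.40264",
}

# Constructed sample in the shape of obj/project.assets.json; not real restore
# output. The parent package versions (1.0.0) and target name are placeholders.
SAMPLE = json.loads("""
{
  "targets": {".NETFramework,Version=v4.7.2": {
    "Microsoft.VisualStudio.SDK/1.0.0": {"dependencies": {
      "MessagePack": "2.5.192",
      "Microsoft.VisualStudio.Composition": "17.13.41",
      "Microsoft.VisualStudio.Shell.15.0": "17.14.40264"}},
    "Microsoft.VisualStudio.Workspace/1.0.0": {"dependencies": {"MessagePack": "2.5.192"}},
    "MessagePack/2.5.192": {},
    "Microsoft.VisualStudio.Composition/17.13.41": {},
    "Microsoft.VisualStudio.Shell.15.0/17.14.40264": {}}},
  "project": {"frameworks": {"net472": {"dependencies": {
    "Microsoft.VisualStudio.SDK": {}, "Microsoft.VisualStudio.Workspace": {}}}}}
}
""")

def vkey(version):
    """Sort key for plain dotted versions; a prerelease suffix is ignored."""
    return tuple(int(part) for part in version.split("-")[0].split("."))

def audit_assets(assets, floors=FLOORS):
    """Per floor package: resolved version, parents, direct or not, floor met or not."""
    direct = {name.lower() for fw in assets["project"]["frameworks"].values()
              for name in fw.get("dependencies", {})}
    findings = []
    for target, libs in assets["targets"].items():
        resolved = {k.split("/")[0].lower(): k.split("/")[1] for k in libs}
        for pkg, floor in floors.items():
            version = resolved.get(pkg.lower())
            parents = sorted(k.split("/")[0] for k, lib in libs.items()
                             if pkg.lower() in {d.lower() for d in lib.get("dependencies", {})})
            findings.append({"target": target, "package": pkg, "resolved": version,
                             "direct": pkg.lower() in direct, "parents": parents,
                             "ok": version is not None and vkey(version) >= vkey(floor)})
    return findings

if __name__ == "__main__":
    print(*audit_assets(SAMPLE), sep="\n")
```

A finding with `"ok": False` or `"direct": True` means the transitive resolution no longer matches what the removed override guaranteed.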

Development

Successfully merging this pull request may close these issues.

Remove unnecessary nuget package in vs-extension

3 participants