Microsoft.JavaScript.UnitTest references a vulnerable NewtonSoft.Json package #2513

Open
lennybacon opened this issue Nov 28, 2024 · 5 comments

@lennybacon

I use the package Microsoft.JavaScript.UnitTest 1.5.10610.1 in a C# project (ASP.NET) to run TypeScript tests.

The build and Visual Studio warn me about a vulnerable NewtonSoft.Json package.

NU1903	Package 'Newtonsoft.Json' 12.0.2 has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr	

As a workaround I installed Newtonsoft.Json 13.0.3, but I do my serialization using System.Text.Json.

So it would be nice to have a dependency update and a newly published package of Microsoft.JavaScript.UnitTest.

@joj
Member

joj commented Dec 2, 2024

Hi! I would like to understand your scenario. That package shouldn't be needed anymore, was always in beta and hasn't been updated in years. Also, you can install 13.0.3 manually, that should fix the issue.
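An added example, not part of the thread or of any project mentioned in it: a small Python check that reads NuGet's `obj/project.assets.json` and reports which direct reference pulls in a package that resolves below a chosen version floor, before and after the pin discussed above. The sample data is constructed, the dependency edge is taken from the issue title, the floor `13.0.3` is simply the version installed in the thread, and the function names are hypothetical.

```python
import json
import sys

def parse_version(v):
    # Numeric parts only; enough for plain x.y.z versions like the ones in this thread.
    return tuple(int(p) for p in v.split("-")[0].split("."))

def find_below_floor(assets, package_id, floor):
    """For each target framework where package_id resolves below floor, report
    the resolved version and the direct references that pull it in."""
    findings = []
    for tfm, libs in assets["targets"].items():
        resolved = dict(key.lower().split("/", 1) for key in libs)
        version = resolved.get(package_id.lower())
        if version is None or parse_version(version) >= parse_version(floor):
            continue
        # Target keys may carry a runtime suffix ("net9.0/win-x64"); frameworks do not.
        deps = assets["project"]["frameworks"][tfm.split("/")[0]].get("dependencies", {})
        direct = {name.lower() for name in deps}
        parents = {}  # reverse edges: package -> packages that depend on it
        for key, lib in libs.items():
            for dep in lib.get("dependencies", {}):
                parents.setdefault(dep.lower(), set()).add(key.split("/")[0])
        roots, seen, stack = set(), set(), [package_id.lower()]
        while stack:  # walk upwards until direct references are reached
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            for parent in parents.get(cur, ()):
                if parent.lower() in direct:
                    roots.add(parent)
                stack.append(parent.lower())
        findings.append({"framework": tfm, "version": version, "via": sorted(roots)})
    return findings

def sample_assets(pinned):
    # Constructed, trimmed stand-in for obj/project.assets.json (not taken from the thread).
    nj = "13.0.3" if pinned else "12.0.2"
    libs = {"Microsoft.JavaScript.UnitTest/1.5.10610.1":
                {"type": "package", "dependencies": {"Newtonsoft.Json": "12.0.2"}},
            "Newtonsoft.Json/" + nj: {"type": "package"}}
    direct = {"Microsoft.JavaScript.UnitTest": {"target": "Package"}}
    if pinned:  # the workaround: a direct reference overrides the transitive version
        direct["Newtonsoft.Json"] = {"target": "Package"}
    return {"targets": {"net9.0": libs},
            "project": {"frameworks": {"net9.0": {"dependencies": direct}}}}

if __name__ == "__main__":
    # Pass a real obj/project.assets.json path, or run without arguments for the sample.
    assets = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else sample_assets(False)
    print(find_below_floor(assets, "Newtonsoft.Json", "13.0.3"))  # floor: assumption
```

With the direct reference added, the resolved version moves to 13.0.3 and the check returns no findings, but the old package stays in the graph as the reason the pin exists.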

@lennybacon
Author

I have been following this guide from 11/23/2023 to write unit tests for ASP.NET Core.

In the Browse tab, search for the following packages and install each one:

Microsoft.TypeScript.MSBuild
Npm
Microsoft.JavaScript.UnitTest

This is how the dependency came in.

After your message I removed both dependencies. Reopened VS, built and tested. Then an issue came up. Every 2nd build (reproducible) there is an error that pops up and none of the TypeScript files get compiled and copied to wwwroot/js:

8>C:\Program Files\dotnet\sdk\9.0.100\Sdks\Microsoft.NET.Sdk.StaticWebAssets\targets\Microsoft.NET.Sdk.StaticWebAssets.targets(662,5): error : System.InvalidOperationException: No file exists for the asset at either location 'wwwroot\js\Colors.js' or 'wwwroot\js\Colors.js'.
8>C:\Program Files\dotnet\sdk\9.0.100\Sdks\Microsoft.NET.Sdk.StaticWebAssets\targets\Microsoft.NET.Sdk.StaticWebAssets.targets(662,5): error :    at Microsoft.AspNetCore.StaticWebAssets.Tasks.StaticWebAsset.ComputeFingerprintAndIntegrity(String identity, String originalItemSpec)
8>C:\Program Files\dotnet\sdk\9.0.100\Sdks\Microsoft.NET.Sdk.StaticWebAssets\targets\Microsoft.NET.Sdk.StaticWebAssets.targets(662,5): error :    at Microsoft.AspNetCore.StaticWebAssets.Tasks.DefineStaticWebAssets.Execute()

A rebuild makes it good again. Another rebuild after fails. And so on.

The successful build produces files in CompileTypeScriptWithTSConfig, while the failed one calls TypeScriptBuildModeClean.

A deterministic build would be great.

How do I add TypeScript with unit tests to a C# Project?

@joj
Member

joj commented Dec 4, 2024

You do need the TypeScript nuget. You shouldn't need the test nuget. If you're getting an error in CompileTypeScriptWithTSConfig I'm assuming you have that one, though. The issue in the error seems to be that file (colos.js) either not compiled or not copied to the right location before it runs.

@lennybacon
Author

> You do need the TypeScript nuget. You shouldn't need the test nuget. If you're getting an error in CompileTypeScriptWithTSConfig I'm assuming you have that one, though. The issue in the error seems to be that file (colos.js) either not compiled or not copied to the right location before it runs.

As I've written, every 2nd build fails as soon as the dependency is removed. If I re-add it, every build is successful. This is reproducible.

The successful build has a target called CompileTypeScriptWithTSConfig, that produces the js-files. This target is not called in the second/failing build.

The failing build instead has a target named TypeScriptBuildModeClean which calls tsc --clean --build. Calling this on the command line results in no output. When dropping the clean argument, I get an info, that a file is missing (buildinfo or smth - I’m not on the machine atm) and then the files are created.

There is seriously smth weird going on…

So the question remains: what's the how-to, to have TS with unit tests in a cs aspnet core 9 project?

@safacero
Member

Hi Lenny, we're finding it odd because it should work out of the box. May I ask you for binlogs so we can take a closer look at your situation? You can look here https://learn.microsoft.com/en-us/visualstudio/ide/msbuild-logs?view=vs-2022#capture-binary-logs-for-command-line-builds for more information on how to collect it. After that, please send us the '.binlog'.

Let me know if you have any problems with the steps above.
Thank you so much for your time and patience! 😄
