Skip to content

Avoid unused StreamJsonRpc dependencies#135

Merged
AsafMah merged 1 commit into
mainfrom
maintenance/avoid-unused-streamjsonrpc-dependencies
Jul 13, 2026
Merged

Avoid unused StreamJsonRpc dependencies#135
AsafMah merged 1 commit into
mainfrom
maintenance/avoid-unused-streamjsonrpc-dependencies

Conversation

@AsafMah

@AsafMah AsafMah commented Jul 13, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • use StreamJsonRpc 2.22.23 with an explicit MessagePack 2.5.302 security pin
  • avoid shipping the unused Nerdbank.MessagePack and PolyType runtime assemblies introduced by newer StreamJsonRpc's optional formatter
  • clean the server output directory before debug and release publishes so stale assemblies cannot leak into the VSIX or create a mismatched runtime graph

Why

Kusto Explorer uses JsonMessageFormatter, not NerdbankMessagePackFormatter. StreamJsonRpc 2.25.29 nevertheless declares Nerdbank.MessagePack and PolyType unconditionally. Both DLLs were copied into the VSIX, were unsigned, and caused the external signing pipeline's Guardian post-analysis to fail.

Keeping StreamJsonRpc 2.22.23 while pinning MessagePack 2.5.302 removes those unused assemblies without restoring the MessagePack vulnerability that originally motivated the upgrade.

Validation

  • dotnet list src/Server/Server.csproj package --vulnerable --include-transitive — no vulnerable packages
  • dotnet run --project src/ServerTests/ServerTests.csproj -c Release — 200 passed
  • clean published-server startup smoke test
  • npm run test:integration — 46 passed
  • npm run package — 112-file VSIX, 24.71 MB
  • verified Nerdbank.MessagePack.dll and PolyType.dll are absent from the VSIX
  • verified StreamJsonRpc.dll and patched MessagePack.dll remain present

@AsafMah AsafMah marked this pull request as ready for review July 13, 2026 07:49
Copilot AI review requested due to automatic review settings July 13, 2026 07:49
@AsafMah AsafMah merged commit 11911f4 into main Jul 13, 2026
5 checks passed
@AsafMah AsafMah deleted the maintenance/avoid-unused-streamjsonrpc-dependencies branch July 13, 2026 07:49
Copilot stopped reviewing on behalf of AsafMah due to an error July 13, 2026 07:49

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates server/client build dependencies and build scripts to improve packaging reliability and align .NET RPC serialization dependencies.

Changes:

  • Downgrade StreamJsonRpc and add an explicit MessagePack dependency in the server project.
  • Add a clean-server npm script and run it before dotnet publish for debug/release builds.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
src/Server/Server.csproj Adjusts RPC/serialization package references (StreamJsonRpc, MessagePack).
src/Client/package.json Ensures the server output folder is cleaned before publishing to avoid stale artifacts.

Comment thread src/Server/Server.csproj
Comment on lines 12 to +16
<PackageReference Include="Microsoft.Azure.Kusto.Language" Version="12.4.0" />
<PackageReference Include="Microsoft.VisualStudio.LanguageServer.Protocol" Version="17.2.8" />
<PackageReference Include="Newtonsoft.Json" Version="13.0.4" />
<PackageReference Include="StreamJsonRpc" Version="2.25.29" />
<PackageReference Include="StreamJsonRpc" Version="2.22.23" />
<PackageReference Include="MessagePack" Version="2.5.302" />
Comment thread src/Client/package.json
Comment on lines +41 to +43
"clean-server": "node -e \"require('fs').rmSync('./server', { recursive: true, force: true })\"",
"build-release-server": "npm run clean-server && dotnet publish ../Server/Server.csproj -c Release -o ./server",
"build-debug-server": "npm run clean-server && dotnet publish ../Server/Server.csproj -c Debug -o ./server",
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants