[Bug]: Unable to use `Polly.Core` in a plugin project in combination with `System.Text.Json` because of `Microsoft.Bcl.AsyncInterfaces` version mismatch

Question

[Bug]: Unable to use `Polly.Core` in a plugin project in combination with `System.Text.Json` because of `Microsoft.Bcl.AsyncInterfaces` version mismatch

peterhirn opened this issue 4 months ago · 2 comments

Describe the bug

I'm trying to use Polly.Core in a plugin project where I have no control over bindingRedirect (managed by the program authors, proprietary). Additionally I have a dependency on System.Text.Json 8.0.4.

Because of the pinned dependency on Microsoft.Bcl.AsyncInterfaces 6.0.0 I'm unable to use Polly.Core.

dotnet add package Polly.Core

error: NU1605: Warning As Error: Detected package downgrade: Microsoft.Bcl.AsyncInterfaces from 8.0.0 to 6.0.0. Reference the package directly from the project to select a different version. 
error:  Project -> System.Text.Json 8.0.4 -> Microsoft.Bcl.AsyncInterfaces (>= 8.0.0) 
error:  Project -> Microsoft.Bcl.AsyncInterfaces (>= 6.0.0)

Trying to load the plugin throws

Could not load file or assembly 'Microsoft.Bcl.AsyncInterfaces, Version=6.0.0.0 ...

Would it be possible to update Microsoft.Bcl.AsyncInterfaces to v8.x?

Expected behavior

No response

Actual behavior

No response

Steps to reproduce

No response

Exception(s) (if any)

No response

Polly version

8.4.1

.NET Version

net48

Anything else?

No response

Answer 1 · 2024-08-30T08:06:31.000Z

I don't think this is a bug, as pinning the dependency was a conscious decision, but I can see how it could cause you difficulties.

For the libraries we publish to NuGet.org, we target the minimum possible version we can to make the range of versions we're compatible with as large as possible. This also prevents us from forcing consuming applications to use newer versions of libraries that they might want otherwise for whatever reason (compatibility, a bug they're avoiding, whatever).

Have you tried doing what the error message suggests, and explicitly add Microsoft.Bcl.AsyncInterfaces 8.0.0 to your .csproj file? This might hoist the version and avoid the NU1605 warning.

We could maybe consider increasing the version in a future release to 8.0.0 just for the net4x targets. This would make most sense to me to do after November when .NET 6 goes out of support. There's a fairly good chance we'll ship a new version in November anyway as part of the .NET 9 release (see #2003). I realise that's no good to you now though.

As a workaround, do you need to depend on S.T.J 8.0.4? Does it have functionality that you depend on, are you just "using latest"? If there's nothing specific in the implementation for 8 you need, a potential workaround could just be to follow the same "wider compatibility" approach and downgrade to 6.0.0 and defer to the host's 6.0.x(?) version at runtime (i.e. if your concern is GHSA-hh2w-p6rv-4g7w and that's why you're using 8.0.4, then that's on the host to patch and worry about, not you).

Answer 2 · 2024-08-30T08:35:20.000Z

Thanks for your response 🙏

I agree with your reasoning to target the minimum possible version of dependencies and that this is not a bug.

Generally I think this is a very niche use-case as most of the time devs have control over bindingRedirect.

I tried to explicitly add Microsoft.Bcl.AsyncInterfaces 8.0.0 but loading my plugin still failed. Downgrading STJ is something I'll explore.

My current workaround is using the legacy Polly package with IAsyncPolicy.

Another option to circumvent the bindingRedirect problem is to use ILRepack to merge the output into a single .dll.