Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Proposal] Remove SkiaSharp.Views Dependency #1424

Closed
8 tasks
TheCodeTraveler opened this issue Sep 22, 2023 · 7 comments · Fixed by dotnet/maui#18442 or #1547
Closed
8 tasks

[Proposal] Remove SkiaSharp.Views Dependency #1424

TheCodeTraveler opened this issue Sep 22, 2023 · 7 comments · Fixed by dotnet/maui#18442 or #1547
Assignees
@TheCodeTraveler
Labels
approved This Proposal has been approved and is ready to be added to the Toolkit champion A member of the .NET MAUI Toolkit core team has chosen to champion this feature documentation approved proposal A fully fleshed out proposal describing a new feature in syntactic and semantic detail

Comments

@TheCodeTraveler
Copy link
Collaborator

TheCodeTraveler commented Sep 22, 2023
edited
Loading

Feature name

Remove SkiaSharp.Views Dependency

Link to discussion

(Discord) https://discord.com/channels/1136756209475661914/1136757631550238781/1154823859766308906

Progress tracker

  • Android Implementation
  • iOS Implementation
  • MacCatalyst Implementation
  • Windows Implementation
  • Tizen Implementation
  • Unit Tests
  • Samples
  • Documentation

Summary

A direct reference to SkiaSharp.Views v2.88.6 was added to CommunityToolkit.Maui.Core for net7.0-tizen after a security vulnerability was reported on SkiaSharp; the vulnerability is patched in SkiaSharp v2.88.6:

Maui/src/CommunityToolkit.Maui.Core/CommunityToolkit.Maui.Core.csproj

Lines 53 to 55 in bf9d66d

<ItemGroup Condition="$(TargetFramework.Contains('-tizen'))">
<PackageReference Include="SkiaSharp.Views" Version="[2.88.6,)" />
</ItemGroup>

The tizen-net7.0 library has a transitive dependency to SkiaSharp via net7.0-tizen -> Tizen.UIExtensions.NUI -> Microsoft.Maui.Graphics.Skia -> SkiaSharp.

We should remove this direct package reference once Microsoft.Maui.Graphics.Skia has been updated to use SkiaSharp v2.88.6 and then Tizen.UIExtensions.NUI has subsequently been updated to use the latest version of Microsoft.Maui.Graphics.Skia.

We are blocked until Tizen.UIExtensions.NUI is updated.

Motivation

The .NET MAUI Community Toolkit strives to avoid adding direct dependencies to external libraries. I created this Issue to ensure that our temporary dependency to SkiaSharp to avoid the security vulnerability does not become a permanent dependency in our library.

Detailed Design

To remove the direct dependency, we must remove following lines of code from CommunityToolkit.Maui.Core:

Maui/src/CommunityToolkit.Maui.Core/CommunityToolkit.Maui.Core.csproj

Lines 53 to 55 in bf9d66d

<ItemGroup Condition="$(TargetFramework.Contains('-tizen'))">
<PackageReference Include="SkiaSharp.Views" Version="[2.88.6,)" />
</ItemGroup>

Usage Syntax

(None)

Drawbacks

(None)

Alternatives

(None)

Unresolved Questions

(None)
@TheCodeTraveler TheCodeTraveler added new blocked proposal A fully fleshed out proposal describing a new feature in syntactic and semantic detail labels Sep 22, 2023
@TheCodeTraveler TheCodeTraveler self-assigned this Sep 22, 2023
@ghost ghost added champion A member of the .NET MAUI Toolkit core team has chosen to champion this feature and removed new labels Sep 22, 2023
@TheCodeTraveler TheCodeTraveler changed the title [Proposal] Remove SkiaSharp.Vies Dependency [Proposal] Remove SkiaSharp.Views Dependency Sep 22, 2023
@TheCodeTraveler TheCodeTraveler mentioned this issue Sep 22, 2023
Merged
6 tasks
@vhugogarcia
Copy link
Contributor

The .NET MAUI team is bumping up the version now on the .NET MAUI repository: dotnet/maui@c37907a

Hopefully, it will be approved and merged soon.
🙂🙂

@TheCodeTraveler TheCodeTraveler mentioned this issue Sep 24, 2023
Merged
@TheCodeTraveler TheCodeTraveler added the needs discussion Discuss it on the next Monthly standup label Oct 5, 2023
@JoonghyunCho JoonghyunCho mentioned this issue Oct 31, 2023
Merged
@TheCodeTraveler
Copy link
Collaborator Author

TheCodeTraveler commented Oct 31, 2023
edited
Loading

Update

The Microsoft.Maui.Graphics.Skia v7.0.100 NuGet Package has been updated to SkiaSharp v2.88.6: dotnet/maui@199adf7

We are still blocked until Tizen.UIExtensions.NUI is updated. We will monitor the progress on their PR here (Thanks Jay!!): dotnet/maui#18442

@ghost ghost added approved This Proposal has been approved and is ready to be added to the Toolkit help wanted This proposal has been approved and is ready to be implemented labels Nov 2, 2023
@TheCodeTraveler TheCodeTraveler removed help wanted This proposal has been approved and is ready to be implemented needs discussion Discuss it on the next Monthly standup labels Nov 2, 2023
@ghost ghost reopened this Nov 9, 2023
@ghost
Copy link

ghost commented Nov 9, 2023

Reopening Proposal.

Only Proposals moved to the Closed Project Column and Completed Project Column can be closed.

@ghost ghost closed this as completed Nov 9, 2023
@jfversluis
Copy link
Member

Oooh well actually, I think we still got work to do here on our side now? @JoonghyunCho?

@jfversluis jfversluis reopened this Nov 9, 2023
@ghost ghost added the help wanted This proposal has been approved and is ready to be implemented label Nov 9, 2023
@jfversluis jfversluis removed help wanted This proposal has been approved and is ready to be implemented blocked documentation approved labels Nov 9, 2023
@JoonghyunCho
Copy link
Member

Oooh well actually, I think we still got work to do here on our side now? @JoonghyunCho?

Thanks for merging dotnet/maui#18442 ! I expect this will be resolved when the new maui version releases?

@TheCodeTraveler
Copy link
Collaborator Author

Awesome!!

Yup - once the net7.0-tizen workload (or the net8.0-tizen workload) is updated to use Tizen.UIExtensions.NUI v9.2.0, we can remove our dependency to SkipSharp.Views.

We'll keep this Proposal open until the PR to remove the SkiaSharp.Views dependency is closed:

Maui/src/CommunityToolkit.Maui.Core/CommunityToolkit.Maui.Core.csproj

Lines 53 to 55 in bf9d66d

<ItemGroup Condition="$(TargetFramework.Contains('-tizen'))">
<PackageReference Include="SkiaSharp.Views" Version="[2.88.6,)" />
</ItemGroup>

@JoonghyunCho JoonghyunCho mentioned this issue Nov 21, 2023
Merged
6 tasks
@ghost ghost reopened this Nov 21, 2023
@ghost
Copy link

ghost commented Nov 21, 2023

Reopening Proposal.

Only Proposals moved to the Closed Project Column and Completed Project Column can be closed.

@ghost ghost closed this as completed Nov 21, 2023
@github-actions github-actions bot locked and limited conversation to collaborators Nov 22, 2024
This issue was closed.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@TheCodeTraveler TheCodeTraveler

Labels
approved This Proposal has been approved and is ready to be added to the Toolkit champion A member of the .NET MAUI Toolkit core team has chosen to champion this feature documentation approved proposal A fully fleshed out proposal describing a new feature in syntactic and semantic detail
Projects
`CommunityToolkit.Maui` New Feature Proposals
Status: Completed
Milestone
No milestone
4 participants
@jfversluis @vhugogarcia @TheCodeTraveler @JoonghyunCho