With the release of .NET Core 2.0 comes a large “meta package” with the name Microsoft.AspNetCore.All. It’s a sort of god mode package that contains all you need to get up and running on ASP.net Core without having to figure out which nuget package does what. But it does have some massive pitfalls in my opinion.

Why Have A Meta Package At All?

When ASP.net Core is split into multiple smaller packages, the “versions” of these packages start to get all out of sync over time. This is especially true if you have ever tried to upgrade a project between .NET core versions, you end up having to go through all your smaller AspNetCore packages and work out which ones you should be version bumping. Take the following for example :

Here you have many aspnetcore and EntityFramework packages that all have slightly off versions. In ASP.net Core 2.0, using the “Microsoft.AspNetCore.All” meta package, your package references instead look like this :

What this should mean is that by updating a single package, you will be able to run on the latest ASP.net Core version. It also makes your csproj a bit easier on the eye with a single package being your “framework”, and any other package references being ones you have added explicitly.

What’s Inside The Microsoft.AspNetCore.All package

The meta package contains :

  • Every single AspNetCore package published by Microsoft
  • Every EntityFrameworkCore package published by Microsoft
  • Any supporting packages required for the framework to run (For example Json.Net)

Now, that probably sounds huge and you will probably ask yourself,  won’t the resulting deployment be out of control? You would essentially be “shipping” the entire framework right? Well..

Deployment and Runtime Store

Microsoft have gone back to something called the “Runtime Store“. I say the words “gone back” because this functions almost the same as the GAC on .net Full Framework projects. That is, your target machine would have to have the .NET Core runtime installed on it for you to be able to use the aspnetcore meta package. When you deploy, you won’t actually deploy any of the framework packages, your code will instead utilize the ones already on the machine.

And if the machine doesn’t have the runtime installed? Well, that’s where things start to fall down. If you are looking to do self contained deployments (Which was a massive selling point of .NET Core), then you cannot use the meta package. You would need to reference packages manually. I can see how this could turn into a headache down the road because it makes the creation of the project and whether you use the meta package so important. Imagine getting to the point you are ready to deploy, and your dev ops team prefers going down a self contained deployment route. Now you will have to go back and work out which packages you are using from the meta and add them all in manually. Painful!

Getting Started

By default, when you create any project using ASP.net Core 2.0, you will be using the meta package. If you know you won’t be using self contained deployments any time soon, then it’s safe to go ahead and use, and really, it does alleviate some headaches of knowing which packages have what. I can’t tell you how many times I start a new project and I have to go back and manually add in the packages for authentication, entityframework, staticfiles etc. Give it a go and let me know what you think below!

The web has been going ballistic over a proposed ASP.net Core change.

Exhibit A : https://github.com/aspnet/Home/issues/2022

ASP.net Core was now going to run solely on…. .net core. Sounds confusing? Keep reading.

It’s been interesting to read reaction on message boards such as Reddit and HN. Mostly because people take the opportunity to lay the smack down on Microsoft without full understanding the situation. Certainly if you don’t use .net core on a daily basis, it just looks like Microsoft doing whatever it wants developers be damned.

But here’s the thing. I actually agree with Microsoft on this one to a certain degree. And I actually think their eventual decision to not press forward with the changes could actually hurt ASP.net core in the long run. This post is a bit of a riff off a Reddit comment I also made so it may be a bit over the place.

Let me explain.

There is currently 3 (main) ways to write a web application in the .net ecosystem

  • ASP.net Core
  • ASP.net Full Framework
  • ASP.net Core running on Full Framework

That last one is probably the eye brow raiser and the one that sounds the most “cobbled together”. And it’s actually the one that everyone is fighting over.

You see you can actually run ASP.net Core on the full framework. You get all the benefits that the ASP.net Core team gives you (Kestrel etc), but you still have the ability to use full framework libraries. Sounds like a win win right? Kinda.

The reason this works is because ASP.net Core is written against .net standard. That means any classes/methods it calls will also be available in full framework. But it also limits the ability for ASP.net Core to innovate. They are restricting their own platform to keep the ability of running on the full framework.

So how does the .net standard work? There is another article on this site talking about the standard in general over here, but I’ll do my best to explain it in the context of the ASP.net Core 2.0 debacle.

.net standard is essentially an agreement between the various .net platforms (UWP, .net Full Framework, .net Core, Mono etc), that they will all implement the same functionality. Think of it like an interface where a class can write an implementation of a method however they like, but the important thing is that they implement it in the first place. The issue with the standard as it is today is that everyone has to move together. If the .net core team says “OK, we would like this new thing in the standard please”, they have to wait for agreement from another platform to put it into the standard and implement on their end too (Usually this is going to be from the full framework team).

The problem that the ASP.net core team is facing right now is that they have almost zero baggage and can move at an extreme pace. They are able to innovate and throw things into their platform as fast as a developer can code really. That’s why people are using ASP.net core running on full framework, because they are enjoying the performance improvements that ASP.net core offers. But for them to keep improving AND for ASP.net core to keep supporting the ability to run on full framework, they need the full framework to add things almost as fast so that new versions of the .net standard can be released.

That’s not happening.

And what that means is that if ASP.net Core writes a new feature that utilizes something that is NOT in the .net standard at that point, they cannot actually release it until the .net framework catches up. The ASP.net Core team has basically said that for them to keep moving at the same pace, they are going to have to make their libraries work on .net core only so that their only limitation to releasing new features is their own ability to write them.

To me that’s understandable. They probably need some sort of pathway for those that have been caught in the middle of this hybrid approach. But we can’t have a web framework that everyone loves for it’s ability to innovate be tied down by a legacy frameworks ability to do the same.

Microsoft has backtracked and said that they will continue supporting ASP.net core running on the full .net framework. I think it will be interesting a year from now to see how this pans out. Giving something like another years support seems look a good plan, but I don’t like the open ended support “we will see in a year” type approach.

What’s your thoughts?

Microsoft has released an urgent patch to various packages in .net core. If you are using any of the following packages directly, or any packages you use are also dependent on these packages you should update them immediately. You can read the full advisory on Github here.

Package Affected Versions Fixed Versions
System.Text.Encodings.Web 4.0.0
System.Net.Http 4.1.1
System.Net.Http.WinHttpHandler 4.0.1
System.Net.Security 4.0.0
System.Net.WebSockets.Client 4.0.0
Microsoft.AspNetCore.Mvc 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
Microsoft.AspNetCore.Mvc.Core 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
Microsoft.AspNetCore.Mvc.Abstractions 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
Microsoft.AspNetCore.Mvc.ApiExplorer 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
Microsoft.AspNetCore.Mvc.Cors 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
Microsoft.AspNetCore.Mvc.DataAnnotations 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
Microsoft.AspNetCore.Mvc.Formatters.Json 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
Microsoft.AspNetCore.Mvc.Formatters.Xml 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
Microsoft.AspNetCore.Mvc.Localization 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
Microsoft.AspNetCore.Mvc.Razor.Host 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
Microsoft.AspNetCore.Mvc.Razor 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
Microsoft.AspNetCore.Mvc.TagHelpers 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
Microsoft.AspNetCore.Mvc.ViewFeatures 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
Microsoft.AspNetCore.Mvc.WebApiCompatShim 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2

Fixing Direct Dependencies

To fix direct dependencies, you should simply open your csproj file for your project and check package references for the ones above. If you find any, then you should update to the fixed package version and redeploy immediately if your project is in production.

For example if you had the following csproj file :

The package for Microsoft.AspNetCore version 1.0.3 is vulnerable. Update the version to 1.0.4.

Fixing Transitive Dependencies

Transitive dependencies are dependencies of libraries that you are directly using. These are harder to track down but still simple to fix.

Open your project.assets.json file for your project (Should be in your project folder). Search inside this file for any dependencies that match the vulnerable package list above. If you find a vulnerable package, you need to manually add a reference to the fixed package in your csproj. The csproj version will override any transitive dependencies from other libraries (think of it like version forwarding in web.configs).

Fixing Project.Json (Legacy .net Core Apps)

If you have a .net core web app that is still on project.json, the process is much the same. For more info read the full advisory on Github here.

Straight into the important links.

Download here
Release Notes here

There are a tonne of blogs out there talking about the release, so let’s just jump straight into the 5 features that I think developers will be most excited about. There is a tonne of new stuff coming out, but I think these are the features that will impact developers lives on an almost daily basis.

Inbuilt Unit Testing On The Fly

There has been addons for years that run unit tests as you type and let you know if your unit tests are falling apart, well now Microsoft has added the support to Visual Studio natively! Again Microsoft have outdone themselves by supporting not only MSTest, but XUnit and NUnit are also supported.

Run To Click

A new feature in the debugger, when stopped at a breakpoint in your code, you can now continue execution to a “point” where your mouse clicks rather than having to place a breakpoint every few lines and step through.

Redgate SQL Search

Built into every version of Visual Studio (Including the free Community version), is Redgate’s SQL Search product. How many times have you wanted to know whether a column is referenced anywhere, and you are faced with the daunting task of searching through a massive lump of Stored Procedures? Redgate SQL search takes care of this by allowing you to do a text search across every database object. It really is an awesome product and it’s great that it’s now part of Visual Studio.

Intellisense Filter

Intellisense now has a tray that allows you to filter the member list by type. This means that when you are working with an unfamiliar library (Or a new code base), and you know that “there should be a method that does XYZ”, you can now filter to only methods and ignore all properties. This feature alone makes upgrading to Visual Studio 2017 worth it. Note that the feature is not enabled by default, to do so : go to Tools > Options > Text Editor > [C# / Basic] > IntelliSense and check the options for filtering and highlighting.


Use Of Git.exe

Up until Visual Studio 2017, the Git implementation in VS was built using Github’s libgit2. For most people this was fine, but there were a few features available to you on the command line that weren’t available to you inside Visual Studio. Most notably, the use of SSH keys. While most people who already use Visual Studio’s GIT tools are probably happy with existing functionality, it’s always good to have the tools on parity with what’s already out there.

What Else?

Something else you are excited about? Drop a comment below and let us know!

Microsoft have released a security advisory warning that there is a vulnerability in ASP.net core 1.1 MVC Core package that could allow a Denial Of Service attack. Exactly how to use the vulnerability is not being disclosed by Microsoft at this stage. Understandably so as it seems any .net core app that is on 1.1 will be affected. Note that any ASP.net core version below 1.1 is not affected.

Further info/discussion :

Github Announcement
Redhat Announcement
Reddit Discussion
HN Discussion

The issue is in a package named “Microsoft.AspNetCore.Mvc.Core”, but most people will find that they have a direct reference to the “parent” package named “Microsoft.AspNetCore.Mvc”. Either way, you need to do the below and patch.

How To Patch (project.json)

This is how to fix the vulnerability if you are using project.json (e.g. ASP.net Core 1.1 Preview 2). If you are using csproj (Preview 4), then check the section below.

First open up your project.json file and do a search for “Microsoft.AspNetCore.Mvc*”. So that includes any reference to sub packages such as “Microsoft.AspNetCore.Mvc.Core”. Let’s say you have a project.json similar to the below.

You need to bump the version of the MVC dependency. So change it to 1.1.1 like so :

Open a console inside your project folder and run “dotnet restore” and you should be now on the patched version of the library. Deploy your updated application as soon as possible.

If you cannot find a reference to “Microsoft.AspNetCore.Mvc*” in your project.json it does not mean you are immune.

Open your project.lock.json file, and search for “Microsoft.AspNetCore.Mvc.Core”. If you find it inside this file, it means that a package you are using has a dependency on the package. In this case, you need to manually add the full line to your project.json dependencies.

How To Patch (.csproj)

Patching your csproj file is almost identical, but in lovely XML form.

Search for a reference to “Microsoft.AspNetCore.Mvc*”. It will look something like below :

Bump the version number by 1 :

Open a command prompt in your project folder and run “dotnet restore”. Deploy your updated application as soon as possible.

If you cannot find a reference to “Microsoft.AspNetCore.Mvc*” in your project.json it does not mean you are immune.

You should find a file named project.assets.json in your project folder. Open this and search for “Microsoft.AspNetCore.Mvc.Core”. If you find it, it means that a package you are directly using has a reference itself to the MVC Core package. You need to open up your .csproj, and add in the following line :

Open up a command prompt in your project folder and run “dotnet restore” and you are done. Deploy your updated application as soon as possible.

It’s hard to read an intro to .net core without someone also introducing .net standard and then quickly moving on, leaving you to wonder just what is the .net standard. I’ve seen the same questions come up over and over again.  Is it another framework I have to learn? Is it the old .net? Is .net standard and .net core the same? Hopefully we can answer all those questions today!

.net Standard Is Exactly That. A standard.

.net standard is for lack of a better word, a standard. It’s a description of the core interfaces that every .net platform should implement if they wish to say “I support .net Standard 2.0” for example.

An easy way to see what exactly the standard defines is actually the nuget package here : https://www.nuget.org/packages/NETStandard.Library . If you scroll down you will see descriptions of what each standard defines. So for example, .net Standard 1.1 introduces System.Linq. If you would like to use System.Linq, you will need to use a platform that implements .net Standard 1.1.

That brings us to the next point….

What Is A Platform?

It’s may be also good to take a step back and look at what exactly is a platform. At the moment the Microsoft .net platform list looks like .net Framework (Old .net), .net Core, Xamarin, Universal Windows Platform (UWP), Windows Phone and now also Mono.

Each platform version will implement a specific .net standard version. So for example, .net Framework Version 4.6 implements the .net Standard 1.3, whereas .net Core Version 1.0 implements .net Standard 1.6. If I were to write a library that I wanted a developer to use in both .net Framework Version 4.6 and .net Core Version 1.0, then I would have to target the lowest .net Standard that these platforms implement. That being .net Standard 1.3 in this case.

Microsoft have released an easy to view “chart” that tells you which version of each platform implements each version of the standard. You can see it here.

It’s important to note that each platform can implement it’s own features. Windows Phone for example may implement phone specific classes and interfaces, but it will also expose a classes and interfaces of it’s corresponding .net standard.

When Do You Have To Worry About It?

If you are writing for a particular platform, you usually don’t have to worry about .net standard at all. You may at times wish to look up the standard to see what would be coming to your platform next release, but that’s about it.

If you are developing your own library that you wish to be used across multiple platforms, that’s when the .net standard comes in handy. If you write a library that you want working on .net Core, UWP, Windows Phone and .net Framework, you will need to only use classes that are available on all of those platforms. How do you know what classes are available on all platforms? The .net Standard!

What we will likely see in the future from library developers is the requirements changing from “You need .net Framework version 4.6” to, “This is built on top of .net standard 1.6”. And from there you can go and look up what platforms use that standard.

A Web Analogy

Let’s try and think about this in a web sense. It’s not a direct analogy, but we’ll try. Let’s take ECMAScript or Javascript as an example. ECMAScript is a standard. It’s defined in a way that browsers then have to implement. Each browser implements ECMAScript, but they can also do their own things on top (In terms of favourites, addons, plugins etc). This is similar to how a .net platform would work, they implement the standard, but then they can add their own platform specific items on top.

Now if you are writing a website and you wish to use a certain feature of javascript, you have to look at what browsers have implemented that feature. Then you make the decision, either you support “old” browsers, or you only outlay your support for certain modern browsers. This is similar to how it would work if you were writing a .net library. You look at what platforms you wish to support, but if they are old, crusty and are only implementing an old version of the .net Standard, then you can forgo supporting that platform and target a higher standard.

There is one big difference however. Unlike ECMAScript (And other web technologies like CSS), it’s hoped that platforms implement an all or nothing approach when it comes to moving up the .net standard ladder. Either you implement .net Standard 1.5 or 1.6, but you don’t release a platform version that implements 1.5 and a few features from 1.6. Remember, .net Standard is supposed to make it “easy” to determine what classes and interfaces you have available.


I’ll admit, I’m still wrapping my head around how .net standard works. But it’s early days yet. You can go to the Microsoft Github and see people still discussing how things should work long term, so it’s not just your everyday developer trying to work it out. If you have any questions feel free to comment below and I’ll do my best to answer.

It’s not like the war of Pascalcase vs Camelcase hasn’t been going on for a very long time, but in ASP.net core it flared up again with a breaking change in ASP.net core 1.0. You can read the actual change request here on Github, and then the subsequent announcement with some unhappy campers here.

To be clear.

In earlier versions of Web API and indeed early versions of ASP.net core, the default serialization of an object to JSON results in Pascalcase names. When a C# app is talking to another C# app, the casing actually doesn’t matter. You can send JSON data with mYVaRiAbLE and it will still be deserialized into MyVariable in C#.

The issue usually reared it’s head when you were using javascript to consume your Web API. Afterall, when Mozilla, Google, jQuery, WordPress and countless others cite camelCase as the standard for Javascript naming, it’s probably what most people expect to see. If you are binding a model using Angular or similar from a Web API, you probably want to keep with the same naming format. Not have properties that came from your API suddenly be in Pascal Case.

It mostly comes down to the 80/20 rule. I would say a large majority of people using ASP.net core are also using some sort of javascript framework to bind models. And for that, camelCase is best.

So, what are your options if you are still #TeamPascalCase?

Change To PascalCase In ASP.net Core 1.0+

Probably the most annoying thing about this change is that you need to change the ContractResolver for the Json Serializer. The thing that gets people’s goat is that the resolver that makes things PascalCase is actually called the “DefaultContractResolver”…. Even though in version 1.0 and onwards it isn’t the default at all…..

In anycase, in your startup.cs file, find your ConfigureServices method. You should already have an AddMVC call, and tack onto it like so :

Change To camelCase In ASP.net Core <1.0

Just incase you are behind with the times in ASP.net Core versions and you want to move to camelCase by default (Possibly in preparation for upgrading), you can do so by doing similar to the above, but instead making the contract resolver camel case like so :

So you’ve heard about ASP.net Core and you’re considering the move, but you want to know if it’s really worth it. You will always have to weigh up the pros and cons, especially if you are intending to move an existing app into .net core. But here’s 5 reasons you should definitely consider ASP.net core for your next project.

It’s A Small Learning Curve

Yes it’s true that there is a learning curve when learning .net core, even if you’re a seasoned ASP.net developer, but it’s not as big as you might think. For example, the language is still C#, namespaces are often the same or have been lifted and shifted to an easy location, and many classes/pieces of code you already have are usually able to be moved without too much hassle.

With that being said, there are a few notable exceptions. Things like cryptography services have either been severely changed. In some cases classes like the FTPWebRequest have been completely removed, much to the annoyance of some (Although should be added back in the future). If you are doing a small test application in .net core or have full embraced microservices, you will quickly be able to validate if .net core has everything you need. If you are attempting to port a massive monolith, it might be worthwhile researching into the few things .net core is currently lacking before setting off.

Multi Platform

Usually seen as the number one reason to make the switch. ASP.net Core is able to be run (And developed) on Windows, Mac and Linux. While Visual Studio is still Windows only, VS Code and Jetbrains Rider are available on all OS to develop .net core solutions. Your devops team will no doubt love you with the ability to now deploy the code on cheaper (And to some people, more reliable) Linux machines too!

It’s not like you are left on your own to work it out either. Microsoft has published documentation on getting ASP.net core running on Ubuntu, documentation on getting ASP.net core running on Apache with CentOS, and even how to get everything up and running on Docker. Imagine that happening just 5 years ago!

One Web Framework To Learn

In previous versions of ASP.net you had a difference between MVC controllers and API controllers. It seemed simple enough, but you then ended up with different ways to configure your web app. You could be half way through a ModelBinding tutorial before you realized it was for MVC only and you had to do something slightly different to get it working in the API. It was super frustrating! But in .net Core, It is all one and the same. One action can return JSON data, one can return an ActionResult, all in the same controller!

It’s Light

Previously you had to have the .net framework installed on your target machine when deploying. Not anymore! When deploying .net applications you can package up everything your app needs into a single zip and deploy only that. That means that your only shifting exactly what you need, as well as reducing the complexity of a machine setup if you are doing horizontal scaling.

It’s Fast

While the results are somewhat disputed on how “useful” and “real world” they are. The current benchmarks of ASP.net core’s web server (Kestrel), can currently serve over 1.2 million requests per second. For comparison in that benchmark, standard IIS can server around around 60k per second. These are plaintext benchmarks so it’s not running actual .net core code, but it’s still interesting to see the huge improvement in web server performance.