There is a current proposal that’s getting traction (By some) to make it into C# 8. That’s “default interface methods”. Because at the time of writing, C# 8 is not out, nor has this new language feature even “definitely” made it into that release, this will be more about the proposal and my two cents on it rather than any specific tutorial on using them.

What Are Default Interface Methods?

Before I start, it’s probably worth reading the summary of the proposal on Github here : https://github.com/dotnet/csharplang/issues/288. It’s important to remember is that this is just a proposal so not everything described will actually be implemented (Or implemented in the way it’s initially being described). Take everything with a grain of salt.

The general idea is that an interface can provide a method body. So :

A class that implements this interface does not have to implement methods where a body has been provided. So for example :

The interesting thing is that the class itself does not have the ability to run methods that have been defined and implemented on an interface. So :

The general idea is that this will now allow you to do some sort of multiple inheritance of behaviour/methods (Which was previously unavailable in C#).

There are a few other things that then are required (Or need to become viable) when opening this up. For example allowing private level methods with a body inside an interface (To share code between default implementations).

Abstract Classes vs Default Interface Methods

While it does start to blur the lines a bit, there are still some pretty solid differences. The best quote I heard about it was :

Interfaces define behaviour, classes define state.

And that does make some sense. Interfaces still can’t define a constructor, so if you want to share constructor logic, you will need to use an abstract/base class. An interface also cannot define class level variables/fields.

Classes also have the ability to define accessibility of it’s members (For example making a method protected), whereas with an interface everything is public. Although part of the proposal is extending interfaces with things like the static keyword and protected, internal etc (I really don’t agree with this).

Because the methods themselves are only available when you cast back to the interface, I can’t really see it being a drop in replacement for abstract classes (yet), but it does blur the lines just enough to ask the question.

My Two Cents

This feels like one of those things that just “feels” wrong. And that’s always a hard place to start because it’s never going to be black and white. I feel like interfaces are a very “simple” concept in C# and this complicates things in ways which I don’t see a huge benefit. It reminds me a bit of the proposal of “Primary Constructors” that was going to make it into C# 6 (See more here : http://www.alteridem.net/2014/09/08/c-6-0-primary-constructors/). Thankfully that got dumped but it was bolting on a feature that I’m not sure anyone was really clamoring for.

But then again, there are some merits to the conversation. One “problem” with interfaces is that you have to implement every single member. This can at times lock down any ability to extend the interface because you will immediately blow up any class that has already inherited that interface (Or it means your class becomes littered with throw new NotImplementedException() ).

There’s even times when you implement an interface for the first time, and you have to pump out 20 or so method implementations that are almost boilerplate in content. A good example given in the proposal is that of IEnumerable. Each time you implement this you are required to get RSI on your fingers by implementing every detail. Where if there was default implementations, there might be only a couple of methods that you truly want to make your own, and the default implementations do the job just fine for everything else.

All in all, I feel like the proposal should be broken down and simplified. It’s almost like an American political bill in that there seems to be a lot in there that’s causing a bit of noise (allowing static, protected members on interfaces etc). It needs to be simplified down and just keep the conversation on method bodies in interfaces and see how it works out because it’s probably a conversation worth having.

What do you think? Drop a comment below.

I’ve recently been playing around with all of the new features packaged into C# 7.2. One such feature that piqued my interest because of it’s simplicity was the “in” keyword. It’s one of those things that you can get away with never using in your day to day work, but makes complete sense when looking at language design from a high level.

In simple terms, the in  keyword specifies that you are passing a parameter by reference, but also that you will not modify the value inside a method. For example :

In this example we pass in two parameters essentially by reference, but we also specify that they will not be modified within the method. If we try and do something like the following :

We get a compile time error:

Accessing C# 7.2 Features

I think I should just quickly note how to actually access C# 7.2 features as they may not be immediately available on your machine. The first step is to ensure that Visual Studio is up to date on your machine. If you are able to compile C# 7.2 code, but intellisense is acting up and not recognizing new features, 99% of the time you just need to update Visual Studio.

Once updated, inside the csproj of your project, add in the following :

And you are done!

Performance

When passing value types into a method, normally this would be copied to a new memory location and you would have a clone of the value passed into a method. When using the in  keyword, you will be passing the same reference into a method instead of having to create a copy. While the performance benefit may be small in simple business applications, in a tight loop this could easily add up.

But just how much performance gain are we going to see? I could take some really smart people’s word for it, or I could do a little bit of benchmarking. I’m going to use BenchmarkDotNet (Guide here) to compare performance when passing a value type into a method normally, or as an in  parameter.

The benchmarking code is :

And the results :

We can definitely see the speed difference here. This makes sense because really all we are doing is passing in a variable and doing nothing else. It has to be said that I can’t see the in  keyword being used to optimize code in everyday business applications, but there is definitely something there for time critical applications such as large scale number crunchers.

Explicit In Design

While the performance benefits are OK something else that comes to mind is that when you use in  is that you are being explicit in your design. By that I mean that you are laying out exactly how you intend the application to function. “If I pass this a variable into this method, I don’t expect the variable to change”. I can see this being a bigger benefit to large business applications than any small performance gain.

A way to look at it is how we use things like private  and readonly . Our code will generally work if we just make everything public  and move on, but it’s not seen as “good” programming habits. We use things like readonly  to explicitly say how we expect things to run (We don’t expect this variable to be modified outside of the constructor etc). And I can definitely see in  being used in a similar sort of way.

Comparisons To “ref” (and “out”)

A comparison could be made to the ref keyword in C# (And possibly to a lesser extend the out keyword). The main differences are :

in  – Passes a variable in to a method by reference. Cannot be set inside the method.
ref  – Passes a variable into a method by reference. Can be set/changed inside the method.
out  – Only used for output from a method. Can (and must) be set inside the method.

So it certainly looks like the ref keyword is almost the same as in, except that it allows a variable to change it’s value. But to check that, let’s run our performance test from earlier but instead add in a ref scenario.

So it’s close when it comes to performance benchmarking. However again, in  is still more explicit than ref because it tells the developer that while it’s allowing a variable to be passed in by reference, it’s not going to change the value at all.

Important Performance Notes For In

While writing the performance tests for this post, I kept running into instances where using in  gave absolutely no performance benefit whatsoever compared to passing by value. I was pulling my hair out trying to understand exactly what was going on.

It wasn’t until I took a step back and thought about how in  could work under the hood, coupled with a stackoverflow question or two later that I had the nut cracked. Consider the following code :

What will the output be? If you guessed 1. You would be correct! So what’s going on here? We definitely told our struct to set it’s value to 1, then we passed it by reference via the in keyword to another method, and that told the struct to update it’s value to 5. And everything compiled and ran happily so we should be good right? We should see the output as 5 surely?

The problem is, C# has no way of knowing when it calls a method (or a getter) on a struct whether that will also modify the values/state of it. What it instead does is create what’s called a “defensive copy”. When you run a method/getter on a struct, it creates a clone of the struct that was passed in and runs the method instead on the clone. This means that the original copy stays exactly the same as it was passed in, and the caller can still count on the value it passed in not being modified.

Now where this creates a bit of a jam is that if we are cloning the struct (Even as a defensive copy), then the performance gain is lost. We still get the design time niceness of knowing that what we pass in won’t be modified, but at the end of the day we may aswell passed in by value when it comes to performance. You’ll see in my tests, I used plain old variables to avoid this issue. If you are not using structs at all and instead using plain value types, you avoid this issue altogether.

To me I think this could crop up in the future as a bit of a problem. A method may inadvertently run a method that modifies the structs state, and now it’s running off “different” data than what the caller is expecting. I also question how this will work in multi-threaded scenarios. What if the caller goes away and modified the struct, expecting the method to get the updated value, but it’s created a defensive clone? Plenty to ponder (And code out to test in the future).

Summary

So will there be a huge awakening of using the in keyword in C#? I’m not sure. When Expression-bodied Members (EBD) came along I didn’t think too much of them but they are used in almost every piece of C# code these days. But unlike EBD, the in  keyword doesn’t save typing or having to type cruft, so it could just be resigned to one of those “best practices” lists. Most of all I’m interested in how in  transforms over future versions of C# (Because I really think it has to).   What do you think?

I recently had the opportunity to log a bug against Entity Framework Core on Github with the Microsoft team. Before I sent it through, I took a look at other issues listed against the project to see the best way to describe my problem in such a public forum. While some reports were really detailed and got right to the heart of the issue, others were really weak and were likely better off being StackOverflow questions. Sometimes the reports actually did sound like they could be bugs, but just had absolutely no detail in them to take any further. Sometimes the user just didn’t quite know how to articulate the issue, and instead of outlaying the problem via code (We are developers after all), they just gave a wall of text to try and describe the problem they were having.

With that in mind, I thought I would jot down my top 3 things I noticed these poor bug reports were lacking. While I used the EF Core project on Github as examples, I didn’t

Debug It Yourself

A simple thing, but something that didn’t look like it was happening as much as it should. The amount of code that I use in day to day work that is open source is actually astounding to think about when compared to just a few years ago. With that in mind, everytime I start getting weird exceptions that I think could be a bug, I immediately go and check if I am able to get my hands on the source code to have a look.

I think sometimes people have a fear that the code will be way over their heads and difficult to understand. But it can be as simple as searching an open source project for the exception message or error code you are getting.

Let’s take my bug for example. It related to an exception being thrown from Automapper with very specific wording. Literally all I did was try and do a search on Github for the exact error message  and what do you know!

Digging deeper we can see the following lines of code :

OK so that’s given us a pretty good idea that the configuration is being set twice for some reason. It sets our brain in motion for different ways we could test theories about why this would be happening. As it turned out, it’s because a particular method in .NET Core runs twice when it should only be running once. And the reason it only happened in particular with Automapper was because the variable itself is static in the Automapper code (Another thing we learned by taking a look at the source ourselves).

We may not be able to completely code a fix, but will atleast help us to better articulate the issue and come up with simple repo steps when we log our bug report.

Don’t forget to explain what you’ve already looked into or done when logging the issue too. I saw a couple of bugs logged that had quite a bit of back and forth along the lines of “Can you try doing this?”, and the reply being “Yes, I have already tried that”. Well then put it in the report!

Create A Complete Solution Repository

Many reports start off with “Create a web project, then add this nuget package with this particular version, and then write code that does XYZ, then …”. It quickly becomes hard to follow and actually ends up with some sort of miscommunication issue anyway.

Creating a minimal code solution in it’s repository serves two purposes. The first is that you no longer have to explain exactly how someone can replicate the issue. The second is that it actually helps you remove any possible issues with your own code. Isolating the bug to it’s simplest possible form in a nice stand alone application is one of the biggest things you can do to help move a bug report along quickly.

And remember, it doesn’t have to be some amazing engineering feat. The Github repository I submitted with my bug report can be found here. It’s literally the Web API standard project template (Complete with the default routes and controllers), with a couple of extra lines in my startup file to replicate the bug. It may seem like going to this effort to upload what is almost a default project is a big hassle, but if you don’t, then the developer looking into your bug will have to do it anyway.

Simplify The Issue To As Few Code Lines As Possible

And finally, while you may have created a repository replicating the issue, it’s still a good idea to be able to reduce the bug down to as few lines of code as possible and have this code sitting in the bug report itself. Even pseudocode is better than nothing.

Let’s try something. I’ll explain a fictitious bug first in words, then in code.

Bug explanation in words :
When I run a select on a list that contains a cast, then call first on the return list, I get an error. If I don’t cast in the select (But still run the select) on the list, then call First, I don’t get an error.

Bug explanation in code :

Which one is easier to follow for you? If you’re a developer, I can almost guarantee that looking at code is easier for you. When we’ve spent years looking at lines of code on our screen, it just *clicks* in our brain when we see it there.

Now that doesn’t mean that you shouldn’t also write a concise description of your bug too! That’s still important. And the same can be said for creating an entire solution to replicate your issue. Pasting lines of code into a bug report supplements your reproducible solution, it doesn’t replace it.

Summary

There’s a tonne of nuances around logging bugs for open source projects. Especially when the projects are as big as some of the Microsoft ones are. I could go on and on with other smaller issues that seemed to stall bug reports, but to me these were the big 3 that almost all bugs that got thrown back over the fence were lacking. What’s your tips for a good bug report? Drop a comment below and let us know.

With the release of .NET Core 2.0 comes a large “meta package” with the name Microsoft.AspNetCore.All. It’s a sort of god mode package that contains all you need to get up and running on ASP.net Core without having to figure out which nuget package does what. But it does have some massive pitfalls in my opinion.

Why Have A Meta Package At All?

When ASP.net Core is split into multiple smaller packages, the “versions” of these packages start to get all out of sync over time. This is especially true if you have ever tried to upgrade a project between .NET core versions, you end up having to go through all your smaller AspNetCore packages and work out which ones you should be version bumping. Take the following for example :

Here you have many aspnetcore and EntityFramework packages that all have slightly off versions. In ASP.net Core 2.0, using the “Microsoft.AspNetCore.All” meta package, your package references instead look like this :

What this should mean is that by updating a single package, you will be able to run on the latest ASP.net Core version. It also makes your csproj a bit easier on the eye with a single package being your “framework”, and any other package references being ones you have added explicitly.

What’s Inside The Microsoft.AspNetCore.All package

The meta package contains :

  • Every single AspNetCore package published by Microsoft
  • Every EntityFrameworkCore package published by Microsoft
  • Any supporting packages required for the framework to run (For example Json.Net)

Now, that probably sounds huge and you will probably ask yourself,  won’t the resulting deployment be out of control? You would essentially be “shipping” the entire framework right? Well..

Deployment and Runtime Store

Microsoft have gone back to something called the “Runtime Store“. I say the words “gone back” because this functions almost the same as the GAC on .net Full Framework projects. That is, your target machine would have to have the .NET Core runtime installed on it for you to be able to use the aspnetcore meta package. When you deploy, you won’t actually deploy any of the framework packages, your code will instead utilize the ones already on the machine.

And if the machine doesn’t have the runtime installed? Well, that’s where things start to fall down. If you are looking to do self contained deployments (Which was a massive selling point of .NET Core), then you cannot use the meta package. You would need to reference packages manually. I can see how this could turn into a headache down the road because it makes the creation of the project and whether you use the meta package so important. Imagine getting to the point you are ready to deploy, and your dev ops team prefers going down a self contained deployment route. Now you will have to go back and work out which packages you are using from the meta and add them all in manually. Painful!

Getting Started

By default, when you create any project using ASP.net Core 2.0, you will be using the meta package. If you know you won’t be using self contained deployments any time soon, then it’s safe to go ahead and use, and really, it does alleviate some headaches of knowing which packages have what. I can’t tell you how many times I start a new project and I have to go back and manually add in the packages for authentication, entityframework, staticfiles etc. Give it a go and let me know what you think below!

The web has been going ballistic over a proposed ASP.net Core change.

Exhibit A : https://github.com/aspnet/Home/issues/2022

ASP.net Core was now going to run solely on…. .net core. Sounds confusing? Keep reading.

It’s been interesting to read reaction on message boards such as Reddit and HN. Mostly because people take the opportunity to lay the smack down on Microsoft without full understanding the situation. Certainly if you don’t use .net core on a daily basis, it just looks like Microsoft doing whatever it wants developers be damned.

But here’s the thing. I actually agree with Microsoft on this one to a certain degree. And I actually think their eventual decision to not press forward with the changes could actually hurt ASP.net core in the long run. This post is a bit of a riff off a Reddit comment I also made so it may be a bit over the place.

Let me explain.

There is currently 3 (main) ways to write a web application in the .net ecosystem

  • ASP.net Core
  • ASP.net Full Framework
  • ASP.net Core running on Full Framework

That last one is probably the eye brow raiser and the one that sounds the most “cobbled together”. And it’s actually the one that everyone is fighting over.

You see you can actually run ASP.net Core on the full framework. You get all the benefits that the ASP.net Core team gives you (Kestrel etc), but you still have the ability to use full framework libraries. Sounds like a win win right? Kinda.

The reason this works is because ASP.net Core is written against .net standard. That means any classes/methods it calls will also be available in full framework. But it also limits the ability for ASP.net Core to innovate. They are restricting their own platform to keep the ability of running on the full framework.

So how does the .net standard work? There is another article on this site talking about the standard in general over here, but I’ll do my best to explain it in the context of the ASP.net Core 2.0 debacle.

.net standard is essentially an agreement between the various .net platforms (UWP, .net Full Framework, .net Core, Mono etc), that they will all implement the same functionality. Think of it like an interface where a class can write an implementation of a method however they like, but the important thing is that they implement it in the first place. The issue with the standard as it is today is that everyone has to move together. If the .net core team says “OK, we would like this new thing in the standard please”, they have to wait for agreement from another platform to put it into the standard and implement on their end too (Usually this is going to be from the full framework team).

The problem that the ASP.net core team is facing right now is that they have almost zero baggage and can move at an extreme pace. They are able to innovate and throw things into their platform as fast as a developer can code really. That’s why people are using ASP.net core running on full framework, because they are enjoying the performance improvements that ASP.net core offers. But for them to keep improving AND for ASP.net core to keep supporting the ability to run on full framework, they need the full framework to add things almost as fast so that new versions of the .net standard can be released.

That’s not happening.

And what that means is that if ASP.net Core writes a new feature that utilizes something that is NOT in the .net standard at that point, they cannot actually release it until the .net framework catches up. The ASP.net Core team has basically said that for them to keep moving at the same pace, they are going to have to make their libraries work on .net core only so that their only limitation to releasing new features is their own ability to write them.

To me that’s understandable. They probably need some sort of pathway for those that have been caught in the middle of this hybrid approach. But we can’t have a web framework that everyone loves for it’s ability to innovate be tied down by a legacy frameworks ability to do the same.

Microsoft has backtracked and said that they will continue supporting ASP.net core running on the full .net framework. I think it will be interesting a year from now to see how this pans out. Giving something like another years support seems look a good plan, but I don’t like the open ended support “we will see in a year” type approach.

What’s your thoughts?

Microsoft has released an urgent patch to various packages in .net core. If you are using any of the following packages directly, or any packages you use are also dependent on these packages you should update them immediately. You can read the full advisory on Github here.

Package Affected Versions Fixed Versions
System.Text.Encodings.Web 4.0.0
4.3.0
4.0.1
4.3.1
System.Net.Http 4.1.1
4.3.1
4.1.2
4.3.2
System.Net.Http.WinHttpHandler 4.0.1
4.3.0
4.0.2
4.3.1
System.Net.Security 4.0.0
4.3.0
4.0.1
4.3.1
System.Net.WebSockets.Client 4.0.0
4.3.0
4.0.1
4.3.1
Microsoft.AspNetCore.Mvc 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
1.0.4
1.1.3
Microsoft.AspNetCore.Mvc.Core 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
1.0.4
1.1.3
Microsoft.AspNetCore.Mvc.Abstractions 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
1.0.4
1.1.3
Microsoft.AspNetCore.Mvc.ApiExplorer 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
1.0.4
1.1.3
Microsoft.AspNetCore.Mvc.Cors 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
1.0.4
1.1.3
Microsoft.AspNetCore.Mvc.DataAnnotations 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
1.0.4
1.1.3
Microsoft.AspNetCore.Mvc.Formatters.Json 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
1.0.4
1.1.3
Microsoft.AspNetCore.Mvc.Formatters.Xml 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
1.0.4
1.1.3
Microsoft.AspNetCore.Mvc.Localization 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
1.0.4
1.1.3
Microsoft.AspNetCore.Mvc.Razor.Host 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
1.0.4
1.1.3
Microsoft.AspNetCore.Mvc.Razor 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
1.0.4
1.1.3
Microsoft.AspNetCore.Mvc.TagHelpers 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
1.0.4
1.1.3
Microsoft.AspNetCore.Mvc.ViewFeatures 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
1.0.4
1.1.3
Microsoft.AspNetCore.Mvc.WebApiCompatShim 1.0.0, 1.0.1, 1.0.2, 1.0.3
1.1.0, 1.1.1, 1.1.2
1.0.4
1.1.3

Fixing Direct Dependencies

To fix direct dependencies, you should simply open your csproj file for your project and check package references for the ones above. If you find any, then you should update to the fixed package version and redeploy immediately if your project is in production.

For example if you had the following csproj file :

The package for Microsoft.AspNetCore version 1.0.3 is vulnerable. Update the version to 1.0.4.

Fixing Transitive Dependencies

Transitive dependencies are dependencies of libraries that you are directly using. These are harder to track down but still simple to fix.

Open your project.assets.json file for your project (Should be in your project folder). Search inside this file for any dependencies that match the vulnerable package list above. If you find a vulnerable package, you need to manually add a reference to the fixed package in your csproj. The csproj version will override any transitive dependencies from other libraries (think of it like version forwarding in web.configs).

Fixing Project.Json (Legacy .net Core Apps)

If you have a .net core web app that is still on project.json, the process is much the same. For more info read the full advisory on Github here.

Straight into the important links.

Download here
Release Notes here

There are a tonne of blogs out there talking about the release, so let’s just jump straight into the 5 features that I think developers will be most excited about. There is a tonne of new stuff coming out, but I think these are the features that will impact developers lives on an almost daily basis.

Inbuilt Unit Testing On The Fly

There has been addons for years that run unit tests as you type and let you know if your unit tests are falling apart, well now Microsoft has added the support to Visual Studio natively! Again Microsoft have outdone themselves by supporting not only MSTest, but XUnit and NUnit are also supported.

Run To Click

A new feature in the debugger, when stopped at a breakpoint in your code, you can now continue execution to a “point” where your mouse clicks rather than having to place a breakpoint every few lines and step through.

Redgate SQL Search

Built into every version of Visual Studio (Including the free Community version), is Redgate’s SQL Search product. How many times have you wanted to know whether a column is referenced anywhere, and you are faced with the daunting task of searching through a massive lump of Stored Procedures? Redgate SQL search takes care of this by allowing you to do a text search across every database object. It really is an awesome product and it’s great that it’s now part of Visual Studio.

Intellisense Filter

Intellisense now has a tray that allows you to filter the member list by type. This means that when you are working with an unfamiliar library (Or a new code base), and you know that “there should be a method that does XYZ”, you can now filter to only methods and ignore all properties. This feature alone makes upgrading to Visual Studio 2017 worth it. Note that the feature is not enabled by default, to do so : go to Tools > Options > Text Editor > [C# / Basic] > IntelliSense and check the options for filtering and highlighting.

 

Use Of Git.exe

Up until Visual Studio 2017, the Git implementation in VS was built using Github’s libgit2. For most people this was fine, but there were a few features available to you on the command line that weren’t available to you inside Visual Studio. Most notably, the use of SSH keys. While most people who already use Visual Studio’s GIT tools are probably happy with existing functionality, it’s always good to have the tools on parity with what’s already out there.

What Else?

Something else you are excited about? Drop a comment below and let us know!

Microsoft have released a security advisory warning that there is a vulnerability in ASP.net core 1.1 MVC Core package that could allow a Denial Of Service attack. Exactly how to use the vulnerability is not being disclosed by Microsoft at this stage. Understandably so as it seems any .net core app that is on 1.1 will be affected. Note that any ASP.net core version below 1.1 is not affected.

Further info/discussion :

Github Announcement
Redhat Announcement
Reddit Discussion
HN Discussion

The issue is in a package named “Microsoft.AspNetCore.Mvc.Core”, but most people will find that they have a direct reference to the “parent” package named “Microsoft.AspNetCore.Mvc”. Either way, you need to do the below and patch.

How To Patch (project.json)

This is how to fix the vulnerability if you are using project.json (e.g. ASP.net Core 1.1 Preview 2). If you are using csproj (Preview 4), then check the section below.

First open up your project.json file and do a search for “Microsoft.AspNetCore.Mvc*”. So that includes any reference to sub packages such as “Microsoft.AspNetCore.Mvc.Core”. Let’s say you have a project.json similar to the below.

You need to bump the version of the MVC dependency. So change it to 1.1.1 like so :

Open a console inside your project folder and run “dotnet restore” and you should be now on the patched version of the library. Deploy your updated application as soon as possible.

If you cannot find a reference to “Microsoft.AspNetCore.Mvc*” in your project.json it does not mean you are immune.

Open your project.lock.json file, and search for “Microsoft.AspNetCore.Mvc.Core”. If you find it inside this file, it means that a package you are using has a dependency on the package. In this case, you need to manually add the full line to your project.json dependencies.

How To Patch (.csproj)

Patching your csproj file is almost identical, but in lovely XML form.

Search for a reference to “Microsoft.AspNetCore.Mvc*”. It will look something like below :

Bump the version number by 1 :

Open a command prompt in your project folder and run “dotnet restore”. Deploy your updated application as soon as possible.

If you cannot find a reference to “Microsoft.AspNetCore.Mvc*” in your project.json it does not mean you are immune.

You should find a file named project.assets.json in your project folder. Open this and search for “Microsoft.AspNetCore.Mvc.Core”. If you find it, it means that a package you are directly using has a reference itself to the MVC Core package. You need to open up your .csproj, and add in the following line :

Open up a command prompt in your project folder and run “dotnet restore” and you are done. Deploy your updated application as soon as possible.

It’s hard to read an intro to .net core without someone also introducing .net standard and then quickly moving on, leaving you to wonder just what is the .net standard. I’ve seen the same questions come up over and over again.  Is it another framework I have to learn? Is it the old .net? Is .net standard and .net core the same? Hopefully we can answer all those questions today!

.net Standard Is Exactly That. A standard.

.net standard is for lack of a better word, a standard. It’s a description of the core interfaces that every .net platform should implement if they wish to say “I support .net Standard 2.0” for example.

An easy way to see what exactly the standard defines is actually the nuget package here : https://www.nuget.org/packages/NETStandard.Library . If you scroll down you will see descriptions of what each standard defines. So for example, .net Standard 1.1 introduces System.Linq. If you would like to use System.Linq, you will need to use a platform that implements .net Standard 1.1.

That brings us to the next point….

What Is A Platform?

It’s may be also good to take a step back and look at what exactly is a platform. At the moment the Microsoft .net platform list looks like .net Framework (Old .net), .net Core, Xamarin, Universal Windows Platform (UWP), Windows Phone and now also Mono.

Each platform version will implement a specific .net standard version. So for example, .net Framework Version 4.6 implements the .net Standard 1.3, whereas .net Core Version 1.0 implements .net Standard 1.6. If I were to write a library that I wanted a developer to use in both .net Framework Version 4.6 and .net Core Version 1.0, then I would have to target the lowest .net Standard that these platforms implement. That being .net Standard 1.3 in this case.

Microsoft have released an easy to view “chart” that tells you which version of each platform implements each version of the standard. You can see it here.

It’s important to note that each platform can implement it’s own features. Windows Phone for example may implement phone specific classes and interfaces, but it will also expose a classes and interfaces of it’s corresponding .net standard.

When Do You Have To Worry About It?

If you are writing for a particular platform, you usually don’t have to worry about .net standard at all. You may at times wish to look up the standard to see what would be coming to your platform next release, but that’s about it.

If you are developing your own library that you wish to be used across multiple platforms, that’s when the .net standard comes in handy. If you write a library that you want working on .net Core, UWP, Windows Phone and .net Framework, you will need to only use classes that are available on all of those platforms. How do you know what classes are available on all platforms? The .net Standard!

What we will likely see in the future from library developers is the requirements changing from “You need .net Framework version 4.6” to, “This is built on top of .net standard 1.6”. And from there you can go and look up what platforms use that standard.

A Web Analogy

Let’s try and think about this in a web sense. It’s not a direct analogy, but we’ll try. Let’s take ECMAScript or Javascript as an example. ECMAScript is a standard. It’s defined in a way that browsers then have to implement. Each browser implements ECMAScript, but they can also do their own things on top (In terms of favourites, addons, plugins etc). This is similar to how a .net platform would work, they implement the standard, but then they can add their own platform specific items on top.

Now if you are writing a website and you wish to use a certain feature of javascript, you have to look at what browsers have implemented that feature. Then you make the decision, either you support “old” browsers, or you only outlay your support for certain modern browsers. This is similar to how it would work if you were writing a .net library. You look at what platforms you wish to support, but if they are old, crusty and are only implementing an old version of the .net Standard, then you can forgo supporting that platform and target a higher standard.

There is one big difference however. Unlike ECMAScript (And other web technologies like CSS), it’s hoped that platforms implement an all or nothing approach when it comes to moving up the .net standard ladder. Either you implement .net Standard 1.5 or 1.6, but you don’t release a platform version that implements 1.5 and a few features from 1.6. Remember, .net Standard is supposed to make it “easy” to determine what classes and interfaces you have available.

Questions?

I’ll admit, I’m still wrapping my head around how .net standard works. But it’s early days yet. You can go to the Microsoft Github and see people still discussing how things should work long term, so it’s not just your everyday developer trying to work it out. If you have any questions feel free to comment below and I’ll do my best to answer.

It’s not like the war of Pascalcase vs Camelcase hasn’t been going on for a very long time, but in ASP.net core it flared up again with a breaking change in ASP.net core 1.0. You can read the actual change request here on Github, and then the subsequent announcement with some unhappy campers here.

To be clear.

In earlier versions of Web API and indeed early versions of ASP.net core, the default serialization of an object to JSON results in Pascalcase names. When a C# app is talking to another C# app, the casing actually doesn’t matter. You can send JSON data with mYVaRiAbLE and it will still be deserialized into MyVariable in C#.

The issue usually reared it’s head when you were using javascript to consume your Web API. Afterall, when Mozilla, Google, jQuery, WordPress and countless others cite camelCase as the standard for Javascript naming, it’s probably what most people expect to see. If you are binding a model using Angular or similar from a Web API, you probably want to keep with the same naming format. Not have properties that came from your API suddenly be in Pascal Case.

It mostly comes down to the 80/20 rule. I would say a large majority of people using ASP.net core are also using some sort of javascript framework to bind models. And for that, camelCase is best.

So, what are your options if you are still #TeamPascalCase?

Change To PascalCase In ASP.net Core 1.0+

Probably the most annoying thing about this change is that you need to change the ContractResolver for the Json Serializer. The thing that gets people’s goat is that the resolver that makes things PascalCase is actually called the “DefaultContractResolver”…. Even though in version 1.0 and onwards it isn’t the default at all…..

In anycase, in your startup.cs file, find your ConfigureServices method. You should already have an AddMVC call, and tack onto it like so :

Change To camelCase In ASP.net Core <1.0

Just incase you are behind with the times in ASP.net Core versions and you want to move to camelCase by default (Possibly in preparation for upgrading), you can do so by doing similar to the above, but instead making the contract resolver camel case like so :