Contributor

@paulmedynski paulmedynski commented Dec 10, 2025

Description

  • Removed unused dependencies across all driver and test projects.
  • Updated some dependencies, avoiding transitive vulnerabilities.
  • Updated nuspec files to remove/update dependencies accordingly.

NOTE: Some packages have DOWNGRADED major versions due to migrating from Direct dependencies to Transitive dependencies. This will have no effect on downstream apps, since the intermediate packages were already compatible with the previous Direct dependency versions. If apps were directly using those packages at-or-above the previous versions, NuGet will automatically resolve the transitive dependencies as it was doing before.

Details

MDS

| Package | Target Framework | Previous Dependency Type | Previous Version | Current Dependency Type | Current Version |
|---|---|---|---|---|---|
| Microsoft.Bcl.AsyncInterfaces | net462 | Transitive | 6.0.0 | Transitive | 1.1.1 |
| System.Buffers | net462 | Direct | 4.5.1 | Direct | 4.6.1 |
| System.Buffers | netstandard2.0 | Direct | 4.5.1 | Direct | 4.6.1 |
| System.Diagnostics.DiagnosticSource | net6.0 | Direct | 6.0.1 | Transitive | 6.0.1 |
| System.Text.Encodings.Web | net462 | Direct | 6.0.1 | Transitive | 4.7.2 |
| System.Text.Encodings.Web | net6.0 | Direct | 6.0.1 | Transitive | 4.7.2 |
| System.Text.Encodings.Web | netstandard2.0 | Direct | 6.0.1 | Transitive | 4.7.2 |
| System.Text.Encodings.Web | netstandard2.1 | Direct | 6.0.1 | Transitive | 4.7.2 |
| System.Text.Json | net462 | Direct | 6.0.11 | Transitive | 4.7.2 |

AKV

| Package | Target Framework | Previous Dependency Type | Previous Version | Current Dependency Type | Current Version |
|---|---|---|---|---|---|
| System.Buffers | net462 | Direct | 4.5.1 | Direct | 4.6.1 |
| System.Buffers | netstandard2.0 | Direct | 4.5.1 | Direct | 4.6.1 |
| System.Text.Encodings.Web | net462 | Direct | 6.0.1 | Transitive | 4.7.2 |
| System.Text.Encodings.Web | net6.0 | Direct | 6.0.1 | Transitive | 4.7.2 |
| System.Text.Encodings.Web | netstandard2.0 | Direct | 6.0.1 | Transitive | 4.7.2 |

Issues

Resolves #3809.

Testing

  • CI will validate the changes.
  • Manually inspected the full package dependency tree for the driver projects to ensure no major version increments.
  • Manually inspected CI runs to observe that tests are being executed for the expected target frameworks and architectures.
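
The dependency-tree inspection described in the Testing section can be scripted. The following is an added example, not part of the pull request or the project's tooling: it diffs two reports in the JSON shape assumed for `dotnet list package --include-transitive --format json` and labels major-version changes per package and target framework. The function names, the `MDS.csproj` path and the sample reports (built from three rows of the MDS table) are constructed for illustration.

```python
def flatten(report):
    """Map (project, framework, package) -> (dependency type, resolved version).
    Assumed shape: projects[].frameworks[].{topLevelPackages,transitivePackages}."""
    out = {}
    for proj in report.get("projects", []):
        for fw in proj.get("frameworks", []):
            for kind, key in (("Direct", "topLevelPackages"),
                              ("Transitive", "transitivePackages")):
                for pkg in fw.get(key, []):
                    where = (proj["path"], fw["framework"], pkg["id"])
                    out[where] = (kind, pkg["resolvedVersion"])
    return out

def major(version):
    return int(version.split(".")[0])

def diff_reports(before, after):
    """Rows (project, framework, package, old type, old ver, new type, new ver, note)."""
    old, new = flatten(before), flatten(after)
    rows = []
    for key in sorted(old.keys() | new.keys()):
        o, n = old.get(key), new.get(key)
        if o == n:
            continue
        if o is None:
            note, o = "ADDED", ("-", "-")
        elif n is None:
            note, n = "REMOVED", ("-", "-")
        else:
            delta = major(n[1]) - major(o[1])
            note = "MAJOR-UP" if delta > 0 else "MAJOR-DOWN" if delta < 0 else ""
        rows.append((*key, *o, *n, note))
    return rows

def _report(frameworks):
    """Build a constructed report; MDS.csproj is a hypothetical project path."""
    return {"projects": [{"path": "MDS.csproj", "frameworks": [
        {"framework": fw,
         "topLevelPackages": [{"id": i, "resolvedVersion": v} for i, v in top],
         "transitivePackages": [{"id": i, "resolvedVersion": v} for i, v in tr]}
        for fw, top, tr in frameworks]}]}

# Constructed sample data, taken from three rows of the MDS table.
BEFORE = _report([
    ("net462", [("System.Buffers", "4.5.1"), ("System.Text.Json", "6.0.11")], []),
    ("net6.0", [("System.Diagnostics.DiagnosticSource", "6.0.1")], [])])
AFTER = _report([
    ("net462", [("System.Buffers", "4.6.1")], [("System.Text.Json", "4.7.2")]),
    ("net6.0", [], [("System.Diagnostics.DiagnosticSource", "6.0.1")])])
if __name__ == "__main__":
    for row in diff_reports(BEFORE, AFTER):
        print(" | ".join(row))
```

With real data, load the two reports with `json.load` from files captured on the base and head commits and fail the job when any row is labelled `MAJOR-UP`.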

- Updated some dependencies to avoid transitive vulnerabilities.
Copilot AI review requested due to automatic review settings December 10, 2025 11:46
@paulmedynski paulmedynski added this to the 5.1.9 milestone Dec 10, 2025
@paulmedynski paulmedynski linked an issue Dec 10, 2025 that may be closed by this pull request
Contributor

Copilot AI left a comment

Pull request overview

This PR removes unused dependencies and updates some dependency versions across the Microsoft.Data.SqlClient driver and test projects to eliminate transitive vulnerabilities without introducing breaking changes.

Key Changes:

  • Removed unused dependencies (System.Text.Encodings.Web, System.Text.Json, System.Diagnostics.DiagnosticSource, System.Private.Uri, Microsoft.Win32.Registry)
  • Updated test and common dependency versions (e.g., Microsoft.NET.Test.Sdk, Newtonsoft.Json, System.Buffers, Microsoft.Extensions.Hosting)
  • Reorganized and improved comments in Versions.props for better clarity

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| tools/specs/add-ons/Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider.nuspec | Removed System.Text.Encodings.Web dependency from all target frameworks |
| tools/specs/Microsoft.Data.SqlClient.nuspec | Removed multiple unused dependencies across all target frameworks |
| tools/props/Versions.props | Updated dependency versions, removed obsolete version properties, and reorganized comments for clarity |
| src/Microsoft.Data.SqlClient/tests/ManualTests/Microsoft.Data.SqlClient.ManualTesting.Tests.csproj | Removed unused package references |
| src/Microsoft.Data.SqlClient/tests/FunctionalTests/Microsoft.Data.SqlClient.Tests.csproj | Removed unused package references |
| src/Microsoft.Data.SqlClient/netfx/src/Microsoft.Data.SqlClient.csproj | Removed unused package references |
| src/Microsoft.Data.SqlClient/netfx/ref/Microsoft.Data.SqlClient.csproj | Removed unused package references |
| src/Microsoft.Data.SqlClient/netcore/src/Microsoft.Data.SqlClient.csproj | Removed unused package references |
| src/Microsoft.Data.SqlClient/netcore/ref/Microsoft.Data.SqlClient.csproj | Removed unused package references and conditional ItemGroup |
| src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider.csproj | Removed unused package reference |

Contributor Author

@paulmedynski paulmedynski left a comment

Commentary for reviewers.

<SystemTextEncodingsWebVersion>6.0.1</SystemTextEncodingsWebVersion>
<SystemTextJsonVersion>6.0.11</SystemTextJsonVersion>
<MicrosoftIdentityModelProtocolsOpenIdConnectVersion>6.35.0</MicrosoftIdentityModelProtocolsOpenIdConnectVersion>
<SystemBuffersVersion>4.6.1</SystemBuffersVersion>
Contributor Author

Updated from 4.5.1 -> 4.6.1


<!-- MDS NetFx project dependencies -->
<PropertyGroup>
<MicrosoftDataSqlClientSniVersion>5.1.2</MicrosoftDataSqlClientSniVersion>
Contributor Author

Moved from line 26 unchanged.

<SystemBuffersVersion>4.5.1</SystemBuffersVersion>
<SystemTextEncodingsWebVersion>6.0.1</SystemTextEncodingsWebVersion>
<SystemTextJsonVersion>6.0.11</SystemTextJsonVersion>
<MicrosoftIdentityModelProtocolsOpenIdConnectVersion>6.35.0</MicrosoftIdentityModelProtocolsOpenIdConnectVersion>
Contributor Author

Moved from line 32 unchanged.


<!-- MDS NetStandard project dependencies -->
<PropertyGroup>
<MicrosoftWin32RegistryVersion>5.0.0</MicrosoftWin32RegistryVersion>
Contributor Author

Moved from line 40 unchanged.

<PropertyGroup>
<MicrosoftWin32RegistryVersion>5.0.0</MicrosoftWin32RegistryVersion>
<SystemRuntimeLoaderVersion>4.3.0</SystemRuntimeLoaderVersion>
<SystemSecurityCryptographyCngVersion>5.0.0</SystemSecurityCryptographyCngVersion>
Contributor Author

Moved from line 47 unchanged.

<MicrosoftSqlServerServerVersion>1.0.0</MicrosoftSqlServerServerVersion>
<SystemDiagnosticsDiagnosticSourceVersion>6.0.1</SystemDiagnosticsDiagnosticSourceVersion>
<SystemDiagnosticsPerformanceCounterVersion>6.0.1</SystemDiagnosticsPerformanceCounterVersion>
<SystemConfigurationConfigurationManagerVersion>6.0.1</SystemConfigurationConfigurationManagerVersion>
Contributor Author

Moved from line 42 unchanged.


<!-- Common Dependencies - Shared by multiple driver or test projects-->
<PropertyGroup>
<AzureCoreVersion>1.41.0</AzureCoreVersion>
Contributor Author

Moved from line 58 unchanged.

codecov bot commented Dec 10, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.23%. Comparing base (cc5c81a) to head (945a69a).
⚠️ Report is 1 commits behind head on release/5.1.

Additional details and impacted files
@@               Coverage Diff               @@
##           release/5.1    #3838      +/-   ##
===============================================
- Coverage        71.51%   70.23%   -1.29%     
===============================================
  Files              293      293              
  Lines            61928    61931       +3     
===============================================
- Hits             44289    43498     -791     
- Misses           17639    18433     +794     
| Flag | Coverage Δ | |
|---|---|---|
| addons | 92.38% <ø> (ø) | |
| netcore | 74.37% <ø> (-0.66%) | ⬇️ |
| netfx | 68.55% <ø> (-1.36%) | ⬇️ |


@paulmedynski paulmedynski marked this pull request as ready for review December 10, 2025 20:27
@paulmedynski paulmedynski requested a review from a team as a code owner December 10, 2025 20:27
Copilot AI review requested due to automatic review settings December 10, 2025 20:27
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated no new comments.

mdaigle previously approved these changes Dec 11, 2025
Contributor

@mdaigle mdaigle left a comment

It seems like System.Text.Json and System.Text.Encodings.Web were included to override vulnerable versions that were coming in transitively. If we make that type of change in the future, I feel we should add a comment and make the reference TF specific so that it's not accidentally carried forward to other targets. That's most applicable for .NET Framework because most things we need are now included in .NET.

- Removed unnecessary Asn1 package dependency.
mdaigle previously approved these changes Dec 15, 2025
- Fixed incorrectly cased filenames.
- Added CodeQL GitHub workflow.
Copilot AI review requested due to automatic review settings December 15, 2025 18:32
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 18 out of 21 changed files in this pull request and generated 1 comment.

@paulmedynski
Contributor Author

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

mdaigle previously approved these changes Dec 15, 2025
Contributor Author

I brought this over from the newer branches to satisfy our GitHub ruleset config.

</Compile>
<Compile Include="..\..\src\Microsoft\Data\SqlClient\SqlMetadataFactory.cs">
<Link>Microsoft\Data\SqlClient\SqlMetadataFactory.cs</Link>
<Compile Include="..\..\src\Microsoft\Data\SqlClient\SqlMetaDataFactory.cs">
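Review bot: The `<Link>` value shown beside the old `Compile Include` still spells the file `SqlMetadataFactory.cs`, and the lines shown stop at the new `Include` for `SqlMetaDataFactory.cs` before its `<Link>` appears. Please confirm the new entry's `<Link>` uses the same `SqlMetaDataFactory.cs` casing as the file on disk, and consider building this project on a case-sensitive runner in regular CI so a later casing mismatch is caught at build time.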
Contributor Author

A few case-sensitivity changes so the CodeQL workflow can build and scan on Ubuntu.

<Compile Include="$(IntermediateOutputPath)$(GeneratedSourceFileName)" />
</ItemGroup>
<PropertyGroup>
<PowerShellExe>pwsh</PowerShellExe>
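Review bot: `<PowerShellExe>pwsh</PowerShellExe>` sits in a `<PropertyGroup>` with no `Condition` in the lines shown, so every build of this project resolves `pwsh` from PATH, including on Windows machines that only have Windows PowerShell installed. Consider making the value conditional on the OS or overridable from the command line, or documenting `pwsh` as a build prerequisite.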
Contributor Author

More changes for CodeQL on Ubuntu. The GitHub Actions runners have pwsh installed by default.

@@ -0,0 +1,5 @@
{
"sdk": {
"version": "8.0.416"
Contributor Author

The .NET 6 SDK is EOL and difficult to install locally for devs, so I chose the nearest supported one. Note that some parts of the CI pipeline are already using .NET 10 SDK to build, so this is actually closer to .NET 6 than some of our existing jobs.

@paulmedynski
Contributor Author

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

benrr101 previously approved these changes Dec 15, 2025
@paulmedynski
Contributor Author

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

Copilot AI review requested due to automatic review settings December 16, 2025 11:18
@paulmedynski paulmedynski dismissed stale reviews from benrr101 and mdaigle via e64eed9 December 16, 2025 11:18
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 23 out of 26 changed files in this pull request and generated 3 comments.

System.Data.IDataReader System.Data.IDataRecord.GetData(int i) { throw null; }
}
/// <include file='../../../../doc/snippets/Microsoft.Data.SqlClient/SQLDebugging.xml' path='docs/members[@name="SQLDebugging"]/SQLDebugging/*'/>
/// <include file='../../../../doc/snippets/Microsoft.Data.SqlClient/SqlDebugging.xml' path='docs/members[@name="SqlDebugging"]/SqlDebugging/*'/>
Copilot AI Dec 16, 2025

The XPath reference uses 'SqlDebugging' but the XML documentation file defines the members with name='SQLDebugging' (all caps SQL). The path should be docs/members[@name="SQLDebugging"]/SQLDebugging/* to match the actual element name in the XML file.

Copilot uses AI. Check for mistakes.
public sealed partial class SQLDebugging
{
/// <include file='../../../../doc/snippets/Microsoft.Data.SqlClient/SQLDebugging.xml' path='docs/members[@name="SQLDebugging"]/ctor/*'/>
/// <include file='../../../../doc/snippets/Microsoft.Data.SqlClient/SqlDebugging.xml' path='docs/members[@name="SqlDebugging"]/ctor/*'/>
Copilot AI Dec 16, 2025

The XPath reference uses 'SqlDebugging' but the XML documentation file defines the members with name='SQLDebugging' (all caps SQL). The path should be docs/members[@name="SQLDebugging"]/ctor/* to match the actual element name in the XML file.

// or the iid for the ISQLDebug interface
//
/// <include file='../../../../../../../doc/snippets/Microsoft.Data.SqlClient/SqlDebugging.xml' path='docs/members[@name="SQLDebugging"]/SQLDebugging/*'/>
/// <include file='../../../../../../../doc/snippets/Microsoft.Data.SqlClient/SqlDebugging.xml' path='docs/members[@name="SqlDebugging"]/SqlDebugging/*'/>
Copilot AI Dec 16, 2025

The XPath reference uses 'SqlDebugging' but the XML documentation file defines the members with name='SQLDebugging' (all caps SQL). The path should be docs/members[@name="SQLDebugging"]/SQLDebugging/* to match the actual element name in the XML file.

Development

Successfully merging this pull request may close these issues.

[5.1] Remove unused dependencies
