August 9

Moq phoning home with/to SponsorLink? What to do about it.

Hopefully you've heard about the latest changes to a popular Open Source Software Project used by the .NET ecosystem. No? Well here is some reading material:

Does Moq in it's latest version extract and send my email to the cloud via SponsorLink?
byu/DinglDanglBob indotnet

This issue in Moq's GitHub repo has more information as well.

https://github.com/moq/moq/issues/1372

Ok...so how do you handle this? I'm sure most of us out there in the world have other projects in flight and don't want to end up accidently pulling in this problematic NuGet package. Most clients/project managers/projects don't respond well to having to stop active development on a dime just to refactor a bunch of test code. So what do we do? Microsoft has us covered in this scenario. In this case we only want to allow Moq v4.18.4. We will come back later on when we have time to refactor/replace Moq. Let's consult the docs shall we?

In the beginning we see that we have Moq v4.18.4 installed and there is an update to v4.20.2.

We need to go through our solution and replace each PackageReference for Moq in each project that uses it. So we're going from this:

<PackageReference Include="Moq" Version="4.18.4" />

to this:

<PackageReference Include="Moq" Version="[4.18.4]" />
After changing all the PackageReferences for Moq in the solution, you'll notice that the package is no longer showing up in the Updates tab.

Is this foolproof? No, you can still update the Moq package. By removing the option in the Updates tab, you will have removed the temptation to update it.

Tags:
Copyright 2023. All rights reserved.

Posted August 9, 2023 by codegorilla in category ".NET", "unit testing