Microsoft.JavaScript.UnitTest references a vulnerable NewtonSoft.Json package

[lennybacon]

I use the package Microsoft.JavaScript.UnitTest 1.5.10610.1 is a C# project (ASP.NET) to run typescript tests.

The build and Visual Studio warn me about a vulnerable NewtonSoft.Json package.

NU1903	Package 'Newtonsoft.Json' 12.0.2 has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr	

As a workaround i installed Newtonsoft.Json 13.0.3 but I do my serialization using System.Text.Json.

So it would be nice to have a dependency update and a newly published package of Microsoft.JavaScript.UnitTest.

[joj]

Hi! I would like to understand your scenario. That package shouldn't be needed anymore, was always in beta and hasn't been updated in years. Also, you can install 13.0.3 manually, that should fix the issue.

[lennybacon]

I have been following this guide from 11/23/2023 to write unit tests for ASP.NET Core.

In the Browse tab, search for the following packages and install each one:

Microsoft.TypeScript.MSBuild
Npm
Microsoft.JavaScript.UnitTest

This is how the dependency came in.

After your message I removed both dependencies. Reopened VS, built and tested. Then an Issue came up. Every 2nd build (reproducable) there is an error that pops up and none of the TypeScript files get compiled and copied to wwwroot/js:

8>C:\Program Files\dotnet\sdk\9.0.100\Sdks\Microsoft.NET.Sdk.StaticWebAssets\targets\Microsoft.NET.Sdk.StaticWebAssets.targets(662,5): error : System.InvalidOperationException: No file exists for the asset at either location 'wwwroot\js\Colors.js' or 'wwwroot\js\Colors.js'.
8>C:\Program Files\dotnet\sdk\9.0.100\Sdks\Microsoft.NET.Sdk.StaticWebAssets\targets\Microsoft.NET.Sdk.StaticWebAssets.targets(662,5): error :    at Microsoft.AspNetCore.StaticWebAssets.Tasks.StaticWebAsset.ComputeFingerprintAndIntegrity(String identity, String originalItemSpec)
8>C:\Program Files\dotnet\sdk\9.0.100\Sdks\Microsoft.NET.Sdk.StaticWebAssets\targets\Microsoft.NET.Sdk.StaticWebAssets.targets(662,5): error :    at Microsoft.AspNetCore.StaticWebAssets.Tasks.DefineStaticWebAssets.Execute()

A rebuild makes it good again. Another rebuild after fails. And so on.

The successful build produces files in CompileTypeScriptWithTSConfig, while the failed one calls TypeScriptBuildModeClean.

A deterministic build would be great.

How do I add TypeScript with unit tests to a C# Project?

[joj]

You do need the TypeScript nuget. You shouldn't need the test nuget. If you're getting an error in CompileTypeScriptWithTSConfig I'm assuming you have that one, though. The issue in the error seems to be that file (colos.js) either not compiled or not copied to the right location before it runs.

[lennybacon]

You do need the TypeScript nuget. You shouldn't need the test nuget. If you're getting an error in CompileTypeScriptWithTSConfig I'm assuming you have that one, though. The issue in the error seems to be that file (colos.js) either not compiled or not copied to the right location before it runs.

As I‘ve written, every 2nd Build fails as soon as the dependency is removed. If Ir re-add it ever build is successful. This is reproducible.

The successful build has a target called CompileTypeScriptWithTSConfig, that produces the js-files. This target is not called in the second/failing build.

The failing build instead has a target named TypeScriptBuildModeClean which calls tsc --clean --build. Calling this on the command line results in no output. When dropping the clean argument, I get an info, that a file is missing (buildinfo or smth - I’m not on the machine atm) and then the files are created.

There is seriously smth weird going on…

so the question remains: what’s the how-to, to have TS with unit tests in an cs aspnet core 9 project?

[safacero]

Hi Lenny, we're finding it odd because it should work out of the box, may I ask you for binlogs so we can take a closer look at your situation? You can look here https://learn.microsoft.com/en-us/visualstudio/ide/msbuild-logs?view=vs-2022#capture-binary-logs-for-command-line-builds for more information on how to collect it. After that, please send us the '.binlog'.

Let me know if you have any problems with the steps above.
Thank you so much for your time and patience! 😄