[FEATURE REQ] Document which azure-identity dependencies are optional #18733
Labels
Azure.Identity
Client: This issue points to a problem in the data-plane of the library.
customer-reported: Issues that are reported by GitHub users external to the Azure organization.
Docs
question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that
Is your feature request related to a problem? Please describe.
The current `azure-identity` artifact has some dependencies which will typically only be used at build time. For instance, there is a dependency on `org.linguafranca.pwdb:KeePassJava2`, which is used by the `IntelliJCredential` implementation. For our production deployment we don't want to pull in this dependency. One reason is that it transitively depends on `org.simpleframework:simple-xml:jar:2.7.1`, which has a CVE (see https://nvd.nist.gov/vuln/detail/CVE-2017-1000190). But it also pulls in some other heavy-weight dependencies.

The same may be true for other implementations like `VisualStudioCodeCredential`.

Describe the solution you'd like
At the very least I would like the documentation to describe which dependencies are only tied to specific non-essential features (like for example `IntelliJCredential`) and that it is safe to exclude them if this feature is not required. Also it should be documented how to exclude the dependencies.

Describe alternatives you've considered
Alternatives would be to declare the dependencies as optional and document that they must be provided by the client application.
Yet another possibility would be to provide separate Maven artifacts for the various use cases.
Information Checklist
Kindly make sure that you have added all the following information above and check off the required fields, otherwise we will treat the issuer as an incomplete report
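Added example, not part of the original issue or of the Azure SDK: a small Python check that reads `mvn dependency:tree` text output and reports which direct dependency and which parent artifact bring a flagged library such as `simple-xml` onto the classpath. The function names are hypothetical, and the sample tree is constructed and simplified; every version except simple-xml 2.7.1 (named in the issue) is a placeholder.

```python
import re

# Constructed sample of `mvn dependency:tree` output. Versions shown as X.Y.Z
# are placeholders; intermediate artifacts are omitted for brevity.
SAMPLE_TREE = r"""
[INFO] com.example:my-service:jar:X.Y.Z
[INFO] +- com.azure:azure-identity:jar:X.Y.Z:compile
[INFO] |  +- com.azure:azure-core:jar:X.Y.Z:compile
[INFO] |  +- com.microsoft.azure:msal4j:jar:X.Y.Z:compile
[INFO] |  \- org.linguafranca.pwdb:KeePassJava2:jar:X.Y.Z:compile
[INFO] |     \- org.simpleframework:simple-xml:jar:2.7.1:compile
[INFO] \- org.slf4j:slf4j-api:jar:X.Y.Z:compile
"""

# Each nesting level is three characters wide: "|  " or "   " for ancestors,
# then "+- " or "\- " in front of the node itself.
NODE = re.compile(
    r"^\[INFO\] ((?:\|  |   )*(?:[+\\]- )?)([^\s:]+(?::[^\s:]+){2,5})$"
)

def parse_tree(text):
    """Yield (depth, coordinate) for every node line; other log lines are skipped."""
    for line in text.splitlines():
        m = NODE.match(line.rstrip())
        if m:
            yield len(m.group(1)) // 3, m.group(2)

def paths_to(text, group_artifact):
    """Return every root-to-node chain that ends at groupId:artifactId."""
    stack, hits = [], []
    for depth, coord in parse_tree(text):
        del stack[depth:]          # drop siblings and deeper nodes
        stack.append(coord)
        if coord.startswith(group_artifact + ":"):
            hits.append(list(stack))
    return hits

def introduced_by(text, group_artifact):
    """Return sorted (direct dependency, immediate parent) pairs for the artifact."""
    def ga(coord):
        return ":".join(coord.split(":")[:2])
    return sorted({(ga(p[1]), ga(p[-2]))
                   for p in paths_to(text, group_artifact) if len(p) >= 3})

if __name__ == "__main__":
    for direct, parent in introduced_by(SAMPLE_TREE, "org.simpleframework:simple-xml"):
        print(f"simple-xml arrives via {direct} <- {parent}")
```

Run against a real build's tree output, the reported pair tells you which declared dependency to review before deciding on an exclusion.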