Twilio.AspNet.Core needs updating

[brckelly]

Twilio.AspNet.Core is out of date in a few different ways:

1. Targets unsupported .NET versions (6 and 7). Please update to 8 and 9.
2. References package with vulnerabilities indirectly. Twilio references System.IdentityModel.Tokens.Jwt (v6.19.0). This should be updated to the latest.

[MostHostLA]

@dprothero @Swimburger
Any considerations on this - particularly for core 9 distribution.
It'll probably work as things stand, but there are KNOWN vulnerabilities that have never been addressed (in months).

[Swimburger]

There are no active maintainers for this repo. I no longer have write access to this repo as I don't work for Twilio anymore.
@dprothero assuming you're still working for Twilio, can we find someone to maintain this, or give me write access?

[dprothero]

I can approve any PRs that look reasonable. I will shop this around inside Twilio to see if someone wants to look into maintaining it.

[sgobiraj]

If Twilio is not willing to support it then they should stop using this project in their examples like here: https://www.twilio.com/docs/messaging/tutorials/how-to-receive-and-reply/csharp

[MostHostLA]

It's worse than that;
This is used by paying clients on a paid service, and it has gotten 0 support or updates in ages, making it a risk due to known vulnerabilities and a literal waste of money paid to them to use the service.
I for one will not be paying my bill anymore...

[dprothero]

Thanks for the feedback @sgobiraj and @MostHostLA. I found some .NET folks here that are willing to look at this specific issue to try to address it. As for the larger support issue, I am opening a risk ticket internally so that leadership is aware. You're right that we need to do a better job of supporting you, even if it's supplying "stock" ASP.NET code examples as opposed to relying on an unsupported library.

[MostHostLA]

I would love not having to rely on the baked in library if at all possible.
Unfortunately I don't think the twilio 2fa sms system takes regular SOAP like posts (then again I never did look up what the code does internally, and I probably should to extricate my self from the unmaintained code)...

[ltctech]

Dependency injection is also broken with the main Twilio library:
twilio/twilio-csharp#768

[dprothero]

Dependency injection is also broken with the main Twilio library: twilio/twilio-csharp#768

That library is supported (everything in twilio GitHub org is officially supported, whereas this org, twilio-labs, is not.) I am sure the team has that one on their radar, but I have given them a gentle reminder as well.

[Swimburger]

DI is added through this library, so not officially supported by Twilio, but it was Twilio that introduced a breaking change again.

[AJLange]

Thank you @Swimburger for the new PR. We've gone ahead and pushed the update. We'll keep an eye on maintaining this repo on our end!

[MostHostLA]

@AJLange
I believe the update hasn't released yet; Regadless:

Can you also make sure to flag the correct .net stuff for it?
It's now missing both .net8.0 dependencies, and obviously .net9.0 dependencies.

Additionally somehow the links from within visual studio (for core6) link back to .net framework stuff from before .net6.0 was a thing, and I'm really not sure how that's even possible short of having set up the distribution for it incorrectly somehow.

[Swimburger]

@MostHostLA I'm not sure what you mean by this.

The source code as is (not released) drops .NET 6, keeps .NET 7 (we should probably remove 7), adds .NET 8 and .NET 9.

The Twilio.AspNet.Core can only be installed on ASP.NET Core, and Twilio.AspNet.Mvc can only be installed on ASP.NET on .NET Framework.

What dependencies is it missing?

[AJLange]

@MostHostLA With the new release, we should be up to date. If there's anything you still see missing let us know.

[Swimburger]

I think this issue can be closed now!