
son.nguyen  -  CMS
Aug 17, 2023

Change in package structure in CMS Core 12.17.0

Motivation

As of today, EPiServer.CMS.Core relies on SixLabors ImageSharp v2 for image manipulation under the hood. Quite a few WEBP issues have been raised lately, and they have their root in this library. To fix them, we need to upgrade the library to v3, but there are binary-incompatible changes between v2 and v3. For partners who also use ImageSharp v2 directly in their code base, this upgrade could be a breaking change.

Solution

We move the image service's implementation to a separate package, EPiServer.ImageLibrary.ImageSharp, and release it independently from CMS Core. There are two major versions of the package: v1 depends on ImageSharp v2, and v2 depends on ImageSharp v3. You are encouraged to use EPiServer.ImageLibrary.ImageSharp v2 unless the ImageSharp API is consumed directly in your code.

What needs to be done

1. For projects with EPiServer.CMS umbrella package reference

Once EPiServer.CMS 12.23.0, which references EPiServer.CMS.Core 12.17.0, is out, just update the umbrella package and you are done. The WEBP issues will be fixed by updating EPiServer.ImageLibrary.ImageSharp:

<PackageReference Include="EPiServer.ImageLibrary.ImageSharp" Version="2.0.1" /> 

If you are on EPiServer.CMS 12.22.x and below and still want to fix WEBP issues, include these package references: 

<PackageReference Include="EPiServer.ImageLibrary.ImageSharp" Version="2.0.1" />
<PackageReference Include="EPiServer.Hosting" Version="12.17.0" />
<PackageReference Include="EPiServer.CMS.AspNetCore.TagHelpers" Version="12.17.0" />
<PackageReference Include="EPiServer.CMS.AspNetCore.HtmlHelpers" Version="12.17.0" />

2. For projects with a direct reference to CMS Core, i.e. without EPiServer.CMS installed

Besides upgrading CMS Core to v12.17.0 and above, you also need an additional reference:

<PackageReference Include="EPiServer.ImageLibrary.ImageSharp" Version="1.0.0" />

Missing this package would cause an exception to be thrown on startup, saying, "It needs to either update 'EPiServer.CMS' package to the latest version, which has dependency on 'EPiServer.ImageLibrary.ImageSharp' package, or install 'EPiServer.ImageLibrary.ImageSharp' package directly into your project."


Comments

Vladimir Vedeneev Aug 17, 2023 10:07 AM

What about license change in ImageSharp v3?

Unlike v2, it is not "free" anymore.

So if we consume v3 through EPiServer dependency - can we use it without separate license for the ImageSharp v3?

Vladimir Vedeneev Aug 17, 2023 10:12 AM

Specifically, reading here https://github.com/SixLabors/ImageSharp/blob/main/LICENSE

Works in Source or Object form are licensed to You under the Apache License, Version 2.0 if.

...

- You are consuming the Work as a Transitive Package Dependency.

So if we pay for DXP and have a transitive reference to ImageSharp v3 through episerver libraries - we are granted the license by Optimizely?

Magnus Rahl Aug 17, 2023 11:05 AM

It will be a transitive dependency. For Optimizely it is a direct dependency, and we have obtained a commercial license to cover this.

Karol Berezicki Sep 3, 2023 05:48 PM

Hello,

Will you keep the EPiServer.ImageLibrary.ImageSharp aligned with ImageSharp releases?
ImageSharp has released 3.0.1 and 3.0.2, which contain bugfixes and a security patch respectively, but EPiServer.ImageLibrary.ImageSharp in version 2.0.1 resolves to ImageSharp 3.0.0.

Of course, it is possible to install ImageSharp in v3.0.2 directly, but it will no longer be a transitive dependency.

Karl-Johan Sjögren Sep 5, 2023 07:47 AM

@MagnusRahl

You are encouraged to use v2 unless ImageSharp API is consumed directly in your code.

Is this because of licensing or the breaking changes? We use ImageSharp directly to resize some images in a background job, would that case still be covered under your license if we got the ImageSharp library through EPiServer.ImageLibrary.ImageSharp?

/ Karl-Johan

Magnus Rahl Sep 5, 2023 09:37 AM

@Karol This is a grey area and I am not a lawyer... I think the intent of the transitive dependency clause would permit you to reference it directly if you do it only to force the nuget dependency resolution. Perhaps using central package management is a way to get out of that grey area, I haven't tested.

@Karl-Johan I wonder if that sentence is actually a typo, that you are encouraged to use v3 unless you call the API directly. It is more reasonable to keep v2 if you actually call it, both from a breaking changes perspective and from a licensing perspective. Calling the API directly might put you at "risk" of having to carry your own license.

Sep 5, 2023 11:01 AM

@Karol: In addition to Magnus' answer with central package management, that would be possible with transitive pinning enabled.

@Magnus: Updated to make it less confused.

Magnus Rahl Sep 5, 2023 11:13 AM

@Son, thanks for the clarification, it makes sense now that it is clear which package the version refers to. And yes, transitive pinning is what I had in mind.

Karol Berezicki Sep 5, 2023 12:26 PM

Hi Magnus Rahl and Son Dinh Nguyen,

Thanks for the response and suggestion, I'll try the transitive pinning.
However, while it may work for me, not every project will use the CPM, and probably, not everybody will be aware, that there may be some bug or exploit in ImageSharp that should be patched using transitive pinning - that's why I've asked if the package will keep up with ImageSharp releases.
I'm not a lawyer either, but I think installing the package directly will count as direct dependency.

Karol Berezicki Sep 19, 2023 08:05 PM

I've tested the transitive pinning, and in fact it does work, but currently only in Visual Studio.
For Rider users - unfortunately there's a bug and package is not resolved correctly, see: https://youtrack.jetbrains.com/issue/RIDER-87411

Sep 20, 2023 06:44 AM

Transitive pinning support was shipped with .NET SDK 6.0.300, so that shouldn't be an issue with dotnet build. For JetBrains Rider, I had to change restore engine to Console as a workaround (go to Settings > Build, Execution, Deployment > NuGet > Restore).

Karol Berezicki Sep 20, 2023 07:53 PM

Hi Son Dinh Nguyen,

Thanks for the tip with workaround - it worked :) 
I'll relay this info to the Rider YouTrack, might help somebody :)
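
A check related to the discussion above, as an added example that is not part of the original post or of Optimizely's code: it reads a NuGet packages.lock.json and reports which SixLabors.ImageSharp version each target framework actually resolved and the dependency type the lock file records, flagging anything below the 3.0.2 release mentioned in the comments. It assumes lock files are enabled for the project; the sample lock file is constructed and the function names are hypothetical.

```python
import json

# Constructed sample of a NuGet packages.lock.json (not from a real project).
SAMPLE_LOCK = """
{
  "version": 1,
  "dependencies": {
    "net6.0": {
      "EPiServer.ImageLibrary.ImageSharp": {
        "type": "Direct", "requested": "[2.0.1, )", "resolved": "2.0.1"
      },
      "SixLabors.ImageSharp": {
        "type": "Transitive", "resolved": "3.0.0"
      }
    }
  }
}
"""

def parse_version(text):
    """Numeric core of a version string; prerelease/build suffixes are ignored."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))

def audit_lock(lock_text, package, minimum):
    """Return one finding per target framework where `package` was resolved."""
    lock = json.loads(lock_text)
    findings = []
    for framework, deps in lock.get("dependencies", {}).items():
        for name, entry in deps.items():
            # NuGet package ids are case-insensitive; skip entries that
            # carry no resolved version.
            if name.lower() != package.lower() or "resolved" not in entry:
                continue
            resolved = entry["resolved"]
            findings.append({
                "framework": framework,
                "resolved": resolved,
                "type": entry.get("type"),
                "outdated": parse_version(resolved) < parse_version(minimum),
            })
    return findings

if __name__ == "__main__":
    for f in audit_lock(SAMPLE_LOCK, "SixLabors.ImageSharp", "3.0.2"):
        status = "BELOW MINIMUM" if f["outdated"] else "ok"
        print(f"{f['framework']}: {f['resolved']} ({f['type']}) {status}")
```

Run in CI against each project's lock file, a check like this makes a stale transitive ImageSharp visible even to teams that have not yet adopted central package management.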
