Vulnerability in EPiServer.Forms
I have developed an add-on following the steps in this blog post: Add-Ons development environment
When I try to install the add-on on a sample episerver commerce site (v 7.5) using manual upload, the installation fails with error message:
InvalidOperationException: EPiServer.Packaging.Exceptions.PackagingException: There are assemblies installed with add-ons present in the main 'bin' directory. Please check the log for details.
The log states:
ERROR EPiServer.Packaging.SitePackageManager: Aborting operation. The following add-on assemblies exist in the main 'bin' directory: C:\EPiServer\CommerceSample\wwwroot\bin\EPiServer.UI.dll
The add-on project has references to the EPiServer.UI.dll (among others), but the reference is added with copy local = false, as described in the blog post by Sergii. The referenced EPiServer dlls are not part of the module output.
How can I get around this issue?
See also: Related forum post
Did you specify EPiServer as a dependency in your .nuspec file?
Yes, I have.
This has happened to me from time to time, however, I couldn't catch it when exactly, but a bit nasty workaround was to delete the dll in question from bin and install the add-on.
Are version numbers of referenced dll and existing dll in main bin dir the same?
Yes, the version numbers are the same. (On a side note: That should not matter - you should be able to create a module in one version, and it should still work with newer version using assembly redirects).
I would assume since the dlls have copy local = false and that they are not part of the nuget package, the add-on installer should not try to add them to the bin folder?
I think that even if the dll's are set to copy local in your project, when you add a dependency in a nuget package it will also install that package and copy the dll's from that package to the modules bin. I know that in the packages.config you can add developmentDependency="true" to exclude the dependency to be included in the nuspec file. Am not sure, but I think the same attribute can be added to the nuspec dependencies, which might have the same effect when installing the add-on.
I tried adding true to the nuspec file, but that did not help, I'm afraid.
I have added the dlls as references (using a reference folder), not nuget. I will try to use nuget packages instead, to see if that makes a difference.
According to the error message you might have EPiServer.UI.dll in your add-on package \lib folder. Could you check this by extracting the add-ons .nupkg file with any zip unarchiver?
The EPiServer.UI.dll is not part of the \lib folder. \lib only contains one dll which is the dll from my project.
Ok, could you please share the list of dependencies specified in the add-ons .nuspec?
In the Add-Ons dependencies only prerequisite assemblies or other Add-Ons can be specified. Regular NuGet packages can’t be used as a dependencies with Add-Ons. In your dependencies list the EPiServer.CMS.UI.Core and EPiServer.Commerce.Core are IDs of NuGet packages, that can’t be fulfilled during Add-On installation. If you want to make sure that your Add-On is installable only if the specified NuGet package is present on the site, you need to specify an assembly name and version from that NuGet package as a dependency.
Could you please, try to remove the last two dependencies, build a new package and try to install it?
Thanks, I'll do some more testing on Monday and will get back to you.
@Sergii I have tested on two different sites (both 7.5 commerce demo isites). It works on one, and fails on the other. I'll try to install a new demo site and test on that one.
@Sergi: I finally have it working. The problem was that my demo site had the EPiServer.UI.dll in the modulesbin folder (I have no idea how it got there).After removing it, the installation worked as expected.