Improperly authored NuGet package: Microsoft.Identity.Client.NativeInterop #5019

Open
KirillOsenkov opened this issue Dec 13, 2024 · 4 comments

KirillOsenkov commented Dec 13, 2024

Microsoft.Identity.Client.NativeInterop is a package that keeps giving us surprises in our build.

Similar to this bug: #4832

There's another unwanted side-effect. When we add a package reference to Microsoft.Identity.Client.Broker and then build our project with /t:Pack so that it generates a nupkg, our nupkg ends up with three additional files in it:
msalruntime.dll, msalruntime_arm64.dll and msalruntime_x86.dll

image

Sample .csproj:

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net472</TargetFramework>
    <DebugType>embedded</DebugType>
    <LangVersion>latest</LangVersion>
    <OutputType>Exe</OutputType>
    <GeneratePackageOnBuild>True</GeneratePackageOnBuild>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Microsoft.NetFramework.ReferenceAssemblies" Version="1.0.3" />
    <PackageReference Include="Microsoft.Identity.Client.Broker" Version="4.66.2" />
  </ItemGroup>

</Project>
@ashok672
Contributor

Microsoft.Identity.Client.Broker depends on the Microsoft.Identity.Client.NativeInterop package, which has the msalruntime.dlls that you see in the screenshot.

@KirillOsenkov
Author

I know; the bug is that those native assemblies shouldn't get packed as content or contentFiles when I pack my own package.

@ashok672
Contributor

I am not sure how this happens. Our nuspec file for nativeinterop is pretty standard. Can you tell us the impact of this issue?

@KirillOsenkov
Author

The impact is that anyone who depends on Broker and packs their NuGet will silently ship incorrect NuGets that will break production.

Please follow up with the NuGet team and show them this issue in case there are any doubts.

This is very serious and I fear the team does not currently understand the implications.
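
A CI check for the symptom reported in this thread, as an added example that is not part of the original issue or the MSAL project's code: it opens a packed .nupkg (a zip archive) and lists any PE binary that landed under content/ or contentFiles/, which generalizes the check beyond the three msalruntime file names. The function names and the entry paths in the sample archive are constructed assumptions, since the screenshot from the issue is not available here.

```python
import io
import sys
import zipfile

# Package folders named in the issue ("packed as content or contentFiles").
CONTENT_ROOTS = ("content/", "contentfiles/")


def find_stray_binaries(nupkg):
    """Return sorted entry names of PE binaries under content/ or contentFiles/.

    nupkg is a path or a binary file-like object.
    """
    hits = []
    with zipfile.ZipFile(nupkg) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.replace("\\", "/")
            if not name.lower().startswith(CONTENT_ROOTS):
                continue
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":  # DOS/PE header magic
                    hits.append(name)
    return sorted(hits)


def build_sample_nupkg(entries):
    """Build an in-memory archive from {entry name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


PE_STUB = b"MZ" + b"\x00" * 62  # constructed stand-in for a DLL, not a real binary
SAMPLE = {  # constructed layout; real paths inside the affected nupkg may differ
    "MyTool.nuspec": b"<package/>",
    "lib/net472/MyTool.exe": PE_STUB,  # expected location, not flagged
    "content/readme.txt": b"plain text",
    "content/msalruntime.dll": PE_STUB,
    "content/msalruntime_arm64.dll": PE_STUB,
    "contentFiles/any/net472/msalruntime_x86.dll": PE_STUB,
}

if __name__ == "__main__":
    found = find_stray_binaries(sys.argv[1] if len(sys.argv) > 1 else build_sample_nupkg(SAMPLE))
    print("\n".join(found) or "no binaries under content/ or contentFiles/")
    sys.exit(1 if found else 0)
```

Run against the .nupkg produced by /t:Pack, a non-zero exit code fails the build before the package is published.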
