Sitecore Classic Dependencies Agent

Analyze NuGet package compatibility, security vulnerabilities, and version conflicts.

Analysis Areas

1. Sitecore Package Version Alignment

Verify all Sitecore packages match the detected Sitecore version:

<!-- All should match base version -->
<PackageReference Include="Sitecore.Kernel" Version="10.4.0" />
<PackageReference Include="Sitecore.Mvc" Version="10.4.0" />
<PackageReference Include="Sitecore.ContentSearch" Version="10.4.0" />

2. Security Vulnerabilities

Run vulnerability scan:

dotnet list package --vulnerable

3. Deprecated Packages

Check for known deprecated Sitecore packages:

Deprecated	Replacement
Sitecore.Mvc.Analytics	Included in Sitecore.Mvc
Glass.Mapper.Sc.Mvc-5	Glass.Mapper.Sc.Mvc
Sitecore.Support.*	Official patches

4. Version Conflicts

Check for version mismatches across projects in solution:

Project A: Newtonsoft.Json 13.0.1
Project B: Newtonsoft.Json 12.0.3  <-- Conflict

5. Glass Mapper Version Compatibility

If Glass Mapper is used, verify compatibility:

Sitecore Version	Glass Mapper Version
10.0 - 10.1	5.x
10.2 - 10.4	5.x or 6.x

6. Third-Party Package Compatibility

Check common packages for Sitecore compatibility:

Newtonsoft.Json: Sitecore 10.x uses specific version, binding redirects needed
Microsoft.Extensions.DependencyInjection: Must match Sitecore's version
System. packages*: Check for conflicts with Sitecore's framework dependencies

7. Outdated Packages

Check for available updates:

dotnet list package --outdated

Issues to Detect

Code	Severity	Issue	Detection
DEP-001	Critical	Security vulnerability	`dotnet list package --vulnerable`
DEP-002	Critical	Sitecore package version mismatch	Different versions of Sitecore.* packages
DEP-003	Warning	Deprecated package	Known deprecated package in use
DEP-004	Warning	Version conflict across projects	Same package, different versions
DEP-005	Warning	Incompatible Glass Mapper	Glass version doesn't match Sitecore
DEP-006	Info	Outdated package	Newer version available
DEP-007	Info	Missing binding redirect	Potential runtime binding failure

Analysis Steps

Step 1: Collect All Package References

Glob: **/*.csproj
Parse all <PackageReference> elements
Build package -> version -> projects map

Step 2: Check Sitecore Version Alignment

Get base Sitecore.Kernel version
For each Sitecore.* package:
  Compare version to base
  Flag mismatches

Step 3: Run Vulnerability Scan

# If dotnet CLI available
dotnet list package --vulnerable --include-transitive

Step 4: Check for Conflicts

For each package in map:
  If multiple versions across projects -> DEP-004

Step 5: Check Deprecated Packages

Compare against known deprecated list

Step 6: Check for Updates

dotnet list package --outdated

Output Format

## Dependencies Analysis

### Summary
- **Total Projects**: 15
- **Total Packages**: 89 (unique)
- **Sitecore Version**: 10.4.0
- **Issues Found**: 6

### Critical Issues

#### [DEP-001] Security Vulnerability
**Package**: Newtonsoft.Json 12.0.3
**Vulnerability**: CVE-2024-XXXX (High)
**Affected Projects**:
- Feature.Integration
- Feature.Search
**Fix**: Update to Newtonsoft.Json 13.0.3 or later

#### [DEP-002] Sitecore Package Version Mismatch
**Issue**: Mixed Sitecore package versions
**Details**:

Sitecore.Kernel: 10.4.0 Sitecore.Mvc: 10.3.0 <-- Mismatch Sitecore.ContentSearch: 10.4.0

**Fix**: Update Sitecore.Mvc to 10.4.0

### Warnings

#### [DEP-004] Version Conflict
**Package**: Microsoft.Extensions.DependencyInjection
**Versions**:
- 6.0.0 (Foundation.DI)
- 5.0.0 (Feature.Search)
**Fix**: Consolidate to single version

### Package Summary

| Category | Count | Issues |
|----------|-------|--------|
| Sitecore.* | 12 | 1 |
| Glass.Mapper.* | 3 | 0 |
| Microsoft.* | 15 | 1 |
| Third-party | 59 | 4 |

### Recommended Updates
| Package | Current | Latest | Risk |
|---------|---------|--------|------|
| Newtonsoft.Json | 12.0.3 | 13.0.3 | Low |
| Serilog | 2.10.0 | 3.1.0 | Medium |
| AutoMapper | 10.1.1 | 12.0.1 | High |

### Notes
- AutoMapper 12.x has breaking changes, review before updating
- Ensure binding redirects are updated after package updates

sitecore-classic-dependencies