Contributor

@OsmanMElsayed OsmanMElsayed commented Oct 29, 2025

Description

What problem is being solved?

#143

How is it being solved?

  • Lowered the minimum required version of the System.* packages to 8.* to allow for a broader set of consumers
  • Removed unnecessary dependencies to avoid unnecessary dependency conflicts

References

Review Checklist

  • I have clicked on "allow edits by maintainers".
  • I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
  • The correct base branch is being used, if not main
  • I have added tests to validate that the change in functionality is working as expected

Summary by CodeRabbit

  • Chores
    • Updated package dependencies and versions for non-.NET 8 framework targets to optimize compatibility and support across different .NET versions.

@OsmanMElsayed OsmanMElsayed requested a review from a team as a code owner October 29, 2025 21:46
Copilot AI review requested due to automatic review settings October 29, 2025 21:46
coderabbitai bot commented Oct 29, 2025

Walkthrough

The PR updates the project file to lower System.* package versions for non-.NET 8 targets (from 9.x to 8.x) and removes unnecessary dependencies like Microsoft.Bcl.AsyncInterfaces, addressing overly restrictive version requirements that caused compatibility issues in consuming applications.

Changes

Cohort / File(s) | Summary
Package Dependencies Update (src/OpenFga.Sdk/OpenFga.Sdk.csproj) | Removes common package references ItemGroup; updates conditional package references for non-.NET 8 targets by lowering System.Diagnostics.DiagnosticSource from 9.x to 8.x, downgrading System.Net.Http.Json and System.Text.Json versions, adding System.ComponentModel.Annotations, and removing Microsoft.Bcl.AsyncInterfaces

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Suggested reviewers

  • evansims
  • ewanharris

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check | ✅ Passed | The title "fix: lower the min version of system.* dependencies and cleaned up unnecessary ones" directly and accurately summarizes the main changes in the pull request. The changeset focuses on updating the OpenFga.Sdk.csproj file to lower System.* package versions from 9.x to 8.x and removing unnecessary packages like Microsoft.Bcl.AsyncInterfaces. The title is concise, clear, and specific enough for teammates to understand the primary intent without being vague or misleading.
Linked Issues Check | ✅ Passed | The pull request addresses the core objectives from linked issue #143. The changes lower System.* package versions from 9.x to 8.x as required, enabling better compatibility with consuming applications. The modifications also remove unnecessary dependencies, specifically Microsoft.Bcl.AsyncInterfaces, which was identified as problematic in the issue. The updates to conditional package references for non-.NET 8 targets align with the stated goal of making the SDK "version humble" while maintaining the .NET 8+ and net48-specific structure intact.

Copilot AI left a comment

Pull Request Overview

This PR addresses dependency version constraints in the OpenFGA .NET SDK by lowering minimum required versions of System.* packages from 9.0.9 to 8.* and reorganizing package references to reduce unnecessary dependencies for consumers.

Key Changes:

  • Reduced minimum versions of System.* dependencies from 9.0.9 to 8.0.x to broaden compatibility
  • Removed unconditional dependencies that are only needed for pre-.NET 8 frameworks
  • Consolidated package references under appropriate framework conditions

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Added | system.text.json@8.0.5 | 40 | 100 | 90 | 100 | 100
Added | system.net.http.json@8.0.1 | 94 | 100 | 90 | 100 | 100
Updated | system.diagnostics.diagnosticsource@9.0.9 ⏵ 8.0.1 | 95 | 100 | 90 | 100 | 100

@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert
Warn High
[email protected] has a License Policy Violation.

License: Unicode-3.0 (THIRD-PARTY-NOTICES.TXT)

License: W3C-20150513 (THIRD-PARTY-NOTICES.TXT)

License: HP-1989 (THIRD-PARTY-NOTICES.TXT)

From: src/OpenFga.Sdk/OpenFga.Sdk.csproj nuget/[email protected] nuget/[email protected]

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore nuget/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
[email protected] has a License Policy Violation.

License: Unicode-3.0 (THIRD-PARTY-NOTICES.TXT)

License: W3C-20150513 (THIRD-PARTY-NOTICES.TXT)

License: HP-1989 (THIRD-PARTY-NOTICES.TXT)

From: src/OpenFga.Sdk/OpenFga.Sdk.csproj nuget/[email protected]

Warn High
[email protected] has a License Policy Violation.

License: Unicode-3.0 (THIRD-PARTY-NOTICES.TXT)

License: W3C-20150513 (THIRD-PARTY-NOTICES.TXT)

License: HP-1989 (THIRD-PARTY-NOTICES.TXT)

From: src/OpenFga.Sdk/OpenFga.Sdk.csproj nuget/[email protected]

Warn High
[email protected] has a License Policy Violation.

License: Unicode-3.0 (THIRD-PARTY-NOTICES.TXT)

License: W3C-20150513 (THIRD-PARTY-NOTICES.TXT)

License: HP-1989 (THIRD-PARTY-NOTICES.TXT)

From: src/OpenFga.Sdk/OpenFga.Sdk.csproj nuget/[email protected] nuget/[email protected]

Warn High
[email protected] has a License Policy Violation.

License: Unicode-3.0 (THIRD-PARTY-NOTICES.TXT)

License: W3C-20150513 (THIRD-PARTY-NOTICES.TXT)

License: HP-1989 (THIRD-PARTY-NOTICES.TXT)

From: src/OpenFga.Sdk/OpenFga.Sdk.csproj nuget/[email protected]

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 707766e and 0eafebe.

📒 Files selected for processing (1)
  • src/OpenFga.Sdk/OpenFga.Sdk.csproj (2 hunks)
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2025-09-30T04:00:16.791Z
Learnt from: evansims
PR: openfga/dotnet-sdk#122
File: docs/Nodes.md:7-7
Timestamp: 2025-09-30T04:00:16.791Z
Learning: The docs/ directory in the openfga/dotnet-sdk repository contains auto-generated documentation files that should not be manually edited. Markdown formatting issues in these files should be disregarded during review.

Applied to files:

  • src/OpenFga.Sdk/OpenFga.Sdk.csproj
📚 Learning: 2025-09-30T04:00:25.010Z
Learnt from: evansims
PR: openfga/dotnet-sdk#122
File: docs/Users.md:7-7
Timestamp: 2025-09-30T04:00:25.010Z
Learning: The docs/ folder in the openfga/dotnet-sdk repository contains auto-generated API documentation from code comments. Markdown formatting issues in files under docs/ should be disregarded as they are generated and not manually edited.

Applied to files:

  • src/OpenFga.Sdk/OpenFga.Sdk.csproj
🔇 Additional comments (2)
src/OpenFga.Sdk/OpenFga.Sdk.csproj (2)

42-47: Dependency downgrade strategy verified—no breaking changes detected.

Verification confirms the removal of Microsoft.Extensions.Http and Microsoft.Bcl.AsyncInterfaces is safe:

  • No usage of IHttpClientBuilder, AddHttpClient, HttpClientFactory, or direct imports of either package
  • No async enumerable patterns requiring Microsoft.Bcl.AsyncInterfaces
  • Version split (System.Text.Json 8.0.5 vs System.Net.Http.Json 8.0.1) is intentional and compatible
  • Conditional structure correctly targets non-.NET 8 runtimes only

50-54: System.Text.Json 8.0.5 requires System.Memory (≥ 4.5.5) and System.Threading.Tasks.Extensions (≥ 4.5.4), both of which are satisfied by the net48-specific versions 4.6.3 declared in the project file. The package versions are compatible; no changes are needed.

@SoulPancake SoulPancake requested a review from Copilot October 30, 2025 03:32
Copilot AI left a comment

Pull Request Overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.


Member

@SoulPancake SoulPancake left a comment

LG, Thanks @OsmanMElsayed

@antonio-dfg antonio-dfg left a comment

🚀

Member

@rhamzeh rhamzeh left a comment

Member

rhamzeh commented Oct 30, 2025

Errors like this should fail the build - opened #148 to track

@rhamzeh rhamzeh enabled auto-merge October 30, 2025 14:53
@rhamzeh rhamzeh added this pull request to the merge queue Oct 30, 2025
Merged via the queue into openfga:main with commit b1ea748 Oct 30, 2025
38 of 39 checks passed
Contributor Author

OsmanMElsayed commented Oct 30, 2025

Thanks @OsmanMElsayed

Gladly! And huge congrats to you guys for becoming a CNCF Incubating project 🎉! @rhamzeh

Development

Successfully merging this pull request may close these issues.

The .netstandard2.0 target has too restrictive minimum required version of the System.* dependencies
