Skip to content

Enable MSBuildTask0004 task-authoring analyzer at error severity#55060

Open
baronfel wants to merge 1 commit into
mainfrom
baronfel-enable-msbuildtask0004
Open

Enable MSBuildTask0004 task-authoring analyzer at error severity#55060
baronfel wants to merge 1 commit into
mainfrom
baronfel-enable-msbuildtask0004

Conversation

@baronfel

Copy link
Copy Markdown
Member

Summary

Re-enables MSBuildTask0004 (Microsoft.Build.TaskAuthoring.Analyzer) at its natural error severity, continuing the incremental "ratcheting" of the MSBuild thread-safe task-authoring analyzer started in #55053 (which enabled MSBuildTask0001).

What the rule is

MSBuildTask0004"API may cause issues in multithreaded tasks" (Warning by default). It flags APIs that can cause assembly version conflicts in a shared/multithreaded task host:

  • Assembly.Load / LoadFrom / LoadFile / LoadWithPartialName
  • Activator.CreateInstance(string, string) / Activator.CreateInstanceFrom
  • AppDomain.Load / CreateInstance / CreateInstanceFrom

Why it can be enabled now

Unlike MSBuildTask0002/0003, the concerns of 0004 do not require the IMultiThreadableTask / TaskEnvironment migration — they are about avoiding problematic reflection/assembly-loading APIs, which can be enforced today. MSBuildTask0001/0002/0003/0005 remain at suggestion pending that migration (0002/0003 need TaskEnvironment; 0005 is transitive on the others).

The codebase already complies

There are zero direct MSBuildTask0004 violations. Verified by building all 12 IsMSBuildTaskProject projects with the repo-local SDK at error severity — every project reported Build succeeded (and because the repo builds warn-as-error, any violation would have broken the build):

  • Microsoft.NET.Build.Containers
  • Microsoft.DotNet.GenAPI.Task
  • Microsoft.NET.Sdk.Publish.Tasks
  • Microsoft.DotNet.ApiCompat.Task
  • Microsoft.NET.Sdk.StaticWebAssets.Tasks
  • Microsoft.NET.Sdk.Razor.Tasks
  • Microsoft.TemplateEngine.Authoring.Tasks
  • Microsoft.NET.Build.Tasks
  • Microsoft.NET.Build.Extensions.Tasks
  • Microsoft.NET.Sdk.BlazorWebAssembly.Tasks
  • DotNetWatchTasks
  • sdk-tasks

The rule was also confirmed active by temporarily injecting Assembly.LoadFrom("x") into a real ITask.Execute() and observing error MSBuildTask0004 fire (then reverted).

Changes

Only the two .editorconfig files (repo-root and src/StaticWebAssetsSdk/ which sets root = true and keeps its own in-sync copy): MSBuildTask0004 suggestionerror, with updated comments. No source fixes were needed.

MSBuildTask0004 ('API may cause issues in multithreaded tasks') flags
Assembly.Load*/Activator.CreateInstance*/AppDomain.* calls that can cause
version conflicts in a shared task host. Unlike MSBuildTask0002/0003, its
concerns do not depend on the IMultiThreadableTask/TaskEnvironment migration,
so it can be enforced today. The codebase already has zero violations across
all 12 IsMSBuildTaskProject projects (verified by build). This continues the
incremental ratcheting started in #55053 (MSBuildTask0001).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 29, 2026 21:20

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR ratchets up enforcement of the MSBuild thread-safe task-authoring analyzer by promoting MSBuildTask0004 (“API may cause issues in multithreaded tasks”) from suggestion to error, ensuring banned assembly-loading/reflection APIs are blocked in MSBuild task projects.

Changes:

  • Set dotnet_diagnostic.MSBuildTask0004.severity = error in the repo-root .editorconfig.
  • Mirror the same severity update in src/StaticWebAssetsSdk/.editorconfig (which is root = true), and update the explanatory comments in both locations.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
.editorconfig Promotes MSBuildTask0004 to error and updates ratcheting guidance/comments.
src/StaticWebAssetsSdk/.editorconfig Keeps the duplicated analyzer severity block in sync (root-scoped editorconfig) and updates comments accordingly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants