Add validation to test that OOB packages have no SharedFx-only references

[wtgodbe]

We had a situation in 8.0 where Microsoft.Extensions.Caching.StackExchangeRedis (which is an OOB package) added a dependency on Microsoft.AspNetCore.OutputCaching (which is SharedFx-only), which caused StackExchangeRedis to have a FrameworkReference on AspNetCore.App. This means devs using StackExchangeRedis would need to have Asp.Net installed on their machine in order to use the package, which goes against the principle of an OOB package (they should be useable by non-asp.net devs). We should add validation, maybe in ResolveReferences.targets, that prevents this from happening again, as it's a very easy mistake to make.

[ghost]

Thanks for contacting us.

We're moving this issue to the .NET 9 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue, during our next planning meeting(s).
If we later determine, that the issue has no community involvement, or it's very rare and low-impact issue, we will close it - so that the team can focus on more important and high impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

[Tratcher]

This issue only applies to Extensions, right? Note all of the Authentication OOB packages do require the shared framework.

[wtgodbe]

This issue only applies to Extensions, right? Note all of the Authentication OOB packages do require the shared framework.

Oh, I didn't know that. If that's the case then yeah, seems like this should only apply to Extensions