Third party libraries used by Sitecore
At Achmea, we made the strategic decision to use Sitecore as platform for all of our websites, we’ve got hundreds of them. To do this at enterprise level, on such a scale, it’s important that we have guidance on infrastructure, development, deployment, security, content, DMS, just to be sure that the stable environment that we deliver, will stay stable. We all know that it’s important to work with the right Sitecore assemblies (correct version) and not to overwrite them. But Sitecore doesn’t only deliver Sitecore assemblies, but 3rd party assemblies as well, for example: Microsoft assemblies, TweetSharp, Facebook API, Google API’s, et cetera. This blogpost tells us what 3rd party components Sitecore ships with, what license is tied to it and what version is delivered. It currently only includes Sitecore 8.0 update 5 and Sitecore 8.1 update 1.
And please try to guess the answer to now: “What is the year of the eldest component that ships with Sitecore?”. You will be surprised ;)
Why is this list important?
All of these components have a history in it’s development lifecycle, may have security issues in older versions and always have a license tied to it. If there’s no license, the components fall under the author’s copyright, which means that you’re not allowed to use that third party component in your software.
Aside from the license issues, make sure that you use the correct version. Sitecore may replace or update the 3rd party components in a future version, which means your software can (and believe me, someday it will) break. There is no guarantee that Sitecore will ship these component in next versions, thus it’s better to be prepared on what to do when things change. Some commercial products are included in the product as well. Questions that I have regarding those products:
- Do we, as a company, need to have a license as well to use these products, or does the Sitecore license cover this? (Probably it does, but I am not 100% sure)
- If Sitecore may use the product, for example, Telerik, may we make use of that product in our custom made components as well? For example, when extending content editor functionality? Or do we need to have separate development licenses?
I don’t have answers on those questions yet, but we already asked the question at Sitecore.
The one list
Well, this wall of text finally lead us to the list. I must admit: it was just a desktop research, but I think we are quite complete regarding the versioning. The version info is the “Assembly Info” that I got via ILSpy. I got the most recent versions by looking into github and codeplex repositories, so for some commercial products I really don’t know what the latest version is.
My main concern is that I see some really ancient builds in this list. The eldest component is from 2006! Maybe this list can help Sitecore to upgrade these components to the latest version, for the sake of its ALM ;)
| Library | Sitecore 8.0 update 5 | year | Sitecore 8.1 update 1 | year | Current version | year | License type | ||
| Telerik.Web.UI.Skins | 2012.2.607..35 | 2012 | 2015.1.401.45 | ?? | 2015 | License? | Telerik UI lib | ||
| TweetSharp | 2.0.0.0 | < 2013 | 2.0.0.0 | 3.0.0.1 | 2015 | ?? | Twitter library | ||
| WebGrease | 1.6.5135.21930 | 2014 | 1.6.5135.21930 | 1.6 | 2014 | ?? | Optimizing javascript | ||
| Yahoo.Yui.Compressor | 2.1.1.0 | 2012 | 2.1.1.0 | 2.7 | 2014 | BSD-2 | Compression library | ||
| Componentart | 2010 | 2010 | 2010 | 2012 | 2012 | ?? | Visualization controls | ||
| CsQuery | 1.3.3.249 | ?? | 1.3.3.249 | ?? | 1.3.5.200 | MIT | CsQuery is a CSS selector engine and jQuery port for .NET 4 and C#. | ||
| DotNetOpenAuth | 4.0.0.11165 | 2011/2012 | 4.0.0.11165 | 4.3 | 2013 | Ms-Pl | |||
| Ecmascript.net | 1.0.1.0 | 2012 | 1.0.1.0 | 1.0.1 | 2012 | MPL 1.1 (Mozilla Public License) | EcmaScript.NET is an open-source implementation of EcmaScript based on Rhino (JavaScript for Java) written entirely in C#. | ||
| Facebook C# SDK | 5.4.1.0 | < 2012 | 5.4.1.0 | 6.0.10 | <2012 | Apache License | Facebook API | ||
| Facebook API | 1.0.0.0 | ?? | 1.0.0.0 | ?? | ?? | Ms-Pl (Microsoft Public License) | Facebook API – not sure about the source… | ||
| GoogleApis.Authentication.OAuth2 | 1.0 | 2011? | 1.0 | 1.9.3 | 2015 | Apache 2.0 | Google OAuth2 library. Very ancient library. Stackoverflow post: “class not supported anymore” | ||
| Google.Apis | 1.0.0.30541 | 2011? | 1.0 | 1.9.3 | 2015 | Apache 2.0 | Google API library | ||
| Google.Apis.Plus.v1 | 1.0.0.0 | < 2013 | 1.0 | 1.9.2 | 2015 | Apache 2.0 | Google plus library | ||
| Hammock.Clientprofile | 1.0.0.0 | < 2011 | 1.0 | 1.3.1 | 2013 | MIT | Rest Wrapper | ||
| Html Agility Pack | 1.4.6.0 | 2012 | 1.4.6.0 | 1.4.9 | 2014 | Ms-Pl | HTML Parser that builds a read/write DOM. | ||
| Iesi.Collections | 1.0.1.0 | 2011 | 1.0.1.0 | 4.0.1.400 | 2013 | No license | Enhanced collectrions for .net | ||
| IT Hit WebDAV Server .Net v2 | 2.1.1.108 | 2009 | 2.1.1.108 | V4.0.2416 | 2015 | Found here | webdav server engine for net | ||
| Lucene.net | 3.0.3 | 2015 | 3.0.3 | 3.0.3 | 2015 | Apache 2 | Search | ||
| Mvp.Xml | 2.0.2158.1055 | 2006 | 2.0.2158.1055 | 2.3 | 2007 | BSD License | From the time before the dinosaurs even didn't exist | ||
| Netbiscuits.OnPremise | - | - | 1.1.0.0 | ?? | |||||
| Newtonsoft.Json | 6.0.5 | 2014 | 6.0.8.18111 | 2014 | 7.0.1 | 2015 | MIT | JSON (de)serializer | |
| OAuthLinkedIn | 1.0.0.0 | ?? | 1.0.0.0 | ?? | ?? | ?? | ?? | Looks like it’s taken from a github source, can’t find the original source | |
| Protobuf-net | 2.0.0.668 | 2013 | 2.0.0.668 | 2013 | 2.0.0.668 | 2013 | Apache 2 | Protocol Buffers library for idiomatic .NET | |
| Telerik RadEditor.net2 | 7.2.0.0 | ?? | 7.2.0.0 | ?? | ?? | ?? | ?? | ||
| Stimulsoft Base | 2013.1.1600.0 | 2013 | 2013.1.1600.0 | 2013 | 2015.3 | 2015 | License | Reporting technology | |
| Stimulsoft Database | 2013.1.1600.0 | 2013 | 2013.1.1600.0 | 2013 | 2015.3 | 2015 | License | Database helper | |
| Stimulsoft Report | 2013.1.1600.0 | 2013 | 2013.1.1600.0 | 2013 | 2015.3 | 2015 | License | Reporting technology | |
| Stimulsoft Report Web | 2013.1.1600.0 | 2013 | 2013.1.1600.0 | 2013 | 2015.3 | 2015 | License | Reporting technology | |
| Stimulsoft Report Web Design | 2013.1.1600.0 | 2013 | 2013.1.1600.0 | 2013 | 2015.3 | 2015 | License | Reporting technology | |
| Telerik.Web.UI | 2012.2.607.35 | 2013 | 2015.1.401.45 | 2015 | 2015 | ?? | Reporting technology | ||
| Ninject | 3.2.0.0 | 2015 | 3.2.0.0 | 2015 | 3.2 | 2015 | Ms-Pl | Lightweight dependency injection for .NET | |
| ASP.Net MVC | 5.1.0 | 2014 | 5.2.3 | 2015 | 5.2.3 | 2015 | |||
| System.Web.Webpages | 3.0 | 2013 | 3.0 | 2013 | 3.2.3 | 2015 | |||
| System.Net.Formatting | 4.0 | ? | 5.2.3 | 2015 | 5.2.3 | 2015 | |||
Conclusion
Quite some third party components are delivered with Sitecore, some are up to date, and some are really ancient. This list can help you to decide whether or not to allow a component to be used in your custom code and whether or not the license tied to the component will have impact on your company from a legal perspective.