From dfeda7e608f32f060b967f941bcec36011bda7a7 Mon Sep 17 00:00:00 2001
From: Viktor Hofer <viktor.hofer@microsoft.com>
Date: Thu, 30 Jan 2025 20:27:46 +0100
Subject: [PATCH 1/2] Update dependencies to avoid referencing vulnerable
 dependencies

---
 eng/BuildTask.targets                                  | 10 +++++-----
 eng/Versions.props                                     |  4 ++--
 .../Microsoft.SourceLink.Tools.Package.csproj          |  2 +-
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/eng/BuildTask.targets b/eng/BuildTask.targets
index c4a99a0c..2c6d1877 100644
--- a/eng/BuildTask.targets
+++ b/eng/BuildTask.targets
@@ -87,11 +87,11 @@
 
   <!-- Desktop MSBuild compatibilty -->
   <ItemGroup Condition="'$(TargetFrameworkIdentifier)' == '.NETFramework'">
-    <PackageReference Update="System.Text.Json" Version="7.0.1" />
-    <PackageReference Update="Microsoft.Extensions.Logging.Console" Version="7.0.0" />
-    <PackageReference Update="Microsoft.Extensions.DependencyModel" Version="7.0.0" />
-    <PackageReference Update="System.Collections.Immutable" Version="7.0.0" />
-    <PackageReference Update="System.Reflection.Metadata" Version="7.0.0" />
+    <PackageReference Update="System.Text.Json" Version="8.0.5" />
+    <PackageReference Update="Microsoft.Extensions.Logging.Console" Version="8.0.1" />
+    <PackageReference Update="Microsoft.Extensions.DependencyModel" Version="8.0.2" />
+    <PackageReference Update="System.Collections.Immutable" Version="8.0.0" />
+    <PackageReference Update="System.Reflection.Metadata" Version="8.0.1" />
   </ItemGroup>
 
   <!-- Publish .NET assets and include them in the package under tools/net directory. -->
diff --git a/eng/Versions.props b/eng/Versions.props
index 3534a36a..94e6cd0e 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -18,8 +18,8 @@
     <MicrosoftBuildTasksCoreVersion>17.8.3</MicrosoftBuildTasksCoreVersion>
     <MicrosoftIORedistVersion>6.0.1</MicrosoftIORedistVersion>
     <!-- nuget -->
-    <NuGetVersioningVersion>5.7.0</NuGetVersioningVersion>
+    <NuGetVersioningVersion>6.12.1</NuGetVersioningVersion>
     <!-- runtime -->
-    <SystemTextJsonVersion>7.0.3</SystemTextJsonVersion>
+    <SystemTextJsonVersion>8.0.5</SystemTextJsonVersion>
   </PropertyGroup>
 </Project>
diff --git a/src/SourceLink.Tools/Microsoft.SourceLink.Tools.Package.csproj b/src/SourceLink.Tools/Microsoft.SourceLink.Tools.Package.csproj
index 534c5611..77660d66 100644
--- a/src/SourceLink.Tools/Microsoft.SourceLink.Tools.Package.csproj
+++ b/src/SourceLink.Tools/Microsoft.SourceLink.Tools.Package.csproj
@@ -13,6 +13,6 @@
     <NoWarn>$(NoWarn);NU5128</NoWarn>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="System.Text.Json" />
+    <PackageReference Include="System.Text.Json" Condition="'$(TargetFrameworkIdentifier)' != '.NETCoreApp'" />
   </ItemGroup>
 </Project>
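Review bot: The new `Condition` on the `System.Text.Json` reference has no comment explaining why .NETCoreApp targets are excluded, even though that exclusion is part of how this commit stops referencing the vulnerable package. Presumably those targets take System.Text.Json from the shared framework, in which case the version they run against is set by the target framework and the installed runtime rather than by `SystemTextJsonVersion`. That is worth confirming for every TFM this project builds, since its `TargetFrameworks` is outside the hunk. I would add a comment above the item such as `<!-- System.Text.Json is part of the shared framework on .NETCoreApp; reference the package only where it is not inbox. -->`.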

From 1029aff135ade8d2116c8f7587eb651e700840a4 Mon Sep 17 00:00:00 2001
From: Viktor Hofer <viktor.hofer@microsoft.com>
Date: Thu, 30 Jan 2025 20:28:01 +0100
Subject: [PATCH 2/2] Enable NuGet Audit (direct dependencies only)

---
 NuGet.config              | 4 ++++
 src/Directory.Build.props | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/NuGet.config b/NuGet.config
index d1d257c4..a684170e 100644
--- a/NuGet.config
+++ b/NuGet.config
@@ -13,4 +13,8 @@
   <disabledPackageSources>
     <clear />
   </disabledPackageSources>
+  <auditSources>
+    <clear />
+    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
+  </auditSources>
 </configuration>
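Review bot: The `<auditSources>` section is, to my knowledge, only honoured by NuGet 6.12 and later (.NET SDK 9.0.100); older clients ignore it and audit against `packageSources`, which sit above this hunk and are not visible here. If those feeds serve no vulnerability data, restore on an older toolset can succeed without auditing anything. On clients that do honour the section, an unreachable nuget.org is reported only as warning NU1905, so a network-isolated build may also finish without an audit having run. I would document this next to the section, e.g. `<!-- Requires NuGet 6.12+; nuget.org is used for vulnerability data only, not for package restore. -->`, and decide explicitly whether NU1905 should fail official builds.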
diff --git a/src/Directory.Build.props b/src/Directory.Build.props
index 41ecf24b..ba217163 100644
--- a/src/Directory.Build.props
+++ b/src/Directory.Build.props
@@ -9,6 +9,9 @@
     <GenerateResxSource>true</GenerateResxSource>
     
     <IncludeSymbols Condition="'$(DebugType)' != 'embedded' and '$(UsingMicrosoftNoTargetsSdk)' != 'true'">true</IncludeSymbols>
+
+    <!-- Only upgrade NuGetAudit warnings to errors for official builds. -->
+    <WarningsNotAsErrors Condition="'$(OfficialBuild)' != 'true'">$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>
   </PropertyGroup>
 
 </Project>
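Review bot: Nothing in this patch sets `NuGetAuditMode`, although the commit subject says the audit covers direct dependencies only. Unless it is set outside these hunks, the effective mode comes from the SDK default, which to my knowledge is `direct` on older SDKs and `all` from .NET SDK 9.0.100. I would pin it next to this property with `<NuGetAuditMode>direct</NuGetAuditMode>`, or preferably `all` so that transitive packages with known advisories are reported as well. The condition also demotes all four severities, including NU1903 (high) and NU1904 (critical), in every non-official build. A pull request that introduces a vulnerable reference would therefore presumably pass validation and only fail in the official build; if that is intended, the comment above the property should say so.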