Update dependencies and enable nuget audit (direct mode) (#1358)

ViktorHofer · web-flow · commit f6bdf75b5ca6 · 2025-02-03T19:02:21.000+01:00
* Update dependencies to avoid referencing vulnerable dependencies

* Enable NuGet Audit (direct dependencies only)
diff --git a/NuGet.config b/NuGet.config
@@ -13,4 +13,8 @@
   <disabledPackageSources>
     <clear />
   </disabledPackageSources>
+  <auditSources>
+    <clear />
+    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
+  </auditSources>
 </configuration>
diff --git a/eng/BuildTask.targets b/eng/BuildTask.targets
@@ -87,11 +87,11 @@
 
   <!-- Desktop MSBuild compatibilty -->
   <ItemGroup Condition="'$(TargetFrameworkIdentifier)' == '.NETFramework'">
-    <PackageReference Update="System.Text.Json" Version="7.0.1" />
-    <PackageReference Update="Microsoft.Extensions.Logging.Console" Version="7.0.0" />
-    <PackageReference Update="Microsoft.Extensions.DependencyModel" Version="7.0.0" />
-    <PackageReference Update="System.Collections.Immutable" Version="7.0.0" />
-    <PackageReference Update="System.Reflection.Metadata" Version="7.0.0" />
+    <PackageReference Update="System.Text.Json" Version="8.0.5" />
+    <PackageReference Update="Microsoft.Extensions.Logging.Console" Version="8.0.1" />
+    <PackageReference Update="Microsoft.Extensions.DependencyModel" Version="8.0.2" />
+    <PackageReference Update="System.Collections.Immutable" Version="8.0.0" />
+    <PackageReference Update="System.Reflection.Metadata" Version="8.0.1" />
   </ItemGroup>
 
   <!-- Publish .NET assets and include them in the package under tools/net directory. -->
diff --git a/eng/Versions.props b/eng/Versions.props
@@ -16,8 +16,8 @@
     <MicrosoftBuildTasksCoreVersion>17.8.3</MicrosoftBuildTasksCoreVersion>
     <MicrosoftIORedistVersion>6.0.1</MicrosoftIORedistVersion>
     <!-- nuget -->
-    <NuGetVersioningVersion>5.7.0</NuGetVersioningVersion>
+    <NuGetVersioningVersion>6.12.1</NuGetVersioningVersion>
     <!-- runtime -->
-    <SystemTextJsonVersion>7.0.3</SystemTextJsonVersion>
+    <SystemTextJsonVersion>8.0.5</SystemTextJsonVersion>
   </PropertyGroup>
 </Project>
diff --git a/src/Directory.Build.props b/src/Directory.Build.props
@@ -9,6 +9,9 @@
     <GenerateResxSource>true</GenerateResxSource>
     
     <IncludeSymbols Condition="'$(DebugType)' != 'embedded' and '$(UsingMicrosoftNoTargetsSdk)' != 'true'">true</IncludeSymbols>
+
+    <!-- Only upgrade NuGetAudit warnings to errors for official builds. -->
+    <WarningsNotAsErrors Condition="'$(OfficialBuild)' != 'true'">$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>
   </PropertyGroup>
 
 </Project>
diff --git a/src/SourceLink.Tools/Microsoft.SourceLink.Tools.Package.csproj b/src/SourceLink.Tools/Microsoft.SourceLink.Tools.Package.csproj
@@ -13,6 +13,6 @@
     <NoWarn>$(NoWarn);NU5128</NoWarn>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="System.Text.Json" />
+    <PackageReference Include="System.Text.Json" Condition="'$(TargetFrameworkIdentifier)' != '.NETCoreApp'" />
   </ItemGroup>
 </Project>
