
Commit 2fb5d05

committed
Merge pull request #197 from AArnott/nugetSecurity
Secure nuget packages via packages.lock.json. This is a cherry-pick of f6afe71.
1 parent dec9319 commit 2fb5d05


19 files changed

+11491
-3
lines changed


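--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -12,7 +12,7 @@
 <NoWarn>CS1591;CS1701</NoWarn>
 <UpdateXlfOnBuild Condition=" '$(UpdateXlfOnBuild)' == '' ">true</UpdateXlfOnBuild>
 
-<MicroBuildVersion>2.0.61</MicroBuildVersion>
+<MicroBuildVersion>2.0.65</MicroBuildVersion>
 <MicroBuild_LocalizeOutputAssembly>false</MicroBuild_LocalizeOutputAssembly>
 
 <PublishRepositoryUrl>true</PublishRepositoryUrl>
@@ -26,11 +26,14 @@
 <Authors>Microsoft</Authors>
 <Copyright>© Microsoft Corporation. All rights reserved.</Copyright>
 <PackageLicenseExpression>MIT</PackageLicenseExpression>
+
+<RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
+<RestoreLockedMode Condition=" '$(Build_BuildId)' != '' ">true</RestoreLockedMode>
 </PropertyGroup>
 <ItemGroup>
 <PackageReference Include="Nerdbank.GitVersioning" Version="3.2.31" PrivateAssets="all" />
 <PackageReference Include="StyleCop.Analyzers" Version="1.2.0-beta.205" PrivateAssets="all" />
-<PackageReference Include="MicroBuild.VisualStudio" Version="$(MicroBuildVersion)" PrivateAssets="all" />
+<PackageReference Include="Microsoft.VisualStudio.Internal.MicroBuild.VisualStudio" Version="$(MicroBuildVersion)" PrivateAssets="all" />
 <PackageReference Include="Microsoft.Net.Compilers.Toolset" Version="3.7.0" PrivateAssets="all" />
 <PackageReference Include="Microsoft.SourceLink.GitHub" Version="1.0.0" PrivateAssets="All" />
 </ItemGroup>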
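Review bot: `RestoreLockedMode` is switched on only when `Build_BuildId` is non-empty, and nothing next to the two new properties in the second hunk says why or what happens elsewhere. `Build_BuildId` looks like the Azure Pipelines build id variable, so restores on developer machines and in any other automation would presumably run unlocked and can rewrite packages.lock.json instead of failing; in that case the lock file diff in a pull request is the only place a changed version or content hash shows up. I would add a comment above the properties, e.g. `<!-- Locked mode only in pipeline builds (Build_BuildId set); elsewhere restore may update packages.lock.json, so review lock file diffs as dependency changes. -->`. The enclosing PropertyGroup starts outside the hunk, so I cannot see whether another property already overrides either setting.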

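--- a/azure-pipelines/official.yml
+++ b/azure-pipelines/official.yml
@@ -12,6 +12,7 @@ variables:
 BuildConfiguration: Release
 BuildPlatform: Any CPU
 NUGET_PACKAGES: $(Agent.TempDirectory)/.nuget/packages
+NugetSecurityAnalysisWarningLevel: none # we use packages.lock.json to verify package content.
 
 jobs:
 - job: Windows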
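Review bot: `NugetSecurityAnalysisWarningLevel: none` on new line 15 silences the pipeline's NuGet security analysis for the whole build, and the trailing comment justifies that only by content verification. A lock file pins the versions and content hashes that were resolved when it was generated; it covers only projects that have a committed packages.lock.json and are restored with it, and it does not by itself record which feed a package was resolved from. I can't tell from this page what else the analysis reports, so I would make the comment state the precondition being relied on, e.g. `# silenced: every restored project has a committed packages.lock.json and pipeline restores run in locked mode`, so the setting is revisited if a project without a lock file is added. The `variables:` block starts outside the hunk.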

src/Microsoft.VisualStudio.Composition.Analyzers/packages.lock.json

Lines changed: 1034 additions & 0 deletions
Large diffs are not rendered by default.
Lines changed: 252 additions & 0 deletions
@@ -0,0 +1,252 @@
1+
{
2+
"version": 1,
3+
"dependencies": {
4+
".NETFramework,Version=v4.7.2": {
5+
"Microsoft.Net.Compilers.Toolset": {
6+
"type": "Direct",
7+
"requested": "[3.7.0, )",
8+
"resolved": "3.7.0",
9+
"contentHash": "m+4y5aIbi/rD9NJKjb8GWL2/tGeMmzd/9OMOH6olkoQbltGMS69arcWzlQ4vrsbbN1cgvCUdYLK/e007pbz8RA=="
10+
},
11+
"Microsoft.SourceLink.GitHub": {
12+
"type": "Direct",
13+
"requested": "[1.0.0, )",
14+
"resolved": "1.0.0",
15+
"contentHash": "aZyGyGg2nFSxix+xMkPmlmZSsnGQ3w+mIG23LTxJZHN+GPwTQ5FpPgDo7RMOq+Kcf5D4hFWfXkGhoGstawX13Q==",
16+
"dependencies": {
17+
"Microsoft.Build.Tasks.Git": "1.0.0",
18+
"Microsoft.SourceLink.Common": "1.0.0"
19+
}
20+
},
21+
"Microsoft.VisualStudio.Internal.MicroBuild.VisualStudio": {
22+
"type": "Direct",
23+
"requested": "[2.0.65, )",
24+
"resolved": "2.0.65",
25+
"contentHash": "9RkfQwLeS/zF8fv/E9khT86/HgmrJkLLwvxqzfUehOJjafk3DYzjJe28cnWc+gXwO5nrho03FMCDWYg5T+y5Fw==",
26+
"dependencies": {
27+
"Microsoft.VisualStudio.Internal.MicroBuild": "2.0.65"
28+
}
29+
},
30+
"Nerdbank.GitVersioning": {
31+
"type": "Direct",
32+
"requested": "[3.2.31, )",
33+
"resolved": "3.2.31",
34+
"contentHash": "19grBnpqHLxViOt1cwE+cI+brQ2swdm4gfM97P+9KbbgWGfXtdy4EmpVAkUZ3MgntFYYbUvfldM4pUOmks5q0w=="
35+
},
36+
"Nerdbank.MSBuildExtension": {
37+
"type": "Direct",
38+
"requested": "[0.1.17-beta, )",
39+
"resolved": "0.1.17-beta",
40+
"contentHash": "hVRVItQBgafbULSFoBxxg1KSqkpKCXyuhl8qIgTx2zGoAUpew7dBFwPWlLNvd7ZxwNPY6giXDQ+H/C28iox60Q==",
41+
"dependencies": {
42+
"Microsoft.Build.Tasks.Core": "14.3.0"
43+
}
44+
},
45+
"Nullable": {
46+
"type": "Direct",
47+
"requested": "[1.3.0, )",
48+
"resolved": "1.3.0",
49+
"contentHash": "xHAviTdTY3n+t1nEPN4JPRQR5lI124qRKVw+U9H7dO5sDNPpzoWeo/MQy7dSUmv9eD3k/CJVKokz1tFK+JOzRw=="
50+
},
51+
"StyleCop.Analyzers": {
52+
"type": "Direct",
53+
"requested": "[1.2.0-beta.205, )",
54+
"resolved": "1.2.0-beta.205",
55+
"contentHash": "ORvUXKlJRqAWstZiSH9LgEuM5hBye8mUDDSpMoQhiKLFUtFEGesfr88Qa8jC0KKVaBTUZzdo4fNZM4oHeV/JsQ==",
56+
"dependencies": {
57+
"StyleCop.Analyzers.Unstable": "1.2.0.205"
58+
}
59+
},
60+
"Microsoft.Build.Framework": {
61+
"type": "Transitive",
62+
"resolved": "14.3.0",
63+
"contentHash": "GX3MdQMQ3YVx/jWerzd5vDW/VrcLxf80Ts4T9AVEUsrmL6wZK1YTGNX3jLapll+5Y7PBDbvf5R815A64hlEQ+g==",
64+
"dependencies": {
65+
"System.Collections": "4.0.11",
66+
"System.Runtime": "4.1.0",
67+
"System.Runtime.InteropServices": "4.1.0"
68+
}
69+
},
70+
"Microsoft.Build.Tasks.Core": {
71+
"type": "Transitive",
72+
"resolved": "14.3.0",
73+
"contentHash": "/h8PEha1FPAsGf6SPYP+vqTD34tuPvdeLIq+a4gKCNqwGnb66LOi3m8CQiAvumyTCrx9dli8HEE2s2EnoVJ9AA==",
74+
"dependencies": {
75+
"Microsoft.Build.Framework": "[14.3.0]",
76+
"Microsoft.Build.Utilities.Core": "[14.3.0]"
77+
}
78+
},
79+
"Microsoft.Build.Tasks.Git": {
80+
"type": "Transitive",
81+
"resolved": "1.0.0",
82+
"contentHash": "z2fpmmt+1Jfl+ZnBki9nSP08S1/tbEOxFdsK1rSR+LBehIJz1Xv9/6qOOoGNqlwnAGGVGis1Oj6S8Kt9COEYlQ=="
83+
},
84+
"Microsoft.Build.Utilities.Core": {
85+
"type": "Transitive",
86+
"resolved": "14.3.0",
87+
"contentHash": "wGluB/diyYl0iZLjiJzWJTmK0RgOgzmzb19fRBgAyORe/N6Z1zwJHK/cLJcAsuvzbanrXsf3NuGlmbc5lOvTag==",
88+
"dependencies": {
89+
"Microsoft.Build.Framework": "[14.3.0]"
90+
}
91+
},
92+
"Microsoft.SourceLink.Common": {
93+
"type": "Transitive",
94+
"resolved": "1.0.0",
95+
"contentHash": "G8DuQY8/DK5NN+3jm5wcMcd9QYD90UV7MiLmdljSJixi3U/vNaeBKmmXUqI4DJCOeWizIUEh4ALhSt58mR+5eg=="
96+
},
97+
"Microsoft.VisualStudio.Internal.MicroBuild": {
98+
"type": "Transitive",
99+
"resolved": "2.0.65",
100+
"contentHash": "nYX6AQH32jxHMXhKsrFYBygVxZIXoeEUCcagQh9Ncuk4d2KOykdwIrDpZB1mUMHbPEYxk51YGX9ZPOTHq8buXA==",
101+
"dependencies": {
102+
"Microsoft.VisualStudioEng.MicroBuild.Core": "0.4.1"
103+
}
104+
},
105+
"Microsoft.VisualStudio.Validation": {
106+
"type": "Transitive",
107+
"resolved": "15.5.31",
108+
"contentHash": "AOmvJTT4CpamJ2A6J+PBrhKPfs2HXi/MJVxN/QlViewjI4XZDrt/yp3NMto+OOgB25jDnt9IIdNTkjpNBUpXmw=="
109+
},
110+
"Microsoft.VisualStudioEng.MicroBuild.Core": {
111+
"type": "Transitive",
112+
"resolved": "0.4.1",
113+
"contentHash": "2DhYPxdDyPu0ggmMmDjFBjdlErvA/DbYRf6OhtmCaUCskgMvqfVofUAKXkFpAyu/CshNKcyiG+DX0dPIPTqhLw=="
114+
},
115+
"StyleCop.Analyzers.Unstable": {
116+
"type": "Transitive",
117+
"resolved": "1.2.0.205",
118+
"contentHash": "YiRjba3yBp2mCvtsOeQf8XU1tPaOZFTKxcsj44tTpGrhRchmtuKtgyMCV9kkOFdfKISnHk0gzhigITlrrrvMuA=="
119+
},
120+
"System.Collections": {
121+
"type": "Transitive",
122+
"resolved": "4.0.11",
123+
"contentHash": "YUJGz6eFKqS0V//mLt25vFGrrCvOnsXjlvFQs+KimpwNxug9x0Pzy4PlFMU3Q2IzqAa9G2L4LsK3+9vCBK7oTg=="
124+
},
125+
"System.Collections.Immutable": {
126+
"type": "Transitive",
127+
"resolved": "1.5.0",
128+
"contentHash": "EXKiDFsChZW0RjrZ4FYHu9aW6+P4MCgEDCklsVseRfhoO0F+dXeMSsMRAlVXIo06kGJ/zv+2w1a2uc2+kxxSaQ=="
129+
},
130+
"System.ComponentModel.Composition": {
131+
"type": "Transitive",
132+
"resolved": "4.5.0",
133+
"contentHash": "+iB9FoZnfdqMEGq6np28X6YNSUrse16CakmIhV3h6PxEWt7jYxUN3Txs1D8MZhhf4QmyvK0F/EcIN0f4gGN0dA=="
134+
},
135+
"System.Composition": {
136+
"type": "Transitive",
137+
"resolved": "1.0.31",
138+
"contentHash": "I+D26qpYdoklyAVUdqwUBrEIckMNjAYnuPJy/h9dsQItpQwVREkDFs4b4tkBza0kT2Yk48Lcfsv2QQ9hWsh9Iw==",
139+
"dependencies": {
140+
"System.Composition.AttributedModel": "1.0.31",
141+
"System.Composition.Convention": "1.0.31",
142+
"System.Composition.Hosting": "1.0.31",
143+
"System.Composition.Runtime": "1.0.31",
144+
"System.Composition.TypedParts": "1.0.31"
145+
}
146+
},
147+
"System.Composition.AttributedModel": {
148+
"type": "Transitive",
149+
"resolved": "1.0.31",
150+
"contentHash": "NHWhkM3ZkspmA0XJEsKdtTt1ViDYuojgSND3yHhTzwxepiwqZf+BCWuvCbjUt4fe0NxxQhUDGJ5km6sLjo9qnQ=="
151+
},
152+
"System.Composition.Convention": {
153+
"type": "Transitive",
154+
"resolved": "1.0.31",
155+
"contentHash": "GLjh2Ju71k6C0qxMMtl4efHa68NmWeIUYh4fkUI8xbjQrEBvFmRwMDFcylT8/PR9SQbeeL48IkFxU/+gd0nYEQ==",
156+
"dependencies": {
157+
"System.Composition.AttributedModel": "1.0.31"
158+
}
159+
},
160+
"System.Composition.Hosting": {
161+
"type": "Transitive",
162+
"resolved": "1.0.31",
163+
"contentHash": "fN1bT4RX4vUqjbgoyuJFVUizAl2mYF5VAb+bVIxIYZSSc0BdnX+yGAxcavxJuDDCQ1K+/mdpgyEFc8e9ikjvrg==",
164+
"dependencies": {
165+
"System.Composition.Runtime": "1.0.31"
166+
}
167+
},
168+
"System.Composition.Runtime": {
169+
"type": "Transitive",
170+
"resolved": "1.0.31",
171+
"contentHash": "0LEJN+2NVM89CE4SekDrrk5tHV5LeATltkp+9WNYrR+Huiyt0vaCqHbbHtVAjPyeLWIc8dOz/3kthRBj32wGQg=="
172+
},
173+
"System.Composition.TypedParts": {
174+
"type": "Transitive",
175+
"resolved": "1.0.31",
176+
"contentHash": "0Zae/FtzeFgDBBuILeIbC/T9HMYbW4olAmi8XqqAGosSOWvXfiQLfARZEhiGd0LVXaYgXr0NhxiU1LldRP1fpQ==",
177+
"dependencies": {
178+
"System.Composition.AttributedModel": "1.0.31",
179+
"System.Composition.Hosting": "1.0.31",
180+
"System.Composition.Runtime": "1.0.31"
181+
}
182+
},
183+
"System.Reflection": {
184+
"type": "Transitive",
185+
"resolved": "4.3.0",
186+
"contentHash": "KMiAFoW7MfJGa9nDFNcfu+FpEdiHpWgTcS2HdMpDvt9saK3y/G4GwprPyzqjFH9NTaGPQeWNHU+iDlDILj96aQ=="
187+
},
188+
"System.Reflection.Emit": {
189+
"type": "Transitive",
190+
"resolved": "4.3.0",
191+
"contentHash": "228FG0jLcIwTVJyz8CLFKueVqQK36ANazUManGaJHkO0icjiIypKW7YLWLIWahyIkdh5M7mV2dJepllLyA1SKg=="
192+
},
193+
"System.Reflection.Metadata": {
194+
"type": "Transitive",
195+
"resolved": "1.6.0",
196+
"contentHash": "COC1aiAJjCoA5GBF+QKL2uLqEBew4JsCkQmoHKbN3TlOZKa2fKLz5CpiRQKDz0RsAOEGsVKqOD5bomsXq/4STQ==",
197+
"dependencies": {
198+
"System.Collections.Immutable": "1.5.0"
199+
}
200+
},
201+
"System.Reflection.TypeExtensions": {
202+
"type": "Transitive",
203+
"resolved": "4.3.0",
204+
"contentHash": "7u6ulLcZbyxB5Gq0nMkQttcdBTx57ibzw+4IOXEfR+sXYQoHvjW5LTLyNr8O22UIMrqYbchJQJnos4eooYzYJA==",
205+
"dependencies": {
206+
"System.Reflection": "4.3.0"
207+
}
208+
},
209+
"System.Runtime": {
210+
"type": "Transitive",
211+
"resolved": "4.1.0",
212+
"contentHash": "v6c/4Yaa9uWsq+JMhnOFewrYkgdNHNG2eMKuNqRn8P733rNXeRCGvV5FkkjBXn2dbVkPXOsO0xjsEeM1q2zC0g=="
213+
},
214+
"System.Runtime.InteropServices": {
215+
"type": "Transitive",
216+
"resolved": "4.1.0",
217+
"contentHash": "16eu3kjHS633yYdkjwShDHZLRNMKVi/s0bY8ODiqJ2RfMhDMAwxZaUaWVnZ2P71kr/or+X9o/xFWtNqz8ivieQ==",
218+
"dependencies": {
219+
"System.Runtime": "4.1.0"
220+
}
221+
},
222+
"System.Threading.Tasks.Dataflow": {
223+
"type": "Transitive",
224+
"resolved": "4.11.1",
225+
"contentHash": "umDBSKTQMoYAbts6w49N33ctAjHhcfJkcva8xoDog01st35N+Ly/w+TB2vUcghxSw5vUYkpaCl/PI7tVw3R0Jw=="
226+
},
227+
"microsoft.visualstudio.composition": {
228+
"type": "Project",
229+
"dependencies": {
230+
"Microsoft.VisualStudio.Composition.Analyzers": "1.0.0",
231+
"Microsoft.VisualStudio.Composition.NetFxAttributes": "1.0.0",
232+
"Microsoft.VisualStudio.Validation": "15.5.31",
233+
"System.ComponentModel.Composition": "4.5.0",
234+
"System.Composition": "1.0.31",
235+
"System.Reflection.Emit": "4.3.0",
236+
"System.Reflection.Metadata": "1.6.0",
237+
"System.Reflection.TypeExtensions": "4.3.0",
238+
"System.Threading.Tasks.Dataflow": "4.11.1"
239+
}
240+
},
241+
"microsoft.visualstudio.composition.analyzers": {
242+
"type": "Project"
243+
},
244+
"microsoft.visualstudio.composition.netfxattributes": {
245+
"type": "Project",
246+
"dependencies": {
247+
"System.ComponentModel.Composition": "4.5.0"
248+
}
249+
}
250+
}
251+
}
252+
}
