Override vulnerable transitive dependencies with safe versions

petrsvihlik · claude · petrsvihlik · commit a28cf30e388c · 2026-03-15T00:33:35.000+01:00
Statiq.Web pulls in several packages with known vulnerabilities.
Added explicit version overrides to resolve all NU190x warnings:
- Azure.Identity 1.19.0
- Microsoft.Build.Tasks.Core 18.4.0
- Microsoft.Data.SqlClient 6.1.4
- Microsoft.IdentityModel.JsonWebTokens / System.IdentityModel.Tokens.Jwt 8.16.0
- Microsoft.Rest.ClientRuntime 2.3.24 (capped at &lt;3.0.0 for Azure.Search compat)
- Newtonsoft.Json 13.0.4
- System.Data.SqlClient 4.9.1
- System.DirectoryServices.Protocols / System.Drawing.Common / System.Security.Cryptography.Xml 10.0.5

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/PetrSvihlik.Com.csproj b/PetrSvihlik.Com.csproj
@@ -12,6 +12,21 @@
     <PackageReference Include="Statiq.Web" Version="1.0.0-beta.60" />
   </ItemGroup>
 
+  <!-- Vulnerability overrides for transitive dependencies -->
+  <ItemGroup>
+    <PackageReference Include="Azure.Identity" Version="1.19.0" />
+    <PackageReference Include="Microsoft.Build.Tasks.Core" Version="18.4.0" />
+    <PackageReference Include="Microsoft.Data.SqlClient" Version="6.1.4" />
+    <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="8.16.0" />
+    <PackageReference Include="Microsoft.Rest.ClientRuntime" Version="2.3.24" />
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.4" />
+    <PackageReference Include="System.Data.SqlClient" Version="4.9.1" />
+    <PackageReference Include="System.DirectoryServices.Protocols" Version="10.0.5" />
+    <PackageReference Include="System.Drawing.Common" Version="10.0.5" />
+    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.16.0" />
+    <PackageReference Include="System.Security.Cryptography.Xml" Version="10.0.5" />
+  </ItemGroup>
+
   <ItemGroup>
     <Compile Remove="extensionas\**" />
     <Compile Remove="input\**" />
