Skip to content

Investigate audit warnings #829

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 14 commits into from
Closed

Investigate audit warnings #829

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
80e4a6e
Update System.Text.Json to get a non-vulnerable version of System.Tex…
bash Jan 29, 2025
19d4709
Explicitly reference Nuget.Packaging to get a non-vulnerable version …
bash Jan 29, 2025
6a9be60
Update Microsoft.CodeAnalysis to get non-vulernable versions of Syste…
bash Jan 29, 2025
ad8136f
Re-arrange packages
bash Jan 29, 2025
19ec5d9
Explicitly reference xunit.extensibility.execution to get non-vulerna…
bash Jan 29, 2025
f35a875
Update Microsoft.NET.Test.Sdk to get non-vulnerable versions of Newto…
bash Jan 29, 2025
053f133
Re-enable full audit mode
bash Jan 29, 2025
a956b48
Restore separately
bash Jan 29, 2025
ebf785f
Merge branch 'main' into audit-warnings
FreeApophis Jan 30, 2025
ce48c3f
Show config paths
bash Jan 30, 2025
9a79ed4
Show default config
bash Jan 30, 2025
e605acd
Predictable audit sources
bash Jan 30, 2025
9cde0bd
List vulnerable packages
bash Jan 30, 2025
39412d3
Restore first
bash Jan 30, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 5 additions & 3 deletions .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,6 @@ on:

env:
DOTNET_NOLOGO: 1
# This is for some reason set to 'all' on CI which means
# we get warnings for transitive dependencies (e.g. from Messerli.CodeStyle -> StyleCop)
NuGetAuditMode: direct

jobs:
build:
Expand Down Expand Up @@ -53,6 +50,11 @@ jobs:
- uses: actions/checkout@v4
- uses: actions/setup-dotnet@v4
name: Install Current .NET SDK
- run: dotnet nuget config paths
- run: cat /home/runner/.nuget/NuGet/NuGet.Config
- name: Restore dependencies
run: dotnet restore -r linux-x64
- run: dotnet list Funcky.TrimmingTest package --vulnerable
- name: Run trimming test
run: dotnet publish -c Release Funcky.TrimmingTest -r linux-x64 --self-contained /p:TreatWarningsAsErrors=true
- name: Run AOT test
Expand Down
16 changes: 10 additions & 6 deletions Directory.Packages.props
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
<ItemGroup Label="Runtime Dependencies">
<PackageVersion Include="Microsoft.Bcl.HashCode" Version="1.1.1" />
<PackageVersion Include="System.Collections.Immutable" Version="1.7.1" />
<PackageVersion Include="System.Text.Json" Version="5.0.0" />
<PackageVersion Include="System.Text.Json" Version="5.0.2" />
<PackageVersion Include="xunit.assert" Version="[2.9.3, 2.10)" />
<PackageVersion Include="xunit.extensibility.core" Version="[2.9.3, 2.10)" />
<PackageVersion Include="xunit.v3.assert" Version="[1.0.1, 2)" />
Expand All @@ -19,22 +19,26 @@
<PackageVersion Include="Microsoft.CodeAnalysis.PublicApiAnalyzers" Version="3.3.3" />
</ItemGroup>
<ItemGroup Label="Test Dependencies">
<PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.2.0" />
<PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
<PackageVersion Include="xunit" Version="2.9.3" />
<PackageVersion Include="xunit.runner.visualstudio" Version="3.0.1" />
<PackageVersion Include="xunit.v3" Version="1.0.1" />
<PackageVersion Include="FsCheck.Xunit" Version="3.0.1" />
<PackageVersion Include="coverlet.collector" Version="3.1.2" />
<PackageVersion Include="Verify.XUnit" Version="16.8.1" />
<PackageVersion Include="Verify.SourceGenerators" Version="1.4.0" />
<PackageVersion Include="Microsoft.CodeAnalysis" Version="4.12.0" />
<PackageVersion Include="Microsoft.CodeAnalysis.CSharp.Analyzer.Testing" Version="1.1.2" />
<PackageVersion Include="Microsoft.CodeAnalysis.CSharp.CodeFix.Testing" Version="1.1.2" />
<PackageVersion Include="Microsoft.CodeAnalysis.CSharp.CodeRefactoring.Testing" Version="1.1.2" />
</ItemGroup>
<ItemGroup Label="Transient Test Dependencies">
<PackageVersion Include="Nuget.Packaging" Version="6.12.1" />
<PackageVersion Include="xunit.extensibility.execution" Version="2.9.3" />
</ItemGroup>
<ItemGroup Label="Analyzer">
<PackageVersion Include="Microsoft.CodeAnalysis" Version="4.0.1" />
<PackageVersion Include="Microsoft.CodeAnalysis.CSharp" Version="4.0.1" />
<PackageVersion Include="Microsoft.CodeAnalysis.Analyzers" Version="3.11.0" /><!-- We explicitly reference these analyzers to get the latest version even though we might not use the latest version of Microsoft.CodeAnalysis everywhere. -->
<PackageVersion Include="Microsoft.CodeAnalysis.CSharp.Analyzer.Testing" Version="1.1.2" />
<PackageVersion Include="Microsoft.CodeAnalysis.CSharp.CodeFix.Testing" Version="1.1.2" />
<PackageVersion Include="Microsoft.CodeAnalysis.CSharp.CodeRefactoring.Testing" Version="1.1.2" />
<PackageVersion Include="Microsoft.CodeAnalysis.CSharp.Workspaces" Version="4.0.1" />
<PackageVersion Include="Microsoft.VSSDK.BuildTools" Version="17.0.1597"/>
</ItemGroup>
Expand Down
2 changes: 2 additions & 0 deletions Funcky.Analyzers/Funcky.Analyzers.Test/Funcky.Analyzers.Test.csproj
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,8 @@
<PackageReference Include="Microsoft.CodeAnalysis.CSharp.Analyzer.Testing" />
<PackageReference Include="Microsoft.CodeAnalysis.CSharp.CodeFix.Testing" />
<PackageReference Include="Microsoft.CodeAnalysis.CSharp.CodeRefactoring.Testing" />
<!-- Microsoft.CodeAnalysis.CSharp.Analyzer.Testing depends on an old version of Nuget.Packaging which pulls in vulnerable packages -->
<PackageReference Include="Nuget.Packaging" />
</ItemGroup>

<ItemGroup>
Expand Down
1 change: 1 addition & 0 deletions Funcky.FsCheck/Funcky.FsCheck.fsproj
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
</ItemGroup>
<ItemGroup>
<PackageReference Include="FsCheck.Xunit" />
<PackageReference Include="xunit.extensibility.execution" />
</ItemGroup>
<ItemGroup>
<Compile Include="FunckyGenerators.fs" />
Expand Down
4 changes: 4 additions & 0 deletions NuGet.config
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,10 @@

<add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
</packageSources>
<auditSources>
<clear />
<add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
</auditSources>
<packageSourceMapping>
<packageSource key="nuget.org">
<package pattern="*" />
Expand Down
Loading