Update NuGet audit config and package versions #3720

Open
Thieum wants to merge 2 commits into dotnet:main from Thieum:add-nuget-auditing-and-fixes

Thieum commented Apr 16, 2026

  • The code builds and tests pass (verified by our automated build checks)

  • Commit messages follow this format
    Summary of the changes
    - Detail 1
    - Detail 2

      Fixes #bugnumber
    
  • [ N/A ] Tests for the changes have been added (for bug fixes / features)

  • [ N/A ] Code meets the expectations our engineering guidelines.
    https://github.com/dotnet/aspnetcore/wiki/Engineering-guidelines

Adding NuGet Auditing from Nuget.org (without adding it as a source for nugets, just audit), and fixing the recent alerts for NuGet and Cryptography packages.

Copilot AI review requested due to automatic review settings April 16, 2026 14:10

Copilot AI left a comment

Pull request overview

Enables NuGet package auditing (including auditing against nuget.org without using it as a restore source) and updates a few package version pins to address recent vulnerability/governance alerts.

Changes:

  • Enable NuGet auditing via MSBuild properties and configure nuget.org as an audit source.
  • Bump NuGet-related package versions (Protocol/Packaging/ProjectModel).
  • Add a central version pin for System.Security.Cryptography.Xml.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| Directory.Build.props | Enables NuGet auditing (mode/level) for restores. |
| NuGet.config | Adds auditSources entry for nuget.org. |
| eng/Versions.props | Updates NuGet package versions and introduces SystemSecurityCryptographyXmlVersion. |
| Directory.Packages.props | Adds central package version entry for System.Security.Cryptography.Xml. |
| src/dotnet-scaffolding/Directory.Packages.props | Mirrors the System.Security.Cryptography.Xml version pin for scaffolding projects. |

Comment thread NuGet.config
Comment thread Directory.Packages.props Outdated
Comment thread src/dotnet-scaffolding/Directory.Packages.props
Comment thread eng/Versions.props Outdated
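
A check for the arrangement the overview above describes, nuget.org listed under auditSources but not under packageSources, with auditing enabled through MSBuild properties. This is an added example, not code from this pull request. The internal feed name and URL and the audit mode and level values are constructed placeholders, since the PR's actual values are not shown on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample NuGet.config. The internal feed name and URL are
# placeholders; nuget.org is listed for auditing only.
NUGET_CONFIG = """<configuration>
  <packageSources>
    <clear />
    <add key="internal-feed" value="https://feed.example.invalid/v3/index.json" />
  </packageSources>
  <auditSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </auditSources>
</configuration>"""

# Constructed sample Directory.Build.props. The mode and level values are
# assumed; the PR's actual values are not shown on the page.
BUILD_PROPS = """<Project>
  <PropertyGroup>
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>low</NuGetAuditLevel>
  </PropertyGroup>
</Project>"""


def sources(config_xml, section):
    """Map key -> normalized URL for the <add> entries of one config section."""
    node = ET.fromstring(config_xml).find(section)
    if node is None:
        return {}
    return {a.get("key"): (a.get("value") or "").rstrip("/").lower()
            for a in node.findall("add")}


def audit_only_sources(config_xml):
    """Keys of audit sources whose URL is not also a restore source."""
    restore_urls = set(sources(config_xml, "packageSources").values())
    audit = sources(config_xml, "auditSources")
    return sorted(k for k, url in audit.items() if url not in restore_urls)


def audit_settings(props_xml):
    """Read the three NuGet audit MSBuild properties from a props file."""
    root = ET.fromstring(props_xml)
    names = ("NuGetAudit", "NuGetAuditMode", "NuGetAuditLevel")
    return {n: (root.findtext("PropertyGroup/" + n) or "").strip() for n in names}
```

An empty result from `audit_only_sources` for a config that declares auditSources means every audit source is also a restore source, which is the case the PR description says it avoids.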

haileymck left a comment

Nice change!


Thieum commented Apr 17, 2026

fixes #3724 (if translated in the release branches?)
