c4625ba28a
GHSA-37gx-xxp4-5rgx and GHSA-w3x6-4m5h-cxqf (XML signature vulns) affect 8.0.2 transitively. No patched version exists in the NuGet feed yet — 9.0.0 is also flagged. Tracked in Directory.Build.props for re-check when a fix ships.

System.Net.Http 4.1.0 and System.Security.Cryptography.X509Certificates 4.1.0 are false positives: same NCalc2 -> Antlr4 -> NETStandard.Library 1.6.0 chain already documented; .NET 8 BCL provides the runtime versions.

Microsoft.Build / NuGet.* are build-tooling-only, not deployed to production.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
20 lines
957 B
XML
<Project>
  <PropertyGroup>
    <!--
      NCalc2 2.1.0 -> Antlr4 4.6.4 -> Antlr4.Runtime -> NETStandard.Library 1.6.0 pulls in
      old package versions that trigger NU1605 downgrade warnings when publishing for linux-x64.
      These are harmless false positives — .NET 8 supplies all of these natively at runtime.
      Suppressing NU1605 here is cleaner than pinning every affected transitive package individually.
    -->
    <NoWarn>$(NoWarn);NU1605</NoWarn>
  </PropertyGroup>

  <!--
    TRACKED: System.Security.Cryptography.Xml 8.0.2 has two High advisories (GHSA-37gx-xxp4-5rgx,
    GHSA-w3x6-4m5h-cxqf — XML signature vulnerabilities). No patched version exists in the NuGet
    feed as of 2026-06-14; 9.0.0 (the only higher version) is also flagged. Re-check when a
    patched 8.x or 9.x build ships and pin here. Pulled in transitively by one of: Fido2, EPPlus,
    Azure SDK, or VisualStudio.Web.CodeGeneration.Design.
  -->
</Project>
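The TRACKED comment above only documents the accepted advisories; nothing in the file enforces the re-check. The following is an added example, not part of this repository: a CI-style triage script that separates the two tracked advisory IDs from any new finding and reports when a tracked ID stops appearing. The JSON shape is assumed to match `dotnet list package --vulnerable --include-transitive --format json`; the `Example.Untracked` package and the `GHSA-0000-0000-0000` ID are constructed placeholders.

```python
import json
import sys

# Advisory IDs the TRACKED comment in Directory.Build.props accepts for now.
TRACKED = {"GHSA-37gx-xxp4-5rgx", "GHSA-w3x6-4m5h-cxqf"}

def _vuln(ghsa, severity="High"):
    return {"severity": severity, "advisoryurl": f"https://github.com/advisories/{ghsa}"}

# Constructed sample. Its shape is assumed to match the output of
# `dotnet list package --vulnerable --include-transitive --format json`.
SAMPLE = json.dumps({"projects": [{"path": "App.csproj", "frameworks": [{
    "framework": "net8.0",
    "transitivePackages": [
        {"id": "System.Security.Cryptography.Xml", "resolvedVersion": "8.0.2",
         "vulnerabilities": [_vuln(g) for g in sorted(TRACKED)]},
        # Hypothetical package and placeholder advisory ID, not from the page.
        {"id": "Example.Untracked", "resolvedVersion": "1.0.0",
         "vulnerabilities": [_vuln("GHSA-0000-0000-0000")]},
    ]}]}]})

def triage(report_json, tracked=frozenset(TRACKED)):
    """Split findings into tracked and untracked; list tracked IDs no longer reported."""
    wanted = {t.upper() for t in tracked}
    hits, untracked, seen = [], [], set()
    for project in json.loads(report_json).get("projects", []):
        for fw in project.get("frameworks", []):
            for kind in ("topLevelPackages", "transitivePackages"):
                for pkg in fw.get(kind, []):
                    for v in pkg.get("vulnerabilities", []):
                        ghsa = v.get("advisoryurl", "").rstrip("/").rsplit("/", 1)[-1]
                        row = (pkg["id"], pkg["resolvedVersion"], v.get("severity"), ghsa)
                        if ghsa.upper() in wanted:
                            hits.append(row)
                            seen.add(ghsa.upper())
                        else:
                            untracked.append(row)
    return hits, untracked, sorted(wanted - seen)

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    hits, untracked, stale = triage(data)
    for row in untracked:
        print("UNTRACKED:", *row)
    for ghsa in stale:
        print("STALE (fix may have shipped, revisit the TRACKED comment):", ghsa)
    sys.exit(1 if untracked or stale else 0)
```

A non-zero exit on a stale ID is what turns the "re-check when a fix ships" note into an enforced step: once the resolved version is no longer flagged, the build fails until the comment is replaced by a pin.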