NuGet Product Used
dotnet.exe
Product Version
10.0.201
Worked before?
Unknown
Impact
I'm unable to use this version
Repro Steps & Context
Trying to build the 10.0.2xx branch of the VMR:
https://dev.azure.com/dnceng/internal/_build/results?buildId=2953507&view=results
It's flagging a bunch of NuGet audit warnings. See dotnet/source-build#5544 as an example.
From what I can tell from investigating the source, there are a bunch of package references that are never meant to flag NuGet audit:
https://dev.azure.com/dnceng/internal/_git/dotnet-dotnet?path=/eng/tools/tasks/Microsoft.DotNet.UnifiedBuild.MSBuildSdkResolver/Microsoft.DotNet.UnifiedBuild.MSBuildSdkResolver.csproj
<!-- IncludeAssets=compile to treat these packages as targeting-packs only. The assemblies are available in the SDK. -->
<PackageReference Include="Microsoft.Build.Tasks.Core" IncludeAssets="compile" NoWarn="NU1901;NU1902;NU1903;NU1904" />
From the comment, the intent is that Microsoft.Build and ALL transitive dependencies should ignore NuGet audit. However, this doesn't appear to work, and now we have to disable audit for the entire assembly rather than just those specific package references.
Verbose Logs
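The report above contrasts suppressing NU1901 to NU1904 on one PackageReference with disabling audit for the whole project. The following is an added example, not part of the original report or of the NuGet or dotnet code: a static scan of a project file that shows which of the two scopes is in effect. The sample project is constructed; the `NuGetAudit` property group in it and the `Example.Package` reference are assumed stand-ins for the project-wide workaround.

```python
import xml.etree.ElementTree as ET

AUDIT_CODES = {"NU1901", "NU1902", "NU1903", "NU1904"}

# Constructed sample: the first PackageReference is the one quoted in the report;
# the PropertyGroup and Example.Package are hypothetical.
SAMPLE = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <NuGetAudit>false</NuGetAudit>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.Build.Tasks.Core" IncludeAssets="compile" NoWarn="NU1901;NU1902;NU1903;NU1904" />
    <PackageReference Include="Example.Package" />
  </ItemGroup>
</Project>"""

def _local(tag):
    # Drop an XML namespace prefix such as "{http://...}PackageReference".
    return tag.rsplit("}", 1)[-1]

def _codes(value):
    # Split "NU1901;NU1902" (or "$(NoWarn);NU1901") into upper-cased codes.
    return {c.strip().upper() for c in (value or "").split(";") if c.strip()}

def audit_suppressions(csproj_text):
    """Report where audit warnings are silenced in one project file.

    Static scan only: MSBuild conditions and imported props files
    are not evaluated.
    """
    report = {"audit_disabled": False, "project_nowarn": set(), "per_reference": {}}
    for group in ET.fromstring(csproj_text):
        kind = _local(group.tag)
        for el in group:
            name = _local(el.tag)
            if kind == "PropertyGroup" and name == "NuGetAudit":
                if (el.text or "").strip().lower() == "false":
                    report["audit_disabled"] = True
            elif kind == "PropertyGroup" and name == "NoWarn":
                report["project_nowarn"] |= _codes(el.text) & AUDIT_CODES
            elif kind == "ItemGroup" and name == "PackageReference":
                nowarn = el.get("NoWarn")
                if nowarn is None:  # metadata may be a child element instead
                    child = next((c for c in el if _local(c.tag) == "NoWarn"), None)
                    nowarn = child.text if child is not None else None
                hit = _codes(nowarn) & AUDIT_CODES
                if hit:
                    report["per_reference"][el.get("Include")] = hit
    return report
```

A project that reports `audit_disabled` or a non-empty `project_nowarn` has lost audit coverage for every package it references, not only the ones listed under `per_reference`.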