Change audit source to data.nuget.org and fix vulnerable package warning (#7300)

zivkan · web-flow · commit 07e47f1ebb4c · 2026-04-22T10:52:24.000+09:30
diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -96,6 +96,8 @@
     <PackageVersion Include="System.Memory" Version="$(SystemMemoryPackageVersion)" />
     <PackageVersion Include="System.Security.Cryptography.Pkcs" Version="$(SystemSecurityCryptographyPkcsVersion)" />
     <PackageVersion Include="System.Security.Cryptography.ProtectedData" Version="$(SystemSecurityCryptographyProtectedDataVersion)" />
+    <!-- S.S.C.Xml is a dependency of MSBuild. Once MSBuild no longer has a transitive dependency on a vulnerable version, this can be removed -->
+    <PackageVersion Include="System.Security.Cryptography.Xml" Version="8.0.3" />
     <PackageVersion Include="System.Text.Json" Version="$(SystemTextJsonVersion)" />
     <!--
       The Microsoft.VisualStudio.SDK metapackage brings in System.Threading.Tasks.Dataflow 4.11.1 (assembly version 4.9.5.0).
diff --git a/NuGet.Config b/NuGet.Config
@@ -11,7 +11,7 @@
   </packageSources>
   <auditSources>
     <clear />
-    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
+    <add key="nuget.org" value="https://data.nuget.org/v3/index.json" />
   </auditSources>
   <packageSourceMapping>
     <clear />
diff --git a/build/common.project.props b/build/common.project.props
@@ -52,6 +52,8 @@
     <SuppressTfmSupportBuildWarnings>true</SuppressTfmSupportBuildWarnings>
     <DisableImplicitNuGetFallbackFolder>true</DisableImplicitNuGetFallbackFolder>
     <Nullable>enable</Nullable>
+    <!-- NuGetAuditMode only defaults to all when targeting net10.0 or higher, which many projects do not -->
+    <NuGetAuditMode>all</NuGetAuditMode>
   </PropertyGroup>
 
   <!-- Defaults -->
diff --git a/eng/pipelines/official.yml b/eng/pipelines/official.yml
@@ -30,6 +30,8 @@ variables:
 extends:
   template: azure-pipelines/MicroBuild.1ES.Official.yml@MicroBuildTemplate
   parameters:
+    settings:
+      networkIsolationPolicy: Permissive,CFSClean
     sdl:
       sourceAnalysisPool: VSEng-MicroBuildVSStable
       binskim:
diff --git a/eng/pipelines/pull_request.yml b/eng/pipelines/pull_request.yml
@@ -27,6 +27,8 @@ variables:
 extends:
   template: azure-pipelines/MicroBuild.1ES.Unofficial.yml@MicroBuildTemplate
   parameters:
+    settings:
+      networkIsolationPolicy: Permissive,CFSClean
     sdl:
       sourceAnalysisPool: VSEng-MicroBuildVSStable
       binskim:
diff --git a/src/NuGet.Core/NuGet.Build.Tasks.Pack/NuGet.Build.Tasks.Pack.csproj b/src/NuGet.Core/NuGet.Build.Tasks.Pack/NuGet.Build.Tasks.Pack.csproj
@@ -37,6 +37,8 @@
     <PackageReference Include="Microsoft.Build.Framework" ExcludeAssets="runtime" GeneratePathProperty="true" />
     <PackageReference Include="Microsoft.Build.Tasks.Core" ExcludeAssets="runtime" GeneratePathProperty="true" />
     <PackageReference Include="Microsoft.Build.Utilities.Core" ExcludeAssets="runtime" GeneratePathProperty="true" />
+    <!-- MSBuild has a dependency on a vulnerable version of System.Security.Cryptography.Xml. Once MSBuild no longer has a transitive dependency on a vulnerable version, this can be removed -->
+    <PackageReference Include="System.Security.Cryptography.Xml" />
   </ItemGroup>
 
   <ItemGroup>
