Stop failing the build on low/moderate NuGet audit advisories #1660

Merged
angularsen merged 1 commit into master from claude/dont-fail-on-low-vulnerability-warnings
May 2, 2026

Conversation

@angularsen (Owner) commented May 2, 2026

Summary

Stops the build from failing on low/moderate NuGet audit advisories while keeping them visible as warnings.

Why

PR #1657's CI failed at restore time with:

error NU1901: Warning As Error: Package 'NuGet.Packaging' 7.0.1 has a known low severity vulnerability
error NU1901: Warning As Error: Package 'NuGet.Protocol' 7.0.1 has a known low severity vulnerability

These are pulled in transitively by build tooling (CodeGen) and cannot be upgraded without breaking other constraints.

Changes

  • Add NU1901 (low) and NU1902 (moderate) to <WarningsNotAsErrors> in Directory.Build.props. They remain visible as warnings but no longer fail the build via TreatWarningsAsErrors. NU1903 (high) and NU1904 (critical) still fail the build.
  • CodeGen.csproj had its own <WarningsNotAsErrors> that overrode (not appended to) the one in Directory.Build.props. Prefix it with $(WarningsNotAsErrors); so the project inherits the NU codes (and the obsolete codes) while keeping its nullability suppressions.

🤖 Generated with Claude Code
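
The override-versus-append behaviour the PR fixes is easy to get wrong because MSBuild gives no warning when a project-level property silently replaces the one from Directory.Build.props. The following is an added example, written for this page and not code from the UnitsNet repository or from this PR: it models the two pieces of MSBuild behaviour the change relies on (properties are assigned in evaluation order, and a later assignment replaces the earlier value unless it references itself via $(WarningsNotAsErrors); TreatWarningsAsErrors promotes every warning except those listed in WarningsNotAsErrors) and reports which NuGet audit severities would still fail the build for a project file with and without the $(WarningsNotAsErrors); prefix. The Directory.Build.props and CodeGen.csproj contents are constructed stand-ins: the codes 612, 618, NU1901, NU1902 and 8600 come from the PR description, while 8601 and 8602 are placeholders for the elided nullability codes, and the function names (evaluate_properties, outcome, audit_policy) are this example's own.

```python
"""Effective warning policy for NuGet audit codes across Directory.Build.props
and a project file.

Added example, not code from the UnitsNet repository or from PR #1660.
It implements only the subset of MSBuild evaluation needed here:
unconditional <PropertyGroup> elements, $(Name) expansion in document order,
and ';' or ',' as list separators.  Conditions, Directory.Build.targets and
imports are deliberately not modelled.
"""
import re
import xml.etree.ElementTree as ET

# Severity -> NuGet audit warning code (the documented NuGet mapping).
AUDIT_CODES = {"low": "NU1901", "moderate": "NU1902",
               "high": "NU1903", "critical": "NU1904"}

# Constructed stand-in for Directory.Build.props after the PR.
DIRECTORY_BUILD_PROPS = """<Project>
  <PropertyGroup>
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
    <!-- 612/618: obsolete members. NU1901/NU1902: low/moderate advisories
         stay visible as warnings; NU1903/NU1904 still fail the build. -->
    <WarningsNotAsErrors>612;618;NU1901;NU1902</WarningsNotAsErrors>
  </PropertyGroup>
</Project>"""

# Before the fix: the project-level value REPLACES the inherited list.
# 8601/8602 are placeholders for the nullability codes elided in the PR.
CODEGEN_CSPROJ_BEFORE = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <WarningsNotAsErrors>8600,8601,8602</WarningsNotAsErrors>
  </PropertyGroup>
</Project>"""

# After the fix: $(WarningsNotAsErrors) carries the inherited codes forward.
CODEGEN_CSPROJ_AFTER = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <WarningsNotAsErrors>$(WarningsNotAsErrors);8600;8601;8602</WarningsNotAsErrors>
  </PropertyGroup>
</Project>"""

_PROP_REF = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)")


def evaluate_properties(*files: str) -> dict[str, str]:
    """Evaluate <PropertyGroup> children in document order across the given
    files (props first, then the project, mirroring the SDK import order).
    A $(Name) that is not yet defined expands to '' as it does in MSBuild."""
    props: dict[str, str] = {}
    for xml_text in files:
        root = ET.fromstring(xml_text)  # XML comments are dropped by default
        for group in root.iter("PropertyGroup"):
            for prop in group:
                raw = prop.text or ""
                props[prop.tag] = _PROP_REF.sub(
                    lambda m: props.get(m.group(1), ""), raw).strip()
    return props


def _split_list(value: str) -> set[str]:
    """Split an MSBuild list; ';' is canonical but ',' is also accepted."""
    return {item.strip() for item in re.split(r"[;,]", value) if item.strip()}


def outcome(code: str, props: dict[str, str]) -> str:
    """Classify one warning code under the evaluated properties:
    'suppressed' (listed in NoWarn), 'error' (promoted by
    TreatWarningsAsErrors), or 'warning' (still reported, build continues)."""
    if code in _split_list(props.get("NoWarn", "")):
        return "suppressed"
    promote = props.get("TreatWarningsAsErrors", "").lower() == "true"
    if promote and code not in _split_list(props.get("WarningsNotAsErrors", "")):
        return "error"
    return "warning"


def audit_policy(project_xml: str) -> dict[str, str]:
    """Map each audit severity to its build outcome for the given project,
    evaluated on top of the constructed Directory.Build.props."""
    props = evaluate_properties(DIRECTORY_BUILD_PROPS, project_xml)
    return {sev: outcome(code, props) for sev, code in AUDIT_CODES.items()}


if __name__ == "__main__":
    for label, xml_text in (("before", CODEGEN_CSPROJ_BEFORE),
                            ("after", CODEGEN_CSPROJ_AFTER)):
        print(label, audit_policy(xml_text))
```

The "before" project reports every severity as an error, which is the NU1901 failure the PR hit; the "after" project keeps low and moderate as warnings while high and critical still fail. Two practitioner caveats: the model ignores conditions and Directory.Build.targets, which evaluate after the project file and could override the list again, so verify the real value with `dotnet msbuild -getProperty:WarningsNotAsErrors <project>`; and WarningsNotAsErrors is the only one of the three knobs that keeps the advisory visible, since NoWarn hides the code and raising NuGetAuditLevel stops NuGet from reporting lower severities at all.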

@angularsen force-pushed the claude/dont-fail-on-low-vulnerability-warnings branch from 407cd42 to c03aac5 on May 2, 2026 at 17:46
@angularsen force-pushed the claude/dont-fail-on-low-vulnerability-warnings branch from c03aac5 to 9cad8ff on May 2, 2026 at 18:00
@claude (Bot) commented May 2, 2026

Code Review

Overview: This PR fixes a CI breakage where transitive NuGet dependency vulnerabilities (from NuGet.Packaging and NuGet.Protocol pulled in by CodeGen tooling) were failing the build under TreatWarningsAsErrors. It suppresses low (NU1901) and moderate (NU1902) audit advisories while keeping high (NU1903) and critical (NU1904) as build errors.


Correctness

  • The root cause fix in CodeGen.csproj is correct: the old <WarningsNotAsErrors>8600,...</WarningsNotAsErrors> replaced the property set by Directory.Build.props, meaning CodeGen never inherited the 612;618 obsolete suppressions. Prefixing with $(WarningsNotAsErrors); properly appends instead.
  • Delimiter switch from comma to semicolon (612,618 to 612;618) is correct — semicolon is the standard MSBuild list delimiter.
  • Keeping NU1903/NU1904 as errors is the right security trade-off.

Minor Observations

  • The comment in CodeGen.csproj hardcodes the list of inherited codes: "Inherits Directory.Build.props codes (CS0612, CS0618, NU1901, NU1902)". If those base-level codes ever change, this comment will silently drift. Consider wording it as "inherits whatever Directory.Build.props defines" to avoid a future stale-comment trap.
  • Silencing NU1902 (moderate) for transitive dependencies is pragmatic, but it is worth noting which specific packages triggered this and whether they have a fix timeline. Right now it is implicit that this is a permanent exception.

No concerns

  • No breaking changes.
  • No new quantities or units.
  • No generated code changes.
  • No test coverage needed for build configuration.
  • No security issues at medium-or-higher severity introduced by this PR (suppressing moderate audit advisories for transitive tooling dependencies is acceptable given NU1903/NU1904 remain enforced).

Overall this is a clean, well-scoped fix with good inline documentation. The expanded comments explaining each warning code are a net improvement over the previous one-liners.

PR #1657's CI failed at restore time with:

  error NU1901: Warning As Error: Package 'NuGet.Packaging' 7.0.1 has
    a known low severity vulnerability
  error NU1901: Warning As Error: Package 'NuGet.Protocol' 7.0.1 has
    a known low severity vulnerability

These are pulled in transitively by build tooling (CodeGen) and
cannot be upgraded without breaking other constraints.

Two changes:
- Add NU1901 (low) and NU1902 (moderate) to WarningsNotAsErrors in
  Directory.Build.props so they remain visible as warnings but no
  longer fail the build via TreatWarningsAsErrors. High (NU1903) and
  critical (NU1904) advisories still fail the build.
- CodeGen.csproj had its own WarningsNotAsErrors that overrode (not
  appended to) the one in Directory.Build.props. Prefix it with
  $(WarningsNotAsErrors); so the project inherits the NU codes (and
  the obsolete codes) while keeping its nullability suppressions.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@angularsen force-pushed the claude/dont-fail-on-low-vulnerability-warnings branch from 9cad8ff to 53b8011 on May 2, 2026 at 18:09
@angularsen angularsen merged commit 3283072 into master May 2, 2026
2 of 3 checks passed
@angularsen angularsen deleted the claude/dont-fail-on-low-vulnerability-warnings branch May 2, 2026 18:12
angularsen added a commit that referenced this pull request May 2, 2026
- Microsoft.NET.Test.Sdk 18.0.1 -> 18.5.1
- NuGet.Protocol 7.0.1 -> 7.3.1 (clears the low-severity advisories
  flagged in #1660)
- Serilog 4.3.0 -> 4.3.1

System.CommandLine.DragonFruit is left at the existing alpha; no newer
version is published to the configured sources.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
angularsen added a commit that referenced this pull request May 2, 2026
## Summary

Bumps centrally-managed NuGet package versions in
[Directory.Packages.props](Directory.Packages.props) to the latest
stable release.

| Package | From | To |
|---------|------|----|
| Microsoft.NET.Test.Sdk | 18.0.1 | 18.5.1 |
| NuGet.Protocol | 7.0.1 | 7.3.1 |
| Serilog | 4.3.0 | 4.3.1 |

`NuGet.Protocol` 7.3.1 clears the low-severity NU1901 advisories that
triggered the original CI failure on #1657. As a result this PR makes
#1660 unnecessary as a build-unblocker, though the comment-and-policy
clean-up there still has independent value.

`System.CommandLine.DragonFruit` is left at the existing
`0.4.0-alpha.22272.1`; no newer stable version is published to the
configured sources.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@codecov (Bot) commented May 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 96%. Comparing base (2a60bf9) to head (53b8011).
⚠️ Report is 3 commits behind head on master.

Additional details and impacted files
@@          Coverage Diff           @@
##           master   #1660   +/-   ##
======================================
  Coverage      96%     96%           
======================================
  Files         450     450           
  Lines       29151   29150    -1     
======================================
  Hits        28109   28109           
+ Misses       1042    1041    -1     

