From 53b801123ba7c45f281c4f045389e18b3182fe02 Mon Sep 17 00:00:00 2001
From: Andreas Gullberg Larsen <andreas.larsen84@gmail.com>
Date: Sat, 2 May 2026 19:40:38 +0200
Subject: [PATCH] Stop failing the build on low/moderate NuGet audit advisories

PR #1657's CI failed at restore time with:

  error NU1901: Warning As Error: Package 'NuGet.Packaging' 7.0.1 has
    a known low severity vulnerability
  error NU1901: Warning As Error: Package 'NuGet.Protocol' 7.0.1 has
    a known low severity vulnerability

These are pulled in transitively by build tooling (CodeGen) and
cannot be upgraded without breaking other constraints.

Two changes:
- Add NU1901 (low) and NU1902 (moderate) to WarningsNotAsErrors in
  Directory.Build.props so they remain visible as warnings but no
  longer fail the build via TreatWarningsAsErrors. High (NU1903) and
  critical (NU1904) advisories still fail the build.
- CodeGen.csproj had its own WarningsNotAsErrors that overrode (not
  appended to) the one in Directory.Build.props. Prefix it with
  $(WarningsNotAsErrors); so the project inherits the NU codes (and
  the obsolete codes) while keeping its nullability suppressions.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 CodeGen/CodeGen.csproj | 14 ++++++++++++--
 Directory.Build.props  | 10 ++++++++--
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/CodeGen/CodeGen.csproj b/CodeGen/CodeGen.csproj
index 815ce3974a..da0c0ddb03 100644
--- a/CodeGen/CodeGen.csproj
+++ b/CodeGen/CodeGen.csproj
@@ -5,8 +5,18 @@
     <TargetFramework>net10.0</TargetFramework>
     <LangVersion>latest</LangVersion>
     <Nullable>enable</Nullable>
-    <!-- Allow compile with various nullability warnings until fixed. -->
-    <WarningsNotAsErrors>8600,8601,8603,8604,8618,8619,8625</WarningsNotAsErrors>
+    <!--
+      Inherits Directory.Build.props codes and adds nullability warnings the codegen sources
+      have not been annotated for. All stay visible as warnings.
+      CS8600  - null literal to non-nullable
+      CS8601  - possible null reference assignment
+      CS8603  - possible null reference return
+      CS8604  - possible null reference argument
+      CS8618  - non-nullable field uninitialized in ctor
+      CS8619  - nullability mismatch
+      CS8625  - null literal to non-nullable reference
+    -->
+    <WarningsNotAsErrors>$(WarningsNotAsErrors);8600;8601;8603;8604;8618;8619;8625</WarningsNotAsErrors>
   </PropertyGroup>
 
   <ItemGroup>
diff --git a/Directory.Build.props b/Directory.Build.props
index 2fa148beba..d8f549a773 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -17,8 +17,14 @@
   <PropertyGroup>
     <!-- Warning instead of compile error on obsolete errors.-->
     <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
-    <!-- 612: obsolete, 618: obsolete with message -->
-    <WarningsNotAsErrors>612,618</WarningsNotAsErrors>
+    <!--
+      Warnings stay visible but do not fail the build. NU1903 (high) and NU1904 (critical) still fail.
+      CS0612  - obsolete member
+      CS0618  - obsolete member with message
+      NU1901  - NuGet audit: low severity vulnerability
+      NU1902  - NuGet audit: moderate severity vulnerability
+    -->
+    <WarningsNotAsErrors>612;618;NU1901;NU1902</WarningsNotAsErrors>
   </PropertyGroup>
 
   <!-- Build symbol package (.snupkg) to distribute the PDB file for debugging, in addition to Source Link per recommendation: https://learn.microsoft.com/en-us/dotnet/standard/library-guidance/sourcelink -->