Skip to content

[main] Source code updates from dotnet/dotnet#20043

Open
dotnet-maestro[bot] wants to merge 6 commits into
mainfrom
darc-main-f43ffe24-2381-450f-8041-76de13fc1ab3
Open

[main] Source code updates from dotnet/dotnet#20043
dotnet-maestro[bot] wants to merge 6 commits into
mainfrom
darc-main-f43ffe24-2381-450f-8041-76de13fc1ab3

Conversation

@dotnet-maestro

@dotnet-maestro dotnet-maestro Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Note

This is a codeflow update. It may contain both source code changes from
the VMR
as well as dependency updates. Learn more here.

This pull request brings the following source code changes

From https://github.com/dotnet/dotnet

Associated changes in source repos

Diff the source with this PR branch
darc vmr diff --name-only https://github.com/dotnet/dotnet:ca60c43d982bb8e171b66ef8a38a777e004768ba..https://github.com/dotnet/fsharp:darc-main-f43ffe24-2381-450f-8041-76de13fc1ab3

@dotnet-maestro

dotnet-maestro Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

✅ No release notes required

@github-actions github-actions Bot added the AI-Tooling-Check-Bypassed Tooling check: non-fork PR, not diff-analyzed label Jul 8, 2026
T-Gro and others added 4 commits July 8, 2026 14:35
The backflowed NuGet.config now defines an <auditSources> entry, which
enables NuGet vulnerability auditing. This surfaced NU1903 (treated as an
error via TreatWarningsAsErrors) for the vulnerable transitive packages
System.Net.Http 4.3.0 and System.Text.RegularExpressions 4.3.0, which are
pulled in only by the test dependency graph and are runtime-provided on
modern target frameworks.

Suppress just these two advisories for test projects via NuGetAuditSuppress,
keeping auditing active everywhere else.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The per-advisory NuGetAuditSuppress approach was brittle: after suppressing
System.Net.Http/System.Text.RegularExpressions, auditing surfaced a fresh
batch of advisories on MessagePack 2.5.198 in FSharp.Compiler.LanguageServer.Tests.

Since the backflowed NuGet.config enables auditing for all these test-only,
runtime-provided transitive packages, downgrade NU1901-NU1904 from errors to
warnings for test projects instead. Findings stay visible; TreatWarningsAsErrors
no longer fails the test build. Scoped to tests/ only; product projects keep
audit-as-error.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The previous WarningsNotAsErrors attempt did not take effect in CI: NuGet
restore does not honor WarningsNotAsErrors for restore-time audit warnings,
so NU1903 still failed the build (System.Net.Http / System.Text.RegularExpressions).

NuGet restore does reliably honor NoWarn. Suppress NU1901-NU1904 via NoWarn in
tests/Directory.Build.props so all test-only, runtime-provided transitive
packages (System.Net.Http, System.Text.RegularExpressions, MessagePack, etc.)
stop failing the build. Scoped to test projects; product projects keep audit-as-error.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

AI-Tooling-Check-Bypassed Tooling check: non-fork PR, not diff-analyzed

Projects

Status: New

Development

Successfully merging this pull request may close these issues.

2 participants