Updated vulnerable NuGet.* packages to 6.14.3 #8
Merged
* Upgraded `NuGet.Common` and `NuGet.Protocol` from `6.14.0` to `6.14.3` in Directory.Packages.props to incorporate the latest bug fixes and improvements
* Enabled `CentralPackageTransitivePinningEnabled`
Pull request overview
This PR strengthens dependency and restore hygiene by moving the repo toward fully centrally-pinned package resolution, and updates specific NuGet-related packages to patched versions.
Changes:
- Enabled Central Package Transitive Pinning (`CentralPackageTransitivePinningEnabled`) to ensure transitive dependency versions are centrally governed.
- Updated `NuGet.Common` and `NuGet.Protocol` to `6.14.3` and added explicit pins for additional packages needed under the new pinning policy.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| Directory.Packages.props | Updates/pins NuGet-related and security-advisory-related package versions under central package management. |
| Directory.Build.props | Enables transitive pinning to enforce central version control for transitive restores. |
Proposed Changes
Enables Central Package Transitive Pinning (`CentralPackageTransitivePinningEnabled`) in `Directory.Build.props` so that all transitive NuGet dependencies are resolved exclusively from the versions declared in `Directory.Packages.props`. As a direct consequence, several vulnerable or outdated transitive packages are pinned explicitly: `NuGet.Common` and `NuGet.Protocol` are upgraded from `6.11.1` to `6.14.3`, and `NuGet.Packaging`, `System.Drawing.Common`, and `System.Formats.Asn1` are added as explicit version pins to satisfy security advisories. The SDK is updated to `10.0.300` and the legacy `.sln` file is replaced by the newer `.slnx` format. All GitHub Actions workflows are updated to their latest action versions.
Types of changes
What types of changes does your code introduce to FSharp.Control.R3?
Put an `x` in the boxes that apply
Checklist
Put an `x` in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.
Further comments
Transitive pinning is enforced by adding `<CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>` to `Directory.Build.props`. This requires that any transitive package whose resolved version must be overridden is listed explicitly in `Directory.Packages.props` – hence the addition of `NuGet.Packaging`, `System.Drawing.Common`, and `System.Formats.Asn1` entries. Without these pins the build would fail under the new pinning policy.