Summary
dotnet restore nuke-common.slnx with NuGetAudit=true /p:NuGetAuditMode=all /p:NuGetAuditLevel=low emits 35 audit warnings on current develop (@27e8077b). Two advisory groups:
System.Security.Cryptography.Xml (transitive, 8.0.0 + 9.0.0)
Fixed versions: 8.0.3 / 9.0.15 / 10.0.6.
Scriban 6.2.1 (direct dep in Nuke.SourceGenerators)
9 advisories: 1 critical (GHSA-5wr9-m6jw-xx44), 5 high, 3 moderate. Fixed in 7.0.0+; latest is 7.1.0, still supports netstandard2.0.
Suggested fix
- Enable
CentralPackageTransitivePinningEnabled in Directory.Packages.props and pin System.Security.Cryptography.Xml with TFM-conditional overrides (10.0.6 / 9.0.15 / 8.0.3).
- Bump
Scriban 6.2.1 → 7.1.0.
build/_build.csproj opts out of CPM, so it needs a direct <PackageReference> for the fixed package version.
Summary
dotnet restore nuke-common.slnxwithNuGetAudit=true /p:NuGetAuditMode=all /p:NuGetAuditLevel=lowemits 35 audit warnings on currentdevelop(@27e8077b). Two advisory groups:System.Security.Cryptography.Xml (transitive, 8.0.0 + 9.0.0)
EncryptedXmlFixed versions: 8.0.3 / 9.0.15 / 10.0.6.
Scriban 6.2.1 (direct dep in
Nuke.SourceGenerators)9 advisories: 1 critical (GHSA-5wr9-m6jw-xx44), 5 high, 3 moderate. Fixed in 7.0.0+; latest is 7.1.0, still supports
netstandard2.0.Suggested fix
CentralPackageTransitivePinningEnabledinDirectory.Packages.propsand pinSystem.Security.Cryptography.Xmlwith TFM-conditional overrides (10.0.6 / 9.0.15 / 8.0.3).Scriban6.2.1 → 7.1.0.build/_build.csprojopts out of CPM, so it needs a direct<PackageReference>for the fixed package version.