[dev] Source code updates from dotnet/dotnet

[dotnet-maestro]

Note

This is a codeflow update. It may contain both source code changes from the VMR as well as dependency updates. Learn more here.

This pull request brings the following source code changes

From https://github.com/dotnet/dotnet

• Subscription: 5ba36ed4-9948-4cfe-8753-1c3463a6cf09
• Build: 20250726.2
• Date Produced: July 27, 2025 8:33:22 PM UTC
• Commit: 03fb78540de4e5b3c8874da30e60b58321956993
• Commit Diff: 8577847...03fb785
• Branch: main

Updated Dependencies

• From 10.0.0-beta.25304.106 to 10.0.0-beta.25376.102
  • Microsoft.DotNet.Arcade.Sdk
• From 3.0.0 to 10.0.0-preview.25277.113
  • Microsoft.Web.Xdt

Associated changes in source repos

• dotnet/arcade@48c22bf...0fbc9e8
• dotnet/aspnetcore@1a7ca4a...bf1f642
• dotnet/cecil@ace481b...2478ada
• dotnet/command-line-api@493a1d2...3a3e014
• dotnet/deployment-tools@c97b44a...0fe2f4d
• dotnet/diagnostics@aebf15d...d7d8500
• dotnet/efcore@a72632d...cb3e343
• dotnet/emsdk@b71a7e2...d65eb5b
• dotnet/fsharp@e8bfd35...7dd51e6
• dotnet/msbuild@695b1ef...1f60126
• dotnet/razor@ddcd02f...2c9fd5d
• dotnet/roslyn@b422f78...fadd60c
• dotnet/roslyn-analyzers@fb6e4b4...06f47ea
• dotnet/runtime@e67e997...69eea4d
• dotnet/scenario-tests@3ba5504...086c938
• dotnet/sdk@c8d913c...049672a
• dotnet/source-build-assets@804fed8...858616f
• dotnet/sourcelink@b1cdbdf...cf5eeea
• dotnet/symreader@6565fef...fa7beaa
• dotnet/templating@fd2db2b...fabe402
• microsoft/vstest@2e6d928...dbcd471
• dotnet/windowsdesktop@1e5f448...4134668
• dotnet/winforms@dd514dc...91ebb74
• dotnet/wpf@fdce540...390c570
• dotnet/xdt@0819f8f...3ae5c14

[dotnet-maestro]

Notification for subscribed users from https://github.com/dotnet/dotnet:

@dotnet/product-construction

Action requested: Please take a look at this failing automated dependency-flow pull request's checks; failures may be related to changes which originated in your repo.

• This pull request contains changes from your source repo (https://github.com/dotnet/dotnet) and seems to have failed checks in this PR. Please take a peek at the failures and comment if they seem relevant to your changes.
• If you're being tagged in this comment it is due to an entry in the related Maestro Subscription of the Build Asset Registry. If you feel this entry has added your GitHub login or your GitHub team in error, please update the subscription to reflect this.
• For more details, please read the Arcade Darc documentation

[ViktorHofer]

@NuGet/nuget-client there's a NuGet Audit vulnerability warning for Microsoft.Build.Tasks.Core/17.12.6. Should this version get upgraded to something newer?

I see the version hardcoded here:

NuGet.Client/Directory.Packages.props

Line 21 in 58c248e

<MicrosoftBuildVersion Condition="'$(DotNetBuildSourceOnly)' == 'true'">17.12.6</MicrosoftBuildVersion>

Unrelated but it looks like all versions referenced in that file are marked as vulnerable. Shouldn't all of them get updated?

[nkolev92]

We build against 17.11 in non-source build scenarios.

We can probably use 17.12 in general.

We basically need to match whatever https://learn.microsoft.com/en-us/dotnet/core/porting/versioning-sdk-msbuild-vs#targeting-and-support-rules says the min version is.

We'd need to figure out what the min msbuild version of the next version of the SDK before updating.

[ViktorHofer]

Any idea why this isn't a problem in the main build? IOW why are those vulnerable dependencies not showing up anywhere?

[jeffkl]

@ViktorHofer we might have fixed this in #6488, can this PR be rebased?

[jebriede]

[PR Review] @jeffkl would you please work with @ViktorHofer in understanding how to review this and how to move it forward?

[ViktorHofer]

@premun we are still getting eng/common updates into NuGet backflow PRs. Is this intentional?

[premun]

Yes, until we decide how to solve this (dotnet/dotnet#1054)

[ViktorHofer]

I'm not sure what you mean by decide. Until nuget-client onboards to Arcade (which isn't funded), we need to exclude eng/common updates.

[premun]

But we need to figure out the "how". The service always flows these things in a bundle and even if we wanted to hardcode this, it's not as simple as one if statement somewhere.

I still don't understand why we can't have the files checked in. There is already some eng/common in the repo.

[ViktorHofer]

Submitted dotnet/arcade-services#4994 to be able to pin the .NET SDK to a specific version.

[dotnet-maestro]

Important

There are conflicts with the dev branch in this PR. Apart from conflicts in the source files, this means there are unresolved conflicts in the codeflow metadata file eng/Version.Details.xml.
When resolving these, please use the (incoming/ours) version from the PR branch. The correct content should be this:

<Source Uri="https://github.com/dotnet/dotnet" Mapping="nuget-client" Sha="1c92f346e02a8363def6f7bdbcc526d3c579dd74" BarId="275898" />

In case of unclarities, consult the FAQ or tag @dotnet/product-construction for assistance.

[ViktorHofer]

@jeffkl @nkolev92 can you help with the NuGet.Client-PrivateDev pipeline failure? Otherwise, this PR should now be ready. It contains:

• "Recent" changes that were made in the VMR that backflow into this repository
• The "/eng/common" layout which will be needed for onboarding to Arcade and partially needed for onboarding to OneLocBuild localization (related to @mmitche's work around using xlf localization).
• The "tools.pinned" attribute in global.json which prevents Maestro (the service that opens these PRs) from updating the .NET SDK version as NuGet intentionally stays on 9.0.300.

[ViktorHofer]

Gentle ping. We need to get this in so that the sync into and from the VMR is correctly working.