Fix CG alerts on release/9.0 #16733

Merged
missymessa merged 5 commits into release/9.0 from dev/mjanecke/fix-cg-alerts-release-9.0
Apr 23, 2026

@missymessa

Summary

Bump vulnerable package versions to resolve Component Governance alerts on the release/9.0 branch.

Changes

| Package | Old Version | New Version | Advisory |
| --- | --- | --- | --- |
| NuGet.Commands | 6.11.0 | 6.11.2 | GHSA-g4vj-cjjj-v7hg |
| NuGet.Frameworks | 6.11.0 | 6.11.2 | GHSA-g4vj-cjjj-v7hg |
| NuGet.Packaging | 6.11.0 | 6.11.2 | GHSA-g4vj-cjjj-v7hg |
| NuGet.ProjectModel | 6.11.0 | 6.11.2 | GHSA-g4vj-cjjj-v7hg |
| NuGet.Versioning | 6.11.0 | 6.11.2 | GHSA-g4vj-cjjj-v7hg |
| System.Security.Cryptography.Xml | 9.0.0-rc.2.24473.5 | 9.0.15 | CVE-2026-33116, CVE-2026-26171 |
| .NET SDK | 9.0.115 | 9.0.116 | DOTNET-Security-9.0 |

- NuGet.* 6.11.0 -> 6.11.2 (GHSA-g4vj-cjjj-v7hg)
- System.Security.Cryptography.Xml 9.0.0-rc.2 -> 9.0.15 (CVE-2026-33116, CVE-2026-26171)
- .NET SDK 9.0.115 -> 9.0.116 (DOTNET-Security-9.0)

missymessa and others added 4 commits April 20, 2026 15:31

System.Security.Cryptography.Xml 9.0.15 depends on Pkcs >= 9.0.15,
which conflicts with the older 9.0.0-rc.2 pin (NU1605).

System.Security.Cryptography.Pkcs 9.0.15 depends on Asn1 >= 9.0.15,
which conflicts with the older 9.0.0-rc.2 pin (NU1109).

Microsoft.Bcl.Cryptography, System.Formats.Asn1,
System.Security.Cryptography.Pkcs, and System.Security.Cryptography.Xml
at 9.0.15 are new prebuilts from the security version bump.

@missymessa missymessa merged commit 33235ae into release/9.0 Apr 23, 2026
10 checks passed
@missymessa missymessa deleted the dev/mjanecke/fix-cg-alerts-release-9.0 branch April 23, 2026 16:27
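
The commit messages above describe a cascade: raising one pinned package for a security fix exposes older pins on its dependencies, one level at a time. The sketch below is an added example, not code from this PR or repository; it replays that cascade with the versions quoted above. The `PINS` and `EDGES` tables are constructed input, and reading "Pkcs" and "Asn1" as System.Security.Cryptography.Pkcs and System.Formats.Asn1 is an assumption based on the prebuilt list.

```python
# Added example (not from the PR): which pins must move after a security bump.

def parse(version):
    """Split a NuGet-style version into (padded release tuple, prerelease labels)."""
    core, _, pre = version.partition("-")
    release = tuple(int(p) for p in core.split("."))
    release += (0,) * (4 - len(release))
    return release, (pre.split(".") if pre else [])

def label_key(label):
    # SemVer 2.0.0: numeric labels compare as integers and sort below text labels.
    return (0, int(label), "") if label.isdigit() else (1, 0, label)

def compare(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b."""
    (ra, pa), (rb, pb) = parse(a), parse(b)
    if ra != rb:
        return -1 if ra < rb else 1
    if not pa or not pb:
        return int(not pa) - int(not pb)  # a release outranks its prereleases
    ka, kb = [label_key(x) for x in pa], [label_key(x) for x in pb]
    return (ka > kb) - (ka < kb)

def required_bumps(pins, edges):
    """Raise pins until no dependency floor is violated; return (bumps, final pins)."""
    pins, bumps, changed = dict(pins), [], True
    while changed:
        changed = False
        for parent, parent_ver, dep, floor in edges:
            # An edge only applies once its parent is pinned at that version.
            if pins.get(parent) != parent_ver or dep not in pins:
                continue
            if compare(pins[dep], floor) < 0:
                bumps.append((dep, pins[dep], floor, parent))
                pins[dep] = floor
                changed = True
    return bumps, pins

XML = "System.Security.Cryptography.Xml"
PKCS = "System.Security.Cryptography.Pkcs"  # assumed full name of "Pkcs"
ASN1 = "System.Formats.Asn1"                # assumed full name of "Asn1"
# Constructed input: pins right after the Xml bump, floors as quoted above.
PINS = {XML: "9.0.15", PKCS: "9.0.0-rc.2", ASN1: "9.0.0-rc.2"}
EDGES = [(PKCS, "9.0.15", ASN1, "9.0.15"), (XML, "9.0.15", PKCS, "9.0.15")]

if __name__ == "__main__":
    for dep, old, new, parent in required_bumps(PINS, EDGES)[0]:
        print(f"{dep}: {old} -> {new} (required by {parent})")
```

The Asn1 bump only appears on the second pass, after Pkcs has been raised, which matches the order of the follow-up commits.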