dotnet · ViktorHofer · Jan 12, 2025 · Jan 9, 2025 · Jan 9, 2025 · Jan 11, 2025
diff --git a/src/SourceBuild/content/Directory.Build.props b/src/SourceBuild/content/Directory.Build.props
@@ -133,6 +133,10 @@
     <!-- Don't use Arcade's ExcludeFrom* build infra in the VMR orchestrator. -->
     <DisableArcadeExcludeFromBuildSupport>true</DisableArcadeExcludeFromBuildSupport>
     <LangVersion>latest</LangVersion>
+    <!-- Explicitly set NuGetAuditModel level as it's currently disabled in the product. -->
+    <NuGetAuditMode>all</NuGetAuditMode>
+    <!-- Only upgrade NuGetAudit warnings to errors for official builds. -->
+    <WarningsNotAsErrors Condition="'$(OfficialBuildId)' == ''">$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>
   </PropertyGroup>
 
   <PropertyGroup>

diff --git a/src/SourceBuild/content/Directory.Packages.props b/src/SourceBuild/content/Directory.Packages.props
@@ -13,15 +13,20 @@
     <!-- MSBuild dependencies -->
     <PackageVersion Include="Microsoft.Build.Tasks.Core" Version="$(MicrosoftBuildVersion)" />
     <PackageVersion Include="Microsoft.Build.Utilities.Core" Version="$(MicrosoftBuildVersion)" />
+    <!-- NuGet dependencies -->
+    <PackageVersion Include="NuGet.ProjectModel" Version="$(NuGetProjectModelVersion)" />
+    <PackageVersion Include="NuGet.Protocol" Version="$(NuGetProtocolVersion)" />
     <!-- Runtime dependencies -->
     <PackageVersion Include="Microsoft.Extensions.FileSystemGlobbing" Version="$(MicrosoftExtensionsFileSystemGlobbingVersion)" />
     <PackageVersion Include="Microsoft.Extensions.Logging.Console" Version="$(MicrosoftExtensionsLoggingConsoleVersion)" />
     <PackageVersion Include="Microsoft.Extensions.Logging" Version="$(MicrosoftExtensionsLoggingVersion)" />
-    <!-- External dependencies -->
+  </ItemGroup>
+
+  <!-- External dependencies -->
+  <ItemGroup>
     <PackageVersion Include="Newtonsoft.Json" Version="$(NewtonsoftJsonVersion)" />
     <PackageVersion Include="xunit.extensibility.core" Version="$(XUnitVersion)" />
     <PackageVersion Include="xunit.extensibility.execution" Version="$(XUnitVersion)" />
-    <PackageVersion Include="NuGet.Protocol" Version="$(NuGetProtocolVersion)" />
     <PackageVersion Include="Octokit" Version="$(OctokitVersion)" />
   </ItemGroup>
 

diff --git a/src/SourceBuild/content/NuGet.config b/src/SourceBuild/content/NuGet.config
@@ -12,4 +12,8 @@
   <disabledPackageSources>
     <clear />
   </disabledPackageSources>
+  <auditSources>
+    <clear />
+    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
+  </auditSources>
 </configuration>
diff --git a/src/SourceBuild/content/eng/Versions.props b/src/SourceBuild/content/eng/Versions.props
@@ -28,13 +28,14 @@
     <!-- command-line-api dependencies -->
     <SystemCommandLineVersion>2.0.0-beta4.24126.1</SystemCommandLineVersion>
     <!-- msbuild dependencies -->
-    <MicrosoftBuildVersion>17.8.3</MicrosoftBuildVersion>
+    <MicrosoftBuildVersion>17.12.6</MicrosoftBuildVersion>
+    <!-- nuget dependencies -->
+    <NuGetProtocolVersion>6.12.1</NuGetProtocolVersion>
+    <NuGetProjectModelVersion>6.12.1</NuGetProjectModelVersion>
     <!-- runtime dependencies -->
     <MicrosoftExtensionsFileSystemGlobbingVersion>9.0.0</MicrosoftExtensionsFileSystemGlobbingVersion>
     <MicrosoftExtensionsLoggingConsoleVersion>9.0.0</MicrosoftExtensionsLoggingConsoleVersion>
     <MicrosoftExtensionsLoggingVersion>9.0.0</MicrosoftExtensionsLoggingVersion>
-    <!-- nuget dependencies -->
-    <NuGetProtocolVersion>6.11.0</NuGetProtocolVersion>
     <!-- external dependencies -->
     <NewtonsoftJsonVersion>13.0.3</NewtonsoftJsonVersion>
     <OctokitVersion>10.0.0</OctokitVersion>

diff --git a/src/SourceBuild/content/eng/tools/Directory.Build.props b/src/SourceBuild/content/eng/tools/Directory.Build.props
@@ -6,16 +6,4 @@
     <RestoreSources Condition="'$(DotNetBuildSourceOnly)' == 'true'">$(ReferencePackagesDir);$(PrebuiltPackagesPath);$(PrebuiltSourceBuiltPackagesPath)</RestoreSources>
   </PropertyGroup>
 
-  <!--
-    Use some assemblies from the SDK, instead of package references. This ensures they match what's
-    found when the task is loaded by the SDK's MSBuild.
-    Reference NuGet assemblies, except a command line assembly that causes warnings such as:
-    MSB3277: Found conflicts between different versions of "System.Collections" that could not be resolved.
-  -->
-  <ItemGroup>
-    <SdkAssembly Include="$([MSBuild]::NormalizePath('$(NetCoreRoot)', 'sdk', '$(NETCoreSdkVersion)', 'Newtonsoft.Json.dll'));
-                          $([MSBuild]::NormalizeDirectory('$(NetCoreRoot)', 'sdk', '$(NETCoreSdkVersion)'))NuGet.*.dll"
-                 Exclude="$([MSBuild]::NormalizePath('$(NetCoreRoot)', 'sdk', '$(NETCoreSdkVersion)', 'NuGet.CommandLine.XPlat.dll'))" />
-  </ItemGroup>
-
 </Project>
diff --git a/...t.SourceBuild.Tasks.LeakDetection/Microsoft.DotNet.SourceBuild.Tasks.LeakDetection.csproj b/...t.SourceBuild.Tasks.LeakDetection/Microsoft.DotNet.SourceBuild.Tasks.LeakDetection.csproj
@@ -13,8 +13,4 @@
     <ProjectReference Include="../Microsoft.DotNet.UnifiedBuild.Tasks/Microsoft.DotNet.UnifiedBuild.Tasks.csproj" />
   </ItemGroup>
 
-  <ItemGroup>
-    <ReferencePath Include="@(SdkAssembly)" />
-  </ItemGroup>
-
 </Project>
diff --git a/...t.UnifiedBuild.MSBuildSdkResolver/Microsoft.DotNet.UnifiedBuild.MSBuildSdkResolver.csproj b/...t.UnifiedBuild.MSBuildSdkResolver/Microsoft.DotNet.UnifiedBuild.MSBuildSdkResolver.csproj
@@ -5,8 +5,9 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Build.Tasks.Core" ExcludeAssets="runtime" />
-    <PackageReference Include="Microsoft.Build.Utilities.Core" ExcludeAssets="runtime" />
+    <!-- IncludeAssets=compile to treat these packages as targeting-packs only. The assemblies are available in the SDK. -->
+    <PackageReference Include="Microsoft.Build.Tasks.Core" IncludeAssets="compile" />
+    <PackageReference Include="Microsoft.Build.Utilities.Core" IncludeAssets="compile" />
   </ItemGroup>
 
   <Target Name="InstallResolver" BeforeTargets="PrepareForRun">

diff --git a/...ools/tasks/Microsoft.DotNet.UnifiedBuild.Tasks/Microsoft.DotNet.UnifiedBuild.Tasks.csproj b/...ools/tasks/Microsoft.DotNet.UnifiedBuild.Tasks/Microsoft.DotNet.UnifiedBuild.Tasks.csproj
@@ -5,12 +5,12 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Build.Tasks.Core" />
-    <PackageReference Include="Microsoft.Build.Utilities.Core" />
-  </ItemGroup>
-
-  <ItemGroup>
-    <ReferencePath Include="@(SdkAssembly)" />
+    <!-- IncludeAssets=compile to treat these packages as targeting-packs only. The assemblies are available in the SDK. -->
+    <PackageReference Include="Microsoft.Build.Tasks.Core" IncludeAssets="compile" />
+    <PackageReference Include="Microsoft.Build.Utilities.Core" IncludeAssets="compile" />
+    <PackageReference Include="NuGet.Protocol" IncludeAssets="compile" />
+    <PackageReference Include="NuGet.ProjectModel" IncludeAssets="compile" />
+    <PackageReference Include="Newtonsoft.Json" IncludeAssets="compile" />
   </ItemGroup>
 
 </Project>
diff --git a/src/SourceBuild/content/test/Microsoft.DotNet.Tests/Microsoft.DotNet.Tests.csproj b/src/SourceBuild/content/test/Microsoft.DotNet.Tests/Microsoft.DotNet.Tests.csproj
@@ -5,38 +5,17 @@
     <DefaultExcludesInProjectFolder>$(DefaultExcludesInProjectFolder);assets/**/*</DefaultExcludesInProjectFolder>
     <VSTestLogger>console%3bverbosity=normal;trx%3bverbosity=diagnostic%3bLogFileName=$(MSBuildProjectName).trx</VSTestLogger>
     <VSTestCLIRunSettings>$(VSTestCLIRunSettings);RunConfiguration.DotNetHostPath=$(DotnetTool)</VSTestCLIRunSettings>
-    <!--
-      Required while we're using direct SDK assembly references in
-      $(RepositoryEngineeringDir)tools/Directory.Build.props for all tools projects
-      including Microsoft.DotNet.UnifiedBuild.Tasks.
-    -->
-    <NoWarn>$(NoWarn);MSB3277</NoWarn>
   </PropertyGroup>
 
   <ItemGroup>
-    <ProjectReference Include="$(RepositoryEngineeringDir)tools/tasks/Microsoft.DotNet.UnifiedBuild.Tasks/Microsoft.DotNet.UnifiedBuild.Tasks.csproj" />
-  </ItemGroup>
-
-  <ItemGroup>
+    <PackageReference Include="Microsoft.Build.Tasks.Core" />
+    <PackageReference Include="Microsoft.Build.Utilities.Core" />
     <PackageReference Include="Microsoft.Extensions.FileSystemGlobbing" />
-  </ItemGroup>
-
-  <!--
-    Copied from $(RepositoryEngineeringDir)tools/Directory.Build.props - keep in sync.
+    <PackageReference Include="Newtonsoft.Json" />
+    <PackageReference Include="NuGet.ProjectModel" />
+    <PackageReference Include="NuGet.Protocol" />
 
-    Use some assemblies from the SDK, instead of package references. This ensures they match what's
-    found when the task is loaded by the SDK's MSBuild.
-    Reference NuGet assemblies, except a command line assembly that causes warnings such as:
-    MSB3277: Found conflicts between different versions of "System.Collections" that could not be resolved.
-  -->
-  <ItemGroup>
-    <SdkAssembly Include="$([MSBuild]::NormalizePath('$(NetCoreRoot)', 'sdk', '$(NETCoreSdkVersion)', 'Newtonsoft.Json.dll'));
-                          $([MSBuild]::NormalizeDirectory('$(NetCoreRoot)', 'sdk', '$(NETCoreSdkVersion)'))NuGet.*.dll"
-                 Exclude="$([MSBuild]::NormalizePath('$(NetCoreRoot)', 'sdk', '$(NETCoreSdkVersion)', 'NuGet.CommandLine.XPlat.dll'))" />
-  </ItemGroup>
-
-  <ItemGroup>
-    <ReferencePath Include="@(SdkAssembly)" />
+    <ProjectReference Include="$(RepositoryEngineeringDir)tools/tasks/Microsoft.DotNet.UnifiedBuild.Tasks/Microsoft.DotNet.UnifiedBuild.Tasks.csproj" />
   </ItemGroup>
 
   <ItemGroup>