[release/9.0.1xx] Update dependencies from dotnet/arcade

[dotnet-maestro]

This pull request updates the following dependencies

From https://github.com/dotnet/arcade

• Subscription: fb3f8aec-5167-4ffc-ab85-08dcc13e8b5d
• Build: 20250602.2
• Date Produced: June 2, 2025 9:40:50 PM UTC
• Commit: 0d52a8b262d35fa2fde84e398cb2e791b8454bd2
• Branch: refs/heads/release/9.0

• Updates:
  • Microsoft.SourceBuild.Intermediate.arcade: from 9.0.0-beta.25263.2 to 9.0.0-beta.25302.2
  • Microsoft.DotNet.Arcade.Sdk: from 9.0.0-beta.25263.2 to 9.0.0-beta.25302.2
  • Microsoft.DotNet.Build.Tasks.Installers: from 9.0.0-beta.25263.2 to 9.0.0-beta.25302.2
  • Microsoft.DotNet.Helix.Sdk: from 9.0.0-beta.25263.2 to 9.0.0-beta.25302.2
  • Microsoft.DotNet.SignTool: from 9.0.0-beta.25263.2 to 9.0.0-beta.25302.2
  • Microsoft.DotNet.XliffTasks: from 9.0.0-beta.25263.2 to 9.0.0-beta.25302.2
  • Microsoft.DotNet.XUnitExtensions: from 9.0.0-beta.25263.2 to 9.0.0-beta.25302.2

[v-wuzhai]

@dotnet/source-build Could you take a look at the failures here?

[NikolaMilosavljevic]

These are all NuGet Audit errors - @ViktorHofer do you know if these show up in repo builds in 9.0 branches?

Latest arcade CI or PR, 9.0, builds were on Tuesday, before the Audit errors were triggered. So, this explains why we have not seen this in arcade builds yet.

[ViktorHofer]

I'm not 100% sure which version of NuGet inserted into 9.0 but assuming it was 6.11, NuGetAudit is enabled by default for direct dependencies (not transitives): https://github.com/NuGet/NuGet.Client/blob/5469bd0d9de8108f15f21644759773b85471366c/src/NuGet.Core/NuGet.Build.Tasks/NuGet.targets#L71-L72

So any direct reference to i.e. the Microsoft.Build.Tasks.Core package that got marked as vulnerable yesterday will error.

[NikolaMilosavljevic]

Errors are very similar to those seen in 10.0 branches, i.e.:

    /vmr/src/arcade/src/Microsoft.DotNet.Build.Tasks.TargetFramework/src/Microsoft.DotNet.Build.Tasks.TargetFramework.csproj : error NU1901: Warning As Error: Package 'Microsoft.Build.Tasks.Core' 17.8.3 has a known low severity vulnerability, https://github.com/advisories/GHSA-h4j7-5rxr-p4wc [/vmr/src/arcade/Arcade.sln]
##[error]/vmr/src/arcade/src/Microsoft.DotNet.Build.Tasks.TargetFramework/src/Microsoft.DotNet.Build.Tasks.TargetFramework.csproj(0,0): error NU1901: (NETCORE_ENGINEERING_TELEMETRY=Restore) Warning As Error: Package 'Microsoft.Build.Tasks.Core' 17.8.3 has a known low severity vulnerability, https://github.com/advisories/GHSA-h4j7-5rxr-p4wc
    /vmr/src/arcade/src/Microsoft.DotNet.Build.Tasks.Packaging/src/Microsoft.DotNet.Build.Tasks.Packaging.csproj : error NU1901: Warning As Error: Package 'Microsoft.Build.Tasks.Core' 17.8.3 has a known low severity vulnerability, https://github.com/advisories/GHSA-h4j7-5rxr-p4wc [/vmr/src/arcade/Arcade.sln]
##[error]/vmr/src/arcade/src/Microsoft.DotNet.Build.Tasks.Packaging/src/Microsoft.DotNet.Build.Tasks.Packaging.csproj(0,0): error NU1901: (NETCORE_ENGINEERING_TELEMETRY=Restore) Warning As Error: Package 'Microsoft.Build.Tasks.Core' 17.8.3 has a known low severity vulnerability, https://github.com/advisories/GHSA-h4j7-5rxr-p4wc

[NikolaMilosavljevic]

Arcade uses packages from SBRP, version 17.8.3, which is considered vulnerable. Next up, in the same range, that isn't vulnerable is 17.8.29. I'll produce SBRP packages and flow them to arcade, so the version can be updated. This should eventually resolve the issue.

[NikolaMilosavljevic]

I've merged the fix in arcade repo - dotnet/arcade#15843. It should be picked up by this flow after successful build. That should resolve the source-build issue.

[NikolaMilosavljevic]

I've triggered the arcade->sdk flow for 9.0.1xx - it should update this PR shortly and start a rerun of the checks.

[v-wuzhai]

/azp run dotnet-sdk-public-ci,sdk-source-build,sdk-unified-build

[azure-pipelines]

Azure Pipelines successfully started running 2 pipeline(s).

[v-wuzhai]

@dotnet/source-build Could you take a look at this sdk-source-build failure?

Build FAILED.

/vmr/src/nuget-client/src/NuGet.Core/NuGet.Build.Tasks.Pack/NuGet.Build.Tasks.Pack.csproj : warning NU1901: Package 'Microsoft.Build.Tasks.Core' 16.8.0 has a known low severity vulnerability, GHSA-h4j7-5rxr-p4wc [TargetFramework=net9.0]
/vmr/src/nuget-client/src/NuGet.Core/NuGet.Build.Tasks.Pack/NuGet.Build.Tasks.Pack.csproj : warning NU1901: Package 'Microsoft.Build.Tasks.Core' 16.8.0 has a known low severity vulnerability, GHSA-h4j7-5rxr-p4wc [TargetFramework=netstandard2.0]
/vmr/src/nuget-client/src/NuGet.Core/NuGet.Build.Tasks.Pack/NuGet.Build.Tasks.Pack.csproj : warning NU1901: Package 'Microsoft.Build.Tasks.Core' 16.8.0 has a known low severity vulnerability, GHSA-h4j7-5rxr-p4wc [TargetFramework=net9.0]
/vmr/src/nuget-client/src/NuGet.Core/NuGet.Build.Tasks.Pack/NuGet.Build.Tasks.Pack.csproj : warning NU1901: Package 'Microsoft.Build.Tasks.Core' 16.8.0 has a known low severity vulnerability, GHSA-h4j7-5rxr-p4wc [TargetFramework=netstandard2.0]
/vmr/src/nuget-client/src/NuGet.Core/NuGet.Build.Tasks.Pack/NuGet.Build.Tasks.Pack.csproj : error NU1901: Package 'Microsoft.Build.Tasks.Core' 16.8.0 has a known low severity vulnerability, GHSA-h4j7-5rxr-p4wc [/vmr/src/nuget-client/build/restorehelper.targets]
4 Warning(s)
1 Error(s)

[v-wuzhai]

@dotnet/source-build @NikolaMilosavljevic Just wanted to follow up on this—any updates?

[ellahathaway]

@dotnet/source-build @NikolaMilosavljevic Just wanted to follow up on this—any updates?

The issue occurs when building nuget-client with netstandard2.0. It's this line that's causing the issue:

<MicrosoftBuildVersion Condition="'$(TargetFramework)' == 'netcoreapp3.1' Or '$(TargetFramework)' == 'netstandard2.0'">16.8.0</MicrosoftBuildVersion>

NuGet/NuGet.Client#6488 fixed this issue in main. @zivkan - can you please take a look?

[marcpopMSFT]

superseded.