Stop failing the build on low/moderate NuGet audit advisories

angularsen · claude · angularsen · commit 53b801123ba7 · 2026-05-02T20:09:38.000+02:00
PR #1657's CI failed at restore time with: error NU1901: Warning As Error: Package 'NuGet.Packaging' 7.0.1 has a known low severity vulnerability error NU1901: Warning As Error: Package 'NuGet.Protocol' 7.0.1 has a known low severity vulnerability These are pulled in transitively by build tooling (CodeGen) and cannot be upgraded without breaking other constraints. Two changes: - Add NU1901 (low) and NU1902 (moderate) to WarningsNotAsErrors in Directory.Build.props so they remain visible as warnings but no longer fail the build via TreatWarningsAsErrors. High (NU1903) and critical (NU1904) advisories still fail the build. - CodeGen.csproj had its own WarningsNotAsErrors that overrode (not appended to) the one in Directory.Build.props. Prefix it with $(WarningsNotAsErrors); so the project inherits the NU codes (and the obsolete codes) while keeping its nullability suppressions. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/CodeGen/CodeGen.csproj b/CodeGen/CodeGen.csproj
@@ -5,8 +5,18 @@
     <TargetFramework>net10.0</TargetFramework>
     <LangVersion>latest</LangVersion>
     <Nullable>enable</Nullable>
-    <!-- Allow compile with various nullability warnings until fixed. -->
-    <WarningsNotAsErrors>8600,8601,8603,8604,8618,8619,8625</WarningsNotAsErrors>
+    <!--
+      Inherits Directory.Build.props codes and adds nullability warnings the codegen sources
+      have not been annotated for. All stay visible as warnings.
+      CS8600  - null literal to non-nullable
+      CS8601  - possible null reference assignment
+      CS8603  - possible null reference return
+      CS8604  - possible null reference argument
+      CS8618  - non-nullable field uninitialized in ctor
+      CS8619  - nullability mismatch
+      CS8625  - null literal to non-nullable reference
+    -->
+    <WarningsNotAsErrors>$(WarningsNotAsErrors);8600;8601;8603;8604;8618;8619;8625</WarningsNotAsErrors>
   </PropertyGroup>
 
   <ItemGroup>
diff --git a/Directory.Build.props b/Directory.Build.props
@@ -17,8 +17,14 @@
   <PropertyGroup>
     <!-- Warning instead of compile error on obsolete errors.-->
     <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
-    <!-- 612: obsolete, 618: obsolete with message -->
-    <WarningsNotAsErrors>612,618</WarningsNotAsErrors>
+    <!--
+      Warnings stay visible but do not fail the build. NU1903 (high) and NU1904 (critical) still fail.
+      CS0612  - obsolete member
+      CS0618  - obsolete member with message
+      NU1901  - NuGet audit: low severity vulnerability
+      NU1902  - NuGet audit: moderate severity vulnerability
+    -->
+    <WarningsNotAsErrors>612;618;NU1901;NU1902</WarningsNotAsErrors>
   </PropertyGroup>
 
   <!-- Build symbol package (.snupkg) to distribute the PDB file for debugging, in addition to Source Link per recommendation: https://learn.microsoft.com/en-us/dotnet/standard/library-guidance/sourcelink -->
