Corvus.Testing.AzureFunctions.SpecFlow.NUnit.csproj

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
    <Copyright>Copyright (c) Endjin Limited 2024. All rights reserved.</Copyright>
  </PropertyGroup>

  <PropertyGroup>
    <IsTestProject>false</IsTestProject>
    <TestProject>false</TestProject>
  </PropertyGroup>
  <ItemGroup>
    <!-- This project takes depedency on nUnit that adds the TestContainer capability importing NUnit.props, but this is not a test project -->
    <ProjectCapability Remove="TestContainer" />
  </ItemGroup>

  <PropertyGroup>
    <PackageLicenseExpression>Apache-2.0</PackageLicenseExpression>
    <PackageDescription>A metapackage that encapsulates the required dependencies when using Corvus.Testing.AzureFunctions.SpecFlow and Endjin's standard practises.  Also simplifies the dependency management process when using tools like Dependabot.</PackageDescription>
    <PackageTags>metapackage</PackageTags>
    <PackageReleaseNotes></PackageReleaseNotes>
    <RootNamespace>MetaPackage.SpecFlow.AzureFunctions.NUnit</RootNamespace>
    <IsPackable>true</IsPackable>
    <IncludeBuildOutput>false</IncludeBuildOutput>
    <IncludeContentInPack>false</IncludeContentInPack>
    <!-- Suppress the NuGet warning we're always going to get - ref: https://github.com/NuGet/Home/issues/8583 -->
    <NoWarn>$(NoWarn);NU5128</NoWarn>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="SpecFlow.NUnit.Runners" Version="3.9.74">
      <!-- ensure the 'build' assets are available to projects that reference this project, which they are by default -->
      <!-- ref: https://docs.microsoft.com/en-us/nuget/consume-packages/package-references-in-project-files#controlling-dependency-assets -->
      <PrivateAssets>contentfiles; analyzers</PrivateAssets>
    </PackageReference>
    <PackageReference Include="coverlet.msbuild" Version="6.0.2">
      <!-- ensure the 'build' assets are not private -->
      <PrivateAssets>contentfiles; analyzers</PrivateAssets>
    </PackageReference>
    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.8.0">
      <!-- ensure the 'build' assets are not private -->
      <PrivateAssets>contentfiles; analyzers</PrivateAssets>
    </PackageReference>
    
    <!--
    We have an indirect dependency on System.Text.RegularExpressions, and by default applications
    will end up with the 4.3.0 version, for which a security advisory exists. The issue is around
    a potential denial of service attack, and since this only affects test projects (not production
    code) this doesn't appear to be a realistic security flaw. However, some code analyzers will
    flag this, so we are upgrading the reference to prevent warnings.
    
    The dependency comes from NUnit:
    
    Corvus.Testing.AzureFunctions.SpecFlow.NUnit
      SpecFlow.NUnit.Runners 3.9.74
        NUnit3TestAdapter 3.17.0
          System.Xml.XmlDocument
            System.Xml.ReaderWriter
              System.Text.RegularExpressions
              
    It's possible that this problem will go away with NUnit3TestAdapter 4, because that doesn't
    appear to have this dependency. Currently, SpecFlow.NUnit.Runners depends on the older
    version (and as of 2023/04/20, previews for SpecFlow.NUnit.Runners v4 continue to do that)
    but if at some point we are able to move to NUnit3TestAdapter 4, we should look at
    removing this dependency, because we shouldn't need it any more.
    -->
    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
  </ItemGroup>

  <ItemGroup>
    <ProjectReference Include="..\Corvus.Testing.AzureFunctions.SpecFlow\Corvus.Testing.AzureFunctions.SpecFlow.csproj" />
  </ItemGroup>

</Project>