fixed CICD build error

Author: firejeff01

.github/workflows/ci.yml

@@ -28,9 +28,22 @@ jobs:
       - name: Audit packages for known vulnerabilities
         shell: pwsh
         run: |
-          $output = dotnet list Tender.slnx package --vulnerable --include-transitive 2>&1 | Out-String
-          Write-Host $output
-          if ($output -match 'has the following vulnerable packages') {
+          # 逐個 csproj 跑（避開 wixproj 不支援 list package 的問題）
+          $projects = Get-ChildItem -Path . -Recurse -Filter *.csproj -File `
+            | Where-Object { $_.FullName -notmatch '[\\/](bin|obj)[\\/]' } `
+            | Select-Object -ExpandProperty FullName
+          $hasVuln = $false
+          foreach ($p in $projects) {
+            $rel = Resolve-Path -Relative $p
+            Write-Host "=== $rel ==="
+            $output = dotnet list $p package --vulnerable --include-transitive 2>&1 | Out-String
+            Write-Host $output
+            # 用 advisory URL 比對（locale-agnostic）
+            if ($output -match 'github\.com/advisories/') {
+              $hasVuln = $true
+            }
+          }
+          if ($hasVuln) {
             Write-Warning 'Vulnerable packages detected; review the audit output above.'
           } else {
             Write-Host 'No known vulnerable packages found.'

.github/workflows/release.yml

@@ -54,11 +54,25 @@ jobs:
       - name: Audit packages for known vulnerabilities
         shell: pwsh
         run: |
-          # 列出含已知漏洞的套件（含遞移依賴）。目前不阻斷 build，只記錄供日後檢視；
-          # 若想嚴格阻斷，把 $errored = $true 改成直接 throw。
-          $output = dotnet list Tender.slnx package --vulnerable --include-transitive 2>&1 | Out-String
-          Write-Host $output
-          if ($output -match 'has the following vulnerable packages') {
+          # 列出含已知漏洞的 NuGet 套件（含遞移依賴）。
+          # 逐個 csproj 跑（不能用 Tender.slnx：slnx 會把 Tender.Installer.wixproj
+          # 拉進來，但 wixproj 不支援 dotnet list package，會讓整個 step exit 1）。
+          # 目前不阻斷 build，只 print warning；若想嚴格阻斷把 Write-Warning 改 throw。
+          $projects = Get-ChildItem -Path . -Recurse -Filter *.csproj -File `
+            | Where-Object { $_.FullName -notmatch '[\\/](bin|obj)[\\/]' } `
+            | Select-Object -ExpandProperty FullName
+          $hasVuln = $false
+          foreach ($p in $projects) {
+            $rel = Resolve-Path -Relative $p
+            Write-Host "=== $rel ==="
+            $output = dotnet list $p package --vulnerable --include-transitive 2>&1 | Out-String
+            Write-Host $output
+            # 用 advisory URL 比對（locale-agnostic；en-US 與 zh-TW 輸出文字不同）
+            if ($output -match 'github\.com/advisories/') {
+              $hasVuln = $true
+            }
+          }
+          if ($hasVuln) {
             Write-Warning 'Vulnerable packages detected; review the audit output above.'
           } else {
             Write-Host 'No known vulnerable packages found.'

tests/Directory.Build.props

@@ -0,0 +1,15 @@
+<Project>
+
+  <!--
+    顯式覆寫測試 transitive 帶進來的舊版 NuGet shim：
+    System.Net.Http 4.3.0 與 System.Text.RegularExpressions 4.3.0 在 .NET 5+
+    為 type-forward 空殼，實際實作來自 runtime BCL，CVE 攻擊面僅適用於
+    .NET Framework，本專案 net8.0 無實際風險。升到 4.3.4 / 4.3.1（含 metadata
+    修補的版本）讓 audit 不再標 High。僅作用於 tests/ 下的所有測試專案。
+  -->
+  <ItemGroup>
+    <PackageReference Include="System.Net.Http" Version="4.3.4" />
+    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
+  </ItemGroup>
+
+</Project>