fix(deps): pin floating NuGet versions to current latest

lilith · lilith · commit a00da6787d96 · 2026-05-19T15:04:59.000-06:00
Replace wildcard PackageReference Version specifiers with exact
versions so builds become reproducible and a malicious republish of a
floating version can't silently change what we link.

- System.Drawing.Common 10.* -&gt; 10.0.8 (both Imazen.WebP and test proj)
- Microsoft.NET.Test.Sdk 18.* -&gt; 18.5.1 (test only)
- xunit 2.* -&gt; 2.9.3 (test only)
- xunit.runner.visualstudio 3.* -&gt; 3.1.5 (test only)

Maintainers can bump these explicitly when new releases drop. Already-
exact pins (System.Runtime.InteropServices.RuntimeInformation 4.3.0,
Microsoft.NETFramework.ReferenceAssemblies* 1.0.3) left alone.
diff --git a/src/Imazen.Test.Webp/Imazen.Test.Webp.csproj b/src/Imazen.Test.Webp/Imazen.Test.Webp.csproj
@@ -7,9 +7,9 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="18.*" />
-    <PackageReference Include="xunit" Version="2.*" />
-    <PackageReference Include="xunit.runner.visualstudio" Version="3.*">
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="18.5.1" />
+    <PackageReference Include="xunit" Version="2.9.3" />
+    <PackageReference Include="xunit.runner.visualstudio" Version="3.1.5">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
@@ -25,7 +25,7 @@
 
   <!-- System.Drawing.Common for .NET Core tests on Windows -->
   <ItemGroup Condition="'$(TargetFramework)' == 'net8.0' Or '$(TargetFramework)' == 'net10.0'">
-    <PackageReference Include="System.Drawing.Common" Version="10.*" />
+    <PackageReference Include="System.Drawing.Common" Version="10.0.8" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/src/Imazen.WebP/Imazen.WebP.csproj b/src/Imazen.WebP/Imazen.WebP.csproj
@@ -18,7 +18,7 @@
 
   <!-- System.Drawing.Common for netstandard2.0 and net8.0 -->
   <ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0' Or '$(TargetFramework)' == 'net8.0'">
-    <PackageReference Include="System.Drawing.Common" Version="10.*" />
+    <PackageReference Include="System.Drawing.Common" Version="10.0.8" />
   </ItemGroup>
 
   <!-- System.Runtime.InteropServices.RuntimeInformation for net472/net48 -->
