netclaw/Directory.Packages.props at dev · netclaw-dev/netclaw · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
    <!-- Nuget package versions -->
    <AkkaHostingVersion>1.5.69</AkkaHostingVersion>
    <AkkaPersistenceSqlHostingVersion>1.5.67</AkkaPersistenceSqlHostingVersion>
    <AkkaRemindersVersion>0.6.0</AkkaRemindersVersion>
    <OpenTelemetryVersion>1.16.0</OpenTelemetryVersion>
    <SlackNetVersion>0.17.10</SlackNetVersion>
    <DiscordNetVersion>3.20.1</DiscordNetVersion>
    <MattermostNetVersion>5.0.0</MattermostNetVersion>
    <MicrosoftExtensionsAIVersion>10.6.0</MicrosoftExtensionsAIVersion>
    <MicrosoftAspNetCoreVersion>10.0.9</MicrosoftAspNetCoreVersion>
    <SkiaSharpVersion>3.119.4</SkiaSharpVersion>
    <!-- Aspire pins are exercised only by samples/Netclaw.Demo.AppHost and its
         integration tests. The 13.x line is the .NET 10 generation of Aspire;
         9.x pulls a vulnerable KubernetesClient 17.0.4 (GHSA-w7r3-mgwf-4mqq)
         that trips NU1902 under our TreatWarningsAsErrors policy. -->
    <AspireHostingVersion>13.4.4</AspireHostingVersion>
    <CommunityToolkitAspireVersion>13.4.0</CommunityToolkitAspireVersion>
  </PropertyGroup>
  <!-- App dependencies -->
  <ItemGroup>
    <PackageVersion Include="Akka.Hosting" Version="$(AkkaHostingVersion)" />
    <PackageVersion Include="Akka.Cluster.Sharding" Version="$(AkkaHostingVersion)" />
    <PackageVersion Include="Akka.Persistence" Version="$(AkkaHostingVersion)" />
    <PackageVersion Include="Akka.Persistence.Hosting" Version="$(AkkaHostingVersion)" />
    <PackageVersion Include="Akka.Persistence.Sql.Hosting" Version="$(AkkaPersistenceSqlHostingVersion)" />
    <PackageVersion Include="Aaron.Akka.Reminders" Version="$(AkkaRemindersVersion)" />
    <PackageVersion Include="Aaron.Akka.Reminders.Sqlite" Version="$(AkkaRemindersVersion)" />
    <PackageVersion Include="Anthropic" Version="12.29.1" />
    <PackageVersion Include="HtmlAgilityPack" Version="1.12.4" />
    <PackageVersion Include="Microsoft.AspNetCore.DataProtection.Extensions" Version="$(MicrosoftAspNetCoreVersion)" />
    <PackageVersion Include="Microsoft.AspNetCore.OpenApi" Version="$(MicrosoftAspNetCoreVersion)" />
    <PackageVersion Include="Microsoft.Extensions.AI" Version="$(MicrosoftExtensionsAIVersion)" />
    <PackageVersion Include="Microsoft.Extensions.AI.Abstractions" Version="$(MicrosoftExtensionsAIVersion)" />
    <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="$(MicrosoftAspNetCoreVersion)" />
    <PackageVersion Include="Microsoft.Extensions.TimeProvider.Testing" Version="$(MicrosoftExtensionsAIVersion)" />
    <PackageVersion Include="ModelContextProtocol.Core" Version="1.4.0" />
    <PackageVersion Include="ModelContextProtocol.AspNetCore" Version="1.4.0" />
    <PackageVersion Include="Microsoft.AspNetCore.SignalR.Client" Version="$(MicrosoftAspNetCoreVersion)" />
    <PackageVersion Include="Microsoft.AspNetCore.DataProtection" Version="$(MicrosoftAspNetCoreVersion)" />
    <PackageVersion Include="System.Security.Cryptography.Xml" Version="$(MicrosoftAspNetCoreVersion)" />
    <PackageVersion Include="Microsoft.AspNetCore.TestHost" Version="$(MicrosoftAspNetCoreVersion)" />
    <PackageVersion Include="Microsoft.Data.Sqlite" Version="$(MicrosoftAspNetCoreVersion)" />
    <PackageVersion Include="Microsoft.Extensions.AI.OpenAI" Version="$(MicrosoftExtensionsAIVersion)" />
    <PackageVersion Include="Microsoft.Extensions.Configuration.Json" Version="$(MicrosoftAspNetCoreVersion)" />
    <PackageVersion Include="Microsoft.Extensions.Hosting" Version="$(MicrosoftAspNetCoreVersion)" />
    <PackageVersion Include="Microsoft.Extensions.Http" Version="$(MicrosoftAspNetCoreVersion)" />
    <PackageVersion Include="JsonSchema.Net" Version="7.4.0" />
    <PackageVersion Include="NSec.Cryptography" Version="26.4.0" />
    <PackageVersion Include="OpenTelemetry" Version="$(OpenTelemetryVersion)" />
    <PackageVersion Include="OpenTelemetry.Api" Version="$(OpenTelemetryVersion)" />
    <PackageVersion Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="$(OpenTelemetryVersion)" />
    <PackageVersion Include="OpenTelemetry.Extensions.Hosting" Version="$(OpenTelemetryVersion)" />
    <PackageVersion Include="OllamaSharp" Version="5.4.25" />
    <PackageVersion Include="SauceControl.Blake2Fast" Version="2.0.0" />
    <PackageVersion Include="Discord.Net" Version="$(DiscordNetVersion)" />
    <PackageVersion Include="Mattermost.NET" Version="$(MattermostNetVersion)" />
    <PackageVersion Include="SlackNet" Version="$(SlackNetVersion)" />
    <PackageVersion Include="SlackNet.Extensions.DependencyInjection" Version="$(SlackNetVersion)" />
    <PackageVersion Include="Cronos" Version="0.13.0" />
    <PackageVersion Include="Netclaw.SkillClient" Version="0.3.1" />
    <PackageVersion Include="ShellSyntaxTree" Version="0.1.5" />
    <PackageVersion Include="Termina" Version="0.14.0-beta.1" />
  </ItemGroup>
  <!-- Serialization -->
  <ItemGroup>
    <PackageVersion Include="Google.Protobuf" Version="3.35.1" />
    <PackageVersion Include="Grpc.Tools" Version="2.81.1" />
    <PackageVersion Include="YamlDotNet" Version="18.0.0" />
  </ItemGroup>
  <!-- Test dependencies -->
  <ItemGroup>
    <PackageVersion Include="Akka.Hosting.TestKit" Version="$(AkkaHostingVersion)" />
    <PackageVersion Include="xunit.v3" Version="3.2.2" />
    <PackageVersion Include="xunit.runner.visualstudio" Version="3.1.5" />
    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="18.6.0" />
    <PackageVersion Include="CsCheck" Version="4.7.0" />
    <PackageVersion Include="Verify.XunitV3" Version="31.20.0" />
    <PackageVersion Include="Testcontainers" Version="4.12.0" />
  </ItemGroup>
  <!-- .NET Aspire (samples/Netclaw.Demo.AppHost only) -->
  <ItemGroup>
    <PackageVersion Include="Aspire.Hosting.AppHost" Version="$(AspireHostingVersion)" />
    <PackageVersion Include="Aspire.Hosting.Testing" Version="$(AspireHostingVersion)" />
    <PackageVersion Include="CommunityToolkit.Aspire.Hosting.Ollama" Version="$(CommunityToolkitAspireVersion)" />
  </ItemGroup>
  <!-- Image normalization (Netclaw.Media). SkiaSharp ships Windows/macOS native
       assets in the base package; Linux needs the explicit headless native asset
       (NoDependencies = no fontconfig, we do no text rendering). -->
  <ItemGroup>
    <PackageVersion Include="SkiaSharp" Version="$(SkiaSharpVersion)" />
    <PackageVersion Include="SkiaSharp.NativeAssets.Linux.NoDependencies" Version="$(SkiaSharpVersion)" />
  </ItemGroup>
  <!-- Benchmarks (benchmarks/Netclaw.Benchmarks only) -->
  <ItemGroup>
    <PackageVersion Include="BenchmarkDotNet" Version="0.15.8" />
  </ItemGroup>
  <!-- Source generators -->
  <ItemGroup>
    <PackageVersion Include="Microsoft.CodeAnalysis.CSharp" Version="5.3.0" />
  </ItemGroup>
  <!-- SourceLink support for all Akka.NET projects -->
  <ItemGroup>
    <PackageVersion Include="Microsoft.SourceLink.GitHub" Version="10.0.300" />
  </ItemGroup>
  <!-- Transitive security pin: Aspire.Hosting.AppHost → StreamJsonRpc pulls in
       MessagePack 2.5.192, flagged by NuGetAudit (GHSA-hv8m-jj95-wg3x, LZ4
       decompression DoS). Netclaw uses MessagePack nowhere — this is sample-only
       Aspire tooling RPC — but pin to the patched v2 (2.5.301) to clear the audit. -->
  <ItemGroup>
    <PackageVersion Include="MessagePack" Version="2.5.301" />
  </ItemGroup>
  <!-- Transitive audit suppress: Microsoft.Data.Sqlite → SQLitePCLRaw.lib.e_sqlite3 2.1.11
       is flagged by NuGetAudit (GHSA-2m69-gcr7-jv3q, CVE-2025-6965 — SQLite < 3.50.2
       memory corruption in aggregate-term handling). No patched version of
       SQLitePCLRaw.lib.e_sqlite3 is available on NuGet: 3.50.3 was published then unlisted,
       and 2.1.11 remains the latest stable release. This suppress will be removed once
       Microsoft ships a Microsoft.Data.Sqlite release that pins a non-vulnerable
       SQLitePCLRaw.lib.e_sqlite3. Track: https://github.com/dotnet/efcore/issues/38257 -->
  <ItemGroup>
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-2m69-gcr7-jv3q" />
  </ItemGroup>
</Project>