dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Don't allow NuGet tasks to call vulnerability APIs #10964

Open brettfo opened 6 days ago

brettfo commented 6 days ago

When doing NuGet dependency detection, we essentially call `dotnet restore`, and part of that involves NuGet checking for known vulnerabilities. We don't use this directly. There's likely an environment variable or MSBuild property that we can set to avoid this.

Relevant error numbers are `NU1903` and `NU3028`.

brettfo commented 6 days ago

This might be solved by setting the property $(NuGetAudit) to false when evaluating anything.
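The following is an added configuration example, not code from the issue or from dependabot-core, showing how the `NuGetAudit` property mentioned above can be turned off for every project under a directory. `NuGetAudit` is a real NuGet/MSBuild property that controls the vulnerability audit performed during restore (the `NU1901`-`NU1904` warnings, of which `NU1903` is the high-severity one); setting it to `false` skips the vulnerability lookup entirely. It has no effect on package signature verification, so any `NU3xxx` code is governed by separate signing settings. The file name `Directory.Build.props` is MSBuild's standard per-directory import; placing it at the repository root applies the property to all projects below it.

```xml
<!-- Directory.Build.props (added example; not from the issue or dependabot-core) -->
<!-- MSBuild imports this file automatically for every project in this directory tree. -->
<Project>
  <PropertyGroup>
    <!-- Disable NuGet's vulnerability audit during restore. This suppresses the
         NU1901-NU1904 audit warnings and avoids the network call to the
         vulnerability database. It does NOT disable package signature checks. -->
    <NuGetAudit>false</NuGetAudit>
  </PropertyGroup>
</Project>
```

The same property can be passed on the command line for a single invocation instead of via the file: `dotnet restore -p:NuGetAudit=false`. Either way, the property only affects NuGet's own audit; a tool that relies on its own vulnerability data source, as the issue describes, loses nothing by turning it off.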