temporalio / sdk-dotnet

Temporal .NET SDK
MIT License

NU1903 error when run dotnet build #347

Open rstm-sf opened 1 week ago

rstm-sf commented 1 week ago

Summary

When I try to build a solution, I get errors NU1903

Details

> dotnet build
    .\sdk-dotnet\tests\Temporalio.Tests\Temporalio.Tests.csproj : error NU1903: Warning As Error: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
    .\sdk-dotnet\src\Temporalio.Extensions.Hosting\Temporalio.Extensions.Hosting.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
    .\sdk-dotnet\tests\Temporalio.Tests\Temporalio.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
    .\sdk-dotnet\tests\Temporalio.Tests\Temporalio.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj

Restore failed with 4 error(s) in 0.7s

cretz commented 1 week ago

Hrmm, these issues do not occur in our CI build when we do a dotnet build. I wonder if our dotnet version is off. For instance, https://github.com/temporalio/sdk-dotnet/actions/runs/10812517816 is not reporting this. Can you provide the steps to replicate this build error? Is there a global setting you have that we do not in CI?

Regardless, we can definitely update the test dependencies. For the Temporalio.Extensions.Hosting dependency I'm a bit more hesitant to require the next major version (though of course we suggest all users of the library use the latest), but we may be able to upgrade that too.

rstm-sf commented 6 days ago

It seems to be because the .NET 6 SDK is being used, and it may not have up-to-date package checking for known vulnerabilities.

I have SDKs from 6 to 9, and when I build, I use global.json to specify that SDK 8 should be used. Now I tried specifying SDK 6, and there were no errors either:

dotnet build
MSBuild version 17.3.4+a400405ba for .NET
  Determining projects to restore...
  Restored .\sdk-dotnet\src\Temporalio.Extensions.OpenTelemetry\Temporalio.Extensions.OpenTelemetry.csproj (in 193 ms).
  Restored .\sdk-dotnet\src\Temporalio.Extensions.DiagnosticSource\Temporalio.Extensions.DiagnosticSource.csproj (in 193 ms).
  Restored .\sdk-dotnet\src\Temporalio.Extensions.Hosting\Temporalio.Extensions.Hosting.csproj (in 213 ms).
  Restored .\sdk-dotnet\src\Temporalio\Temporalio.csproj (in 193 ms).
  Restored .\sdk-dotnet\tests\Temporalio.Tests\Temporalio.Tests.csproj (in 232 ms).
  Temporalio -> .\sdk-dotnet\src\Temporalio\bin\Debug\netcoreapp3.1\Temporalio.dll
  Temporalio -> .\sdk-dotnet\src\Temporalio\bin\Debug\netstandard2.0\Temporalio.dll
  Temporalio -> .\sdk-dotnet\src\Temporalio\bin\Debug\net462\Temporalio.dll
  Temporalio.Extensions.DiagnosticSource -> .\sdk-dotnet\src\Temporalio.Extensions.DiagnosticSource\bin\Debug\netstandard2.0\Temporalio.Extensions.DiagnosticSource.dll
  Temporalio.Extensions.OpenTelemetry -> .\sdk-dotnet\src\Temporalio.Extensions.OpenTelemetry\bin\Debug\netstandard2.0\Temporalio.Extensions.OpenTelemetry.dll
  Temporalio.Extensions.Hosting -> .\sdk-dotnet\src\Temporalio.Extensions.Hosting\bin\Debug\netstandard2.0\Temporalio.Extensions.Hosting.dll
  Temporalio.Extensions.Hosting -> .\sdk-dotnet\src\Temporalio.Extensions.Hosting\bin\Debug\net462\Temporalio.Extensions.Hosting.dll
  Temporalio.Extensions.DiagnosticSource -> .\sdk-dotnet\src\Temporalio.Extensions.DiagnosticSource\bin\Debug\net462\Temporalio.Extensions.DiagnosticSource.dll
  Temporalio.Extensions.OpenTelemetry -> .\sdk-dotnet\src\Temporalio.Extensions.OpenTelemetry\bin\Debug\net462\Temporalio.Extensions.OpenTelemetry.dll
  Temporalio.Extensions.Hosting -> .\sdk-dotnet\src\Temporalio.Extensions.Hosting\bin\Debug\net6.0\Temporalio.Extensions.Hosting.dll
  Temporalio.Tests -> .\sdk-dotnet\tests\Temporalio.Tests\bin\Debug\net6.0\Temporalio.Tests.dll

{
  "sdk": {
    "version": "6.0.0",
    "rollForward": "latestFeature",
    "allowPrerelease": false
  }
}

cretz commented 6 days ago

Thanks! We will look into setting up a build with .NET 8 and look into updating minimum dependencies in a way that doesn't harm past users.

This should just affect builds of the SDK, not usage of the SDK, so we likely won't release an emergency patch release for this, but we should get to this soon. You can either alter the dependency versions explicitly or disable this warning in the meantime.
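The two options the last comment names, side by side, as an added example that is not part of the sdk-dotnet repository's own build files. It is a csproj fragment that assumes the repository sets TreatWarningsAsErrors (the "Warning As Error" prefix in the errors above), uses NuGet's audit properties, and leaves the patched package versions as placeholders to be taken from each advisory.

```xml
<!-- Added example (not sdk-dotnet's own csproj): keep the NuGet vulnerability
     audit running while stopping NU1903 from failing restore. Assumes
     TreatWarningsAsErrors is already on, as the "Warning As Error" errors show. -->
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>

    <!-- Weak setting: turns the audit off entirely, so future advisories
         against any dependency are never reported. Left commented out. -->
    <!-- <NuGetAudit>false</NuGetAudit> -->

    <!-- Narrow setting: audit stays on and still covers transitive packages,
         but moderate (NU1902) and high (NU1903) findings are downgraded back
         to warnings so restore succeeds. Critical (NU1904) still fails the build. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <WarningsNotAsErrors>$(WarningsNotAsErrors);NU1902;NU1903</WarningsNotAsErrors>
  </PropertyGroup>

  <!-- Preferred fix: reference the flagged transitive packages directly at a
       patched version so they are lifted for the whole graph. PLACEHOLDER
       values must be replaced with the first patched version each advisory lists. -->
  <ItemGroup>
    <PackageReference Include="System.Net.Http" Version="PLACEHOLDER_PATCHED_VERSION" />
    <PackageReference Include="System.Text.RegularExpressions" Version="PLACEHOLDER_PATCHED_VERSION" />
  </ItemGroup>
</Project>
```

The NuGetAudit properties are only honoured by SDKs that ship the audit feature, which is why the .NET 6 SDK build above reports nothing; pinning the SDK with global.json therefore changes which findings appear, not whether the packages are affected.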