Disable transitive package version pinning (#15406)

* Disable transitive package version pinning * Take top-level dependencies on Azure.Identity and System.Net.Http * Take top-level dependencies on System.Security.Cryptography.Xml and System.Text.RegularExpressions
2023-12-08 15:00:18 +01:00
parent f65e76ba5a
commit 9e96bba9bc
7 changed files with 22 additions and 14 deletions
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -2,17 +2,14 @@
 <Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
-    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>
-  
  <!-- Global packages (private, build-time packages for all projects) -->
  <ItemGroup>
    <GlobalPackageReference Include="Nerdbank.GitVersioning" Version="3.6.133" />
    <GlobalPackageReference Include="StyleCop.Analyzers" Version="1.2.0-beta.507" />
-    <GlobalPackageReference Include="Umbraco.Code" Version="2.0.0" />
+    <GlobalPackageReference Include="Umbraco.Code" Version="2.1.0" />
    <GlobalPackageReference Include="Umbraco.GitVersioning.Extensions" Version="0.2.0" />
  </ItemGroup>
-  
  <!-- Microsoft packages -->
  <ItemGroup>
    <PackageVersion Include="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="8.0.0" />
@@ -37,16 +34,14 @@
    <PackageVersion Include="Microsoft.Extensions.Options.DataAnnotations" Version="8.0.0" />
    <PackageVersion Include="System.Runtime.Caching" Version="8.0.0" />
  </ItemGroup>
-  
  <!-- Umbraco packages -->
  <ItemGroup>
    <PackageVersion Include="Umbraco.JsonSchema.Extensions" Version="0.3.0" />
    <PackageVersion Include="Umbraco.CSharpTest.Net.Collections" Version="15.0.0" />
  </ItemGroup>
-  
  <!-- Third-party packages -->
  <ItemGroup>
-    <PackageVersion Include="Asp.Versioning.Mvc" Version="7.1.0" />
+    <PackageVersion Include="Asp.Versioning.Mvc" Version="7.1.1" />
    <PackageVersion Include="Asp.Versioning.Mvc.ApiExplorer" Version="7.1.0" />
    <PackageVersion Include="Dazinator.Extensions.FileProviders" Version="2.0.0" />
    <PackageVersion Include="Examine" Version="3.1.0" />
@@ -83,14 +78,15 @@
    <PackageVersion Include="Smidge.Nuglify" Version="4.3.0" />
    <PackageVersion Include="Swashbuckle.AspNetCore" Version="6.5.0" />
  </ItemGroup>
-  
-  <!-- Transitive pinned versions -->
+  <!-- Transitive pinned versions (only required because our direct dependencies have vulnerable versions of transitive dependencies) -->
  <ItemGroup>
-    <!-- NPoco.SqlServer brings in a vulnerable version of Azure.Identity -->
+    <!-- Both Microsoft.EntityFrameworkCore.SqlServer and NPoco.SqlServer bring in a vulnerable version of Azure.Identity -->
    <PackageVersion Include="Azure.Identity" Version="1.10.4" />
-    <!-- Umbraco.Code depends on an outdated Microsoft.CodeAnalysis.CSharp.Workspaces version-->
-    <PackageVersion Include="Microsoft.CodeAnalysis.CSharp.Workspaces" Version="4.8.0" />
    <!-- Dazinator.Extensions.FileProviders brings in a vulnerable version of System.Net.Http -->
    <PackageVersion Include="System.Net.Http" Version="4.3.4" />
+    <!-- Examine brings in a vulnerable version of System.Security.Cryptography.Xml -->
+    <PackageVersion Include="System.Security.Cryptography.Xml" Version="8.0.0" />
+    <!-- Both Dazinator.Extensions.FileProviders and MiniProfiler.AspNetCore.Mvc bring in a vulnerable version of System.Text.RegularExpressions -->
+    <PackageVersion Include="System.Text.RegularExpressions" Version="4.3.1" />
  </ItemGroup>
 </Project>