Update packages used by repo (#5939)

Directory.Packages.props

@@ -4,12 +4,13 @@
 
     <MicrosoftCodeAnalysisPublicApiAnalyzersVersion Condition="'$(MicrosoftCodeAnalysisPublicApiAnalyzersVersion)' == ''">3.3.4</MicrosoftCodeAnalysisPublicApiAnalyzersVersion>
     <NewtonsoftJsonPackageVersion Condition="'$(NewtonsoftJsonPackageVersion)' == ''">13.0.3</NewtonsoftJsonPackageVersion>
-    <SystemTextJsonVersion Condition="'$(SystemTextJsonVersion)' == ''">7.0.3</SystemTextJsonVersion>
+    <SystemTextJsonVersion Condition="'$(SystemTextJsonVersion)' == ''">8.0.4</SystemTextJsonVersion>
     <SystemPackagesVersion Condition="'$(SystemPackagesVersion)' == ''">4.3.0</SystemPackagesVersion>
     <SystemCommandLineVersion Condition="'$(SystemCommandLineVersion)' == ''">2.0.0-beta4.23307.1</SystemCommandLineVersion>
     <MSTestPackageVersion>3.4.3</MSTestPackageVersion>
   </PropertyGroup>
 
+  <!-- MSBuild has vulnerable dependencies Microsoft.IO.Redist and System.Security.Cryptography.Xml. When it's upgraded, try removing pinned packages-->
   <PropertyGroup>
     <!-- Default MSBuild version -->
     <MicrosoftBuildVersion Condition="'$(MicrosoftBuildVersion)' == ''">17.10.4</MicrosoftBuildVersion>
@@ -29,8 +30,7 @@
     <SystemComponentModelCompositionPackageVersion Condition="'$(SystemComponentModelCompositionPackageVersion)' == ''">4.5.0</SystemComponentModelCompositionPackageVersion>
     <SystemSecurityCryptographyPkcsVersion Condition="'$(SystemSecurityCryptographyPkcsVersion)' == ''">6.0.4</SystemSecurityCryptographyPkcsVersion>
     <!-- System.Security.Cryptography.Xml is a dependency of Microsoft.Build.Tasks.Core. This property can be probably removed when MSBuild is updated to a newer version. -->
-    <SystemSecurityCryptographyXmlVersion Condition="'$(SystemSecurityCryptographyXmlVersion)' == ''">6.0.1</SystemSecurityCryptographyXmlVersion>
-    <SystemSecurityCryptographyXmlVersion Condition="'$(MicrosoftBuildVersion)' == '16.8.0' Or '$(MicrosoftBuildVersion)' == '16.11.0'">4.7.1</SystemSecurityCryptographyXmlVersion>
+    <SystemSecurityCryptographyXmlVersion Condition="'$(SystemSecurityCryptographyXmlVersion)' == ''">8.0.1</SystemSecurityCryptographyXmlVersion>
   </PropertyGroup>
 
   <ItemGroup>
@@ -59,6 +59,7 @@
     <PackageVersion Include="Microsoft.NET.StringTools" Version="$(MicrosoftBuildVersion)" />
     <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.8.0" />
     <PackageVersion Include="Microsoft.PowerShell.3.ReferenceAssemblies" Version="1.0.0" />
+    <!-- Microsoft.TeamFoundationServer.ExtendedClient has vulnerable dependencies Microsoft.IdentityModel.JsonWebTokens and System.IdentityModel.Tokens.Jwt . When it's upgraded, try removing the pinned packages -->
     <PackageVersion Include="Microsoft.TeamFoundationServer.ExtendedClient" Version="16.153.0" />
     <PackageVersion Include="Microsoft.Test.Apex.VisualStudio" Version="17.11.35005.70" />
     <PackageVersion Include="Microsoft.TestPlatform.Portable" Version="17.1.0" />
@@ -67,6 +68,7 @@
     <PackageVersion Include="Microsoft.VisualStudio.ProjectSystem.Managed" Version="17.2.0-beta1-20502-01" />
     <PackageVersion Include="Microsoft.VisualStudio.ProjectSystem.Managed.VS" Version="17.2.0-beta1-20502-01" />
     <PackageVersion Include="Microsoft.VisualStudio.ProjectSystem.VS" Version="17.4.221-pre" />
+    <!-- Microsoft.VisualStudio.SDK has vulnerable dependencies System.Text.json and Microsoft.IO.Redist. When it's upgraded, try removing the pinned packages -->
     <PackageVersion Include="Microsoft.VisualStudio.SDK" Version="17.10.40171" />
     <PackageVersion Include="Microsoft.VisualStudio.Sdk.TestFramework.Xunit" Version="17.6.32" />
     <PackageVersion Include="Microsoft.VisualStudio.Setup.Configuration.Interop" Version="3.4.2244" />
@@ -92,6 +94,7 @@
     <PackageVersion Include="System.Resources.ResourceManager" Version="$(SystemPackagesVersion)" />
     <PackageVersion Include="System.Runtime.Extensions" Version="$(SystemPackagesVersion)" />
     <PackageVersion Include="System.Runtime.InteropServices" Version="$(SystemPackagesVersion)" />
+    <!-- System.Security.Cryptography.Pkcs has a vulnerable dependency System.Formats.Asn1. When it's upgraded, try removing the pinned packages -->
     <PackageVersion Include="System.Security.Cryptography.Pkcs" Version="$(SystemSecurityCryptographyPkcsVersion)" />
     <PackageVersion Include="System.Security.Cryptography.ProtectedData" Version="4.4.0" />
     <PackageVersion Include="System.Security.Cryptography.Xml" Version="$(SystemSecurityCryptographyXmlVersion)" />
@@ -106,11 +109,21 @@
     -->
     <PackageVersion Include="System.Threading.Tasks.Dataflow" Version="4.9.0" />
     <PackageVersion Include="VsWebSite.Interop" Version="17.10.40173" />
-    <PackageVersion Include="xunit" Version="2.6.3" />
+    <PackageVersion Include="xunit" Version="2.9.0" />
     <PackageVersion Include="xunit.runner.visualstudio" Version="2.4.5" />
     <PackageVersion Include="Xunit.StaFact" Version="1.1.11" />
   </ItemGroup>
 
+  <!--
+    These PackageVersions are only used to resolve transitive packages with known vulnerabilities.
+    Once the packages depending on these packages are upgraded, these PackageVersions can be removed.
+  -->
+  <ItemGroup>
+    <PackageVersion Include="Microsoft.IO.Redist" Version="6.0.1" />
+    <PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens" Version="5.7.0" />
+    <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="5.7.0" />
+  </ItemGroup>
+
   <!--
     Packages that provide NuGet's Visual Studio extensibility APIs should not depend on the Visual Studio SDK, to ensure
     there are no circular references in case the VS SDK itself adds our package as a dependency. Everything else, however
@@ -126,6 +139,7 @@
     <PackageVersion Include="Microsoft.ServiceHub.Framework" Version="4.5.31" />
     <PackageVersion Include="Microsoft.VisualStudio.ComponentModelHost" Version="17.10.191" />
     <PackageVersion Update="Microsoft.VisualStudio.SDK" Version="" />
+    <!-- Microsoft.VisualStudio.Shell.15.0 has vulnerable dependencies System.Text.Json and Microsoft.IO.Redist. When it's upgraded, try removing the pinned packages -->
     <PackageVersion Include="Microsoft.VisualStudio.Shell.15.0" Version="17.10.40173" />
   </ItemGroup>
 

NuGet.Config

@@ -9,6 +9,10 @@
     <add key="nuget-build" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/nuget-build/nuget/v3/index.json" />
     <add key="vside" value="https://pkgs.dev.azure.com/azure-public/vside/_packaging/msft_consumption%40Local/nuget/v3/index.json" />
   </packageSources>
+  <auditSources>
+    <clear />
+    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
+  </auditSources>
   <packageSourceMapping>
     <clear />
     <packageSource key = "dotnet-public">

build/common.project.props

@@ -67,6 +67,7 @@
   <!-- Defaults -->
   <PropertyGroup>
     <TreatWarningsAsErrors Condition=" '$(TreatWarningsAsErrors)' == '' ">true</TreatWarningsAsErrors>
+    <WarningsNotAsErrors>NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>
     <!-- Treat all warnings as errors, except on official builds since we don't want new warnings to break servicing branches -->
     <MSBuildTreatWarningsAsErrors Condition=" '$(MSBuildTreatWarningsAsErrors)' == '' And '$(IsOfficialBuild)' != 'true' ">true</MSBuildTreatWarningsAsErrors>
   </PropertyGroup>

src/NuGet.Clients/NuGet.PackageManagement.VisualStudio/NuGet.PackageManagement.VisualStudio.csproj

@@ -23,12 +23,21 @@
     <PackageReference Include="Microsoft.Build" ExcludeAssets="Runtime" PrivateAssets="All" />
     <PackageReference Include="Microsoft.Build.Utilities.Core" ExcludeAssets="Runtime" PrivateAssets="All" />
     <PackageReference Include="Microsoft.DataAI.NuGetRecommender.Contracts" />
-    <PackageReference Include="Microsoft.TeamFoundationServer.ExtendedClient" /> 
+    <PackageReference Include="Microsoft.TeamFoundationServer.ExtendedClient" />
     <PackageReference Include="Microsoft.VisualStudio.VCProjectEngine" />
     <PackageReference Include="Microsoft.VisualStudio.Sdk" />
     <PackageReference Include="VsWebSite.Interop" />
   </ItemGroup>
 
+  <ItemGroup Label="transitive package pinning">
+    <!--
+      These packages are dependencies of Microsoft.TeamFoundationServer.ExtendedClient
+      When it is upgraded to a newer version, try deleting the below PackageReferences
+      -->
+    <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" />
+    <PackageReference Include="System.IdentityModel.Tokens.Jwt" />
+  </ItemGroup>
+
   <ItemGroup>
     <ProjectReference Include="..\NuGet.Indexing\NuGet.Indexing.csproj" />
     <ProjectReference Include="..\NuGet.VisualStudio.Common\NuGet.VisualStudio.Common.csproj" />

src/NuGet.Clients/NuGet.VisualStudio.Contracts/NuGet.VisualStudio.Contracts.csproj

@@ -17,7 +17,15 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.ServiceHub.Framework" />
+  </ItemGroup>
+  <ItemGroup Label="transitive package pinning">
+    <!--
+      These packages are dependencies of directly referenced PackageReferences.
+      When the above PackageReferences are upgraded to newer versions, try deleting the below PackageReferences
+      -->
     <!-- We do this to avoid the warning our build raises about keeping a consistent newtonsoft.json version. We don't need newtonsonft.json type in here, we don't use it. -->
     <PackageReference Include="Newtonsoft.Json" PrivateAssets="all" ExcludeAssets="all" />
+    <!-- System.Text.Json is a dependency of Microsoft.ServiceHub.Framework. Remove the PackageReference once it no longer depends on a vulnerable version -->
+    <PackageReference Include="System.Text.Json" />
   </ItemGroup>
 </Project>

src/NuGet.Clients/NuGet.VisualStudio.Internal.Contracts/NuGet.VisualStudio.Internal.Contracts.csproj

@@ -12,6 +12,14 @@
     <PackageReference Include="Microsoft.VisualStudio.Sdk" />
   </ItemGroup>
 
+  <ItemGroup Label="transitive package pinning">
+    <!--
+      These packages are dependencies of the VS SDK
+      When it is upgraded to a newer version, try deleting the below PackageReference
+      -->
+    <PackageReference Include="Microsoft.IO.Redist" />
+  </ItemGroup>
+
   <ItemGroup>
     <ProjectReference Include="..\..\NuGet.Core\NuGet.PackageManagement\NuGet.PackageManagement.csproj" />
   </ItemGroup>

src/NuGet.Clients/NuGet.VisualStudio.Interop/NuGet.VisualStudio.Interop.csproj

@@ -17,6 +17,16 @@
     <PackageReference Include="Microsoft.VisualStudio.Shell.15.0" />
     <PackageReference Include="Newtonsoft.Json" ExcludeAssets="all" />
   </ItemGroup>
+
+  <ItemGroup Label="transitive package pinning">
+    <!--
+      These packages are dependencies of Microsoft.VisualStudio.Shell.15.0
+      When it is upgraded to a newer version, try deleting the below PackageReferences
+      -->
+    <PackageReference Include="Microsoft.IO.Redist" />
+    <PackageReference Include="System.Text.Json" />
+  </ItemGroup>
+
   <ItemGroup>
     <Reference Include="System.ComponentModel.Composition" />
   </ItemGroup>

src/NuGet.Core/NuGet.Build.Tasks.Console/NuGet.Build.Tasks.Console.csproj

@@ -33,7 +33,15 @@
   <ItemGroup Condition=" '$(TargetFramework)' == '$(NETFXTargetFramework)' ">
     <Reference Include="Microsoft.Build.Utilities.v4.0" Aliases="MicrosoftBuildUtilitiesv4" />
   </ItemGroup>
-
+
+  <ItemGroup Label="transitive package pinning">
+    <!--
+      These packages are dependencies of MSBuild
+      When it is upgraded to a newer version, try deleting the below PackageReferences
+      -->
+    <PackageReference Include="Microsoft.IO.Redist" Condition=" '$(TargetFrameworkIdentifier)' == '.NETFramework' " />
+  </ItemGroup>
+
   <ItemGroup>
     <None Include="App.config" Condition=" '$(TargetFramework)' == '$(NETFXTargetFramework)' " />
     <None Include="app.manifest" />

src/NuGet.Core/NuGet.Build.Tasks.Pack/NuGet.Build.Tasks.Pack.csproj

@@ -47,6 +47,14 @@
     <PackageReference Include="Microsoft.Build.Utilities.Core" ExcludeAssets="runtime" GeneratePathProperty="true" />
   </ItemGroup>
 
+  <ItemGroup Label="transitive package pinning">
+    <!--
+      This package is a dependency of Microsoft.Build.Tasks.Core
+      When it is upgraded to a newer version, try deleting the below PackageReference
+      -->
+    <PackageReference Include="System.Security.Cryptography.Xml" GeneratePathProperty="true" Condition=" '$(TargetFramework)' != '$(NETFXTargetFramework)' " />
+  </ItemGroup>
+
   <ItemGroup>
     <Compile Update="Strings.Designer.cs">
       <DesignTime>True</DesignTime>

src/NuGet.Core/NuGet.Packaging/NuGet.Packaging.csproj

@@ -46,6 +46,14 @@
     <PackageReference Include="System.Security.Cryptography.Pkcs" />
   </ItemGroup>
 
+  <ItemGroup Label="transitive package pinning">
+    <!--
+      This package is a dependency of System.Security.Cryptography.Pkcs
+      When it is upgraded to a newer version, try deleting the below PackageReference
+      -->
+    <PackageReference Include="System.Formats.Asn1" Condition=" '$(TargetFramework)' != '$(NETFXTargetFramework)'" />
+  </ItemGroup>
+
   <ItemGroup>
     <Compile Update="Signing\DerEncoding\SR.Designer.cs">
       <DesignTime>True</DesignTime>

test/NuGet.Clients.Tests/NuGet.PackageManagement.UI.Test/Models/V3DetailControlModelTests.cs

@@ -625,7 +625,7 @@ public static IEnumerable<object[]> FloatingVersions_TestCases()
         [InlineData("3.0.0", "3.0.0", true, false)]
         [InlineData("3", "3.0.0", true, false)]
         [InlineData("3.0.1-beta", "3.0.1-beta", true, true)]
-        public async void WhenPackageStyleIsPackageReference_And_CustomVersion_InstalledTab_IsSelectedVersionCorrect(string allowedVersions, string installedVersion, bool isLatest, bool includePrerelease)
+        public async Task WhenPackageStyleIsPackageReference_And_CustomVersion_InstalledTab_IsSelectedVersionCorrect(string allowedVersions, string installedVersion, bool isLatest, bool includePrerelease)
         {
             // Arange project
             Mock<IServiceBroker> mockServiceBroker = new Mock<IServiceBroker>();
@@ -730,7 +730,7 @@ await model.SetCurrentPackageAsync(
         [Theory]
         [MemberData(nameof(FloatingVersions_TestCases))]
 
-        public async void WhenPackageStyleIsPackageReference_And_CustomVersion_UpdatesTab_IsSelectedVersionCorrect(string allowedVersions, string installedVersion, bool isLatest, bool includePrerelease)
+        public async Task WhenPackageStyleIsPackageReference_And_CustomVersion_UpdatesTab_IsSelectedVersionCorrect(string allowedVersions, string installedVersion, bool isLatest, bool includePrerelease)
         {
             // Assert
             // Updates Tab wont show package if it is latest
@@ -855,7 +855,7 @@ await model.SetCurrentPackageAsync(
         [InlineData("3.0.0", "3.0.0", true, false)]
         [InlineData("3", "3.0.0", true, false)]
         [InlineData("3.0.1-beta", "3.0.1-beta", true, true)]
-        public async void WhenPackageStyleIsPackageReference_And_CustomVersion_BrowseTab_IsSelectedVersionCorrect(string allowedVersions, string installedVersion, bool isLatest, bool includePrerelease)
+        public async Task WhenPackageStyleIsPackageReference_And_CustomVersion_BrowseTab_IsSelectedVersionCorrect(string allowedVersions, string installedVersion, bool isLatest, bool includePrerelease)
         {
             // Arange project
             Mock<IServiceBroker> mockServiceBroker = new Mock<IServiceBroker>();
@@ -1065,7 +1065,7 @@ public static IEnumerable<object[]> FloatingVersions_TestCases_NonPackageReferen
         [InlineData(NuGetProjectKind.ProjectK, ProjectModel.ProjectStyle.ProjectJson, "[3,)", "3", true, false)]
         [InlineData(NuGetProjectKind.ProjectK, ProjectModel.ProjectStyle.ProjectJson, "[3.0,)", "3.0", true, false)]
         [InlineData(NuGetProjectKind.ProjectK, ProjectModel.ProjectStyle.ProjectJson, "[3.0.0,)", "3.0.0", true, false)]
-        public async void WhenPackageStyleIsNotPackageReference_And_CustomVersion_InstalledTab_IsSelectedVersionCorrect(NuGetProjectKind projectKind, ProjectModel.ProjectStyle projectStyle, string allowedVersions, string installedVersion, bool isLatest, bool includePrerelease)
+        public async Task WhenPackageStyleIsNotPackageReference_And_CustomVersion_InstalledTab_IsSelectedVersionCorrect(NuGetProjectKind projectKind, ProjectModel.ProjectStyle projectStyle, string allowedVersions, string installedVersion, bool isLatest, bool includePrerelease)
         {
             // Arange project
             Mock<IServiceBroker> mockServiceBroker = new Mock<IServiceBroker>();
@@ -1168,7 +1168,7 @@ await model.SetCurrentPackageAsync(
         [InlineData(NuGetProjectKind.ProjectK, ProjectModel.ProjectStyle.ProjectJson, "[3,)", "3", true, false)]
         [InlineData(NuGetProjectKind.ProjectK, ProjectModel.ProjectStyle.ProjectJson, "[3.0,)", "3.0", true, false)]
         [InlineData(NuGetProjectKind.ProjectK, ProjectModel.ProjectStyle.ProjectJson, "[3.0.0,)", "3.0.0", true, false)]
-        public async void WhenPackageStyleIsNotPackageReference_And_CustomVersion_BrowseTab_IsSelectedVersionCorrect(NuGetProjectKind projectKind, ProjectModel.ProjectStyle projectStyle, string allowedVersions, string installedVersion, bool isLatest, bool includePrerelease)
+        public async Task WhenPackageStyleIsNotPackageReference_And_CustomVersion_BrowseTab_IsSelectedVersionCorrect(NuGetProjectKind projectKind, ProjectModel.ProjectStyle projectStyle, string allowedVersions, string installedVersion, bool isLatest, bool includePrerelease)
         {
             // Arange project
             Mock<IServiceBroker> mockServiceBroker = new Mock<IServiceBroker>();
@@ -1271,7 +1271,7 @@ await model.SetCurrentPackageAsync(
 
         [Theory]
         [MemberData(nameof(FloatingVersions_TestCases_NonPackageReferenceProject))]
-        public async void WhenPackageStyleIsNotPackageReference_And_CustomVersion_UpdatesTab_IsSelectedVersionCorrect(NuGetProjectKind projectKind, ProjectModel.ProjectStyle projectStyle, string allowedVersions, string installedVersion, bool isLatest, bool includePrerelease)
+        public async Task WhenPackageStyleIsNotPackageReference_And_CustomVersion_UpdatesTab_IsSelectedVersionCorrect(NuGetProjectKind projectKind, ProjectModel.ProjectStyle projectStyle, string allowedVersions, string installedVersion, bool isLatest, bool includePrerelease)
         {
             // Arrange project
             Mock<IServiceBroker> mockServiceBroker = new Mock<IServiceBroker>();

test/NuGet.Clients.Tests/NuGet.PackageManagement.UI.Test/PackageLicenseUtilitiesTests.cs

@@ -83,7 +83,7 @@ public void PackageLicenseUtility_GeneratesLinkWithHigherVersion()
             var links = PackageLicenseUtilities.GenerateLicenseLinks(licenseData, licenseFileHeader: null, packagePath: null, packageIdentity: null);
 
             Assert.True(links[0] is WarningText);
-            Assert.Empty(links.Where(e => e is LicenseText));
+            Assert.DoesNotContain(links, e => e is LicenseText);
         }
 
         [Fact]

test/NuGet.Clients.Tests/NuGet.Tools.Test/NuGetBrokeredServiceFactoryTests.cs

@@ -148,12 +148,12 @@ public async Task ProfferServicesAsync_WithAuthorizingBrokeredServiceFactoryServ
             }
         }
 
-        public static TheoryData ServicesAndFactories => new TheoryData<ServiceRpcDescriptor, Type>
+        public static TheoryData<ServiceRpcDescriptor, Type> ServicesAndFactories => new()
             {
                 { ContractsNuGetServices.NuGetProjectServiceV1, typeof(NuGetProjectService) }
             };
 
-        public static TheoryData ServicesAndAuthorizingFactories => new TheoryData<ServiceRpcDescriptor, Type>
+        public static TheoryData<ServiceRpcDescriptor, Type> ServicesAndAuthorizingFactories => new()
             {
                 { NuGetServices.ProjectManagerService, typeof(NuGetProjectManagerService) },
                 { NuGetServices.ProjectUpgraderService, typeof(NuGetProjectUpgraderService) },

test/NuGet.Clients.Tests/NuGet.VisualStudio.Common.Test/NuGetFeedbackDiagnosticFileProviderTests.cs

@@ -15,7 +15,6 @@
 using NuGet.Commands;
 using NuGet.Common;
 using NuGet.Configuration;
-using NuGet.Configuration.Test;
 using NuGet.PackageManagement;
 using NuGet.PackageManagement.Test;
 using NuGet.Packaging.Core;
@@ -55,7 +54,7 @@ public NuGetFeedbackDiagnosticFileProviderTests()
         }
 
         [Fact]
-        public async void GetFiles_NoSolutionMock_ReturnsZip()
+        public async Task GetFiles_NoSolutionMock_ReturnsZip()
         {
             // Arrange - also see constructor
             List<Task> backgroundTasks = new();
@@ -267,7 +266,7 @@ public async Task WriteToZipAsync_WithNonMSSource_SourceHashed()
                 Directory.CreateDirectory(privateRepositoryPath);
 
                 var configPath = Path.Combine(solutionManager.TestDirectory, "nuget.config");
-                SettingsTestUtils.CreateConfigurationFile(configPath, $@"<?xml version=""1.0"" encoding=""utf-8""?>
+                File.WriteAllText(configPath, $@"<?xml version=""1.0"" encoding=""utf-8""?>
 <configuration>
     <packageSources>
     <!--To inherit the global NuGet package sources remove the <clear/> line below -->