When NuGet finds a vulnerable package in your project, it tells you. NU1901 through NU1904 have warned about CVEs in your dependencies for a while now. The SDK that runs the build, though? That’s been a blind spot. You can sit on a perfectly patched set of packages and still be running dotnet build with an SDK that went end of life last May. That always struck me as a gap worth closing. So I decided to fix it.
No comments yet. Log in to reply on the Fediverse. Comments will appear here.