FIX - warning NU1903: - Package 'Microsoft.Build' 17.12.6 has a known high severity vulnerability
[C#, .NET, MSBuild]
Recently, I began to get the following warning on a project I was updating:
GNU bash, version 3.2.57(1)-release (arm64-apple-darwin24)
Microsoft (R) .NET SDK version 10.0.101
/Users/rad/Projects/innova.integration.corebanking/build/_build.csproj : warning NU1903: Package 'Microsoft.Build' 17.12.6 has a known high severity vulnerability, https://github.com/advisories/GHSA-w3q9-fxm7-j8fq
/Users/rad/Projects/innova.integration.corebanking/build/_build.csproj : warning NU1903: Package 'Microsoft.Build.Tasks.Core' 17.12.6 has a known high severity vulnerability, https://github.com/advisories/GHSA-h4j7-5rxr-p4wc
/Users/rad/Projects/innova.integration.corebanking/build/_build.csproj : warning NU1903: Package 'Microsoft.Build.Tasks.Core' 17.12.6 has a known high severity vulnerability, https://github.com/advisories/GHSA-w3q9-fxm7-j8fq
/Users/rad/Projects/innova.integration.corebanking/build/_build.csproj : warning NU1903: Package 'Microsoft.Build.Utilities.Core' 17.12.6 has a known high severity vulnerability, https://github.com/advisories/GHSA-w3q9-fxm7-j8fq
/Users/rad/Projects/innova.integration.corebanking/build/_build.csproj : warning NU1903: Package 'Microsoft.Build' 17.12.6 has a known high severity vulnerability, https://github.com/advisories/GHSA-w3q9-fxm7-j8fq
/Users/rad/Projects/innova.integration.corebanking/build/_build.csproj : warning NU1903: Package 'Microsoft.Build.Tasks.Core' 17.12.6 has a known high severity vulnerability, https://github.com/advisories/GHSA-h4j7-5rxr-p4wc
/Users/rad/Projects/innova.integration.corebanking/build/_build.csproj : warning NU1903: Package 'Microsoft.Build.Tasks.Core' 17.12.6 has a known high severity vulnerability, https://github.com/advisories/GHSA-w3q9-fxm7-j8fq
/Users/rad/Projects/innova.integration.corebanking/build/_build.csproj : warning NU1903: Package 'Microsoft.Build.Utilities.Core' 17.12.6 has a known high severity vulnerability, https://github.com/advisories/GHSA-w3q9-fxm7-j8fq
Of course, my first port of call was to check the project file (.csproj) for the project that was the source of this warning.
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net10.0</TargetFramework>
    <NukeRootDirectory>..</NukeRootDirectory>
    <NukeScriptDirectory>..</NukeScriptDirectory>
    <NukeTelemetryVersion>1</NukeTelemetryVersion>
    <IsPackable>false</IsPackable>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Nuke.Common" Version="9.0.4" />
  </ItemGroup>
  <ItemGroup>
    <PackageDownload Include="GitVersion.Tool" Version="[5.12.0]" />
  </ItemGroup>
</Project>
Strangely enough, the packages being flagged were not referenced directly at all!
This indicated that they were transitive dependencies of one (or both) of the packages referenced in the file.
The solution was simple enough: install the packages directly. A direct PackageReference takes precedence over the version a dependency would otherwise pull in, so restore resolves the newer, patched version instead of the flagged 17.12.6.
I ran the following commands in the console:
dotnet add package Microsoft.Build
dotnet add package Microsoft.Build.Tasks.Core
dotnet add package Microsoft.Build.Utilities.Core
This updated the .csproj file such that it looked like this:
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net10.0</TargetFramework>
    <NukeRootDirectory>..</NukeRootDirectory>
    <NukeScriptDirectory>..</NukeScriptDirectory>
    <NukeTelemetryVersion>1</NukeTelemetryVersion>
    <IsPackable>false</IsPackable>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.Build" Version="18.0.2" />
    <PackageReference Include="Microsoft.Build.Tasks.Core" Version="18.0.2" />
    <PackageReference Include="Microsoft.Build.Utilities.Core" Version="18.0.2" />
    <PackageReference Include="Nuke.Common" Version="9.0.4" />
  </ItemGroup>
  <ItemGroup>
    <PackageDownload Include="GitVersion.Tool" Version="[5.12.0]" />
  </ItemGroup>
</Project>
The warning no longer appears. To confirm nothing vulnerable is left in the graph, including packages you do not reference directly, run `dotnet list package --vulnerable --include-transitive` in the project directory.
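The diagnosis above (flagged packages that appear in the restore output but not in the .csproj) can be automated. The following is an added example, not code from the original post: it parses NU190x audit warnings out of a build log, reads the direct PackageReference entries from an SDK-style project file, and reports which flagged packages are only reachable transitively. The log and project text embedded below are constructed from the post's own output.

```python
import re
import xml.etree.ElementTree as ET

# Matches NU1901..NU1904 audit warnings as `dotnet restore`/`build` print them.
NU_AUDIT = re.compile(
    r"warning (NU190\d): Package '(?P<pkg>[^']+)' (?P<ver>\S+) has a known "
    r"(?P<sev>\w+) severity vulnerability, (?P<url>\S+)"
)

def parse_audit_warnings(build_log: str) -> dict:
    """Map (package, version) -> {'severity': str, 'advisories': set} from build output.
    Repeated lines (dotnet often prints each warning more than once) collapse into one entry."""
    found = {}
    for line in build_log.splitlines():
        m = NU_AUDIT.search(line)
        if not m:
            continue
        entry = found.setdefault((m["pkg"], m["ver"]),
                                 {"severity": m["sev"], "advisories": set()})
        entry["advisories"].add(m["url"])
    return found

def direct_references(csproj_xml: str) -> dict:
    """Map package id -> pinned version for every <PackageReference> in the project."""
    root = ET.fromstring(csproj_xml)
    return {el.get("Include"): el.get("Version")
            for el in root.iter("PackageReference") if el.get("Include")}

def transitive_only(build_log: str, csproj_xml: str) -> list:
    """Flagged packages the project does not reference directly, i.e. the ones to pin."""
    direct = direct_references(csproj_xml)
    return sorted({pkg for (pkg, _v) in parse_audit_warnings(build_log) if pkg not in direct})

# Constructed sample input, abbreviated from the warnings shown in the post.
SAMPLE_LOG = """
build/_build.csproj : warning NU1903: Package 'Microsoft.Build' 17.12.6 has a known high severity vulnerability, https://github.com/advisories/GHSA-w3q9-fxm7-j8fq
build/_build.csproj : warning NU1903: Package 'Microsoft.Build.Tasks.Core' 17.12.6 has a known high severity vulnerability, https://github.com/advisories/GHSA-h4j7-5rxr-p4wc
build/_build.csproj : warning NU1903: Package 'Microsoft.Build.Tasks.Core' 17.12.6 has a known high severity vulnerability, https://github.com/advisories/GHSA-w3q9-fxm7-j8fq
build/_build.csproj : warning NU1903: Package 'Microsoft.Build.Utilities.Core' 17.12.6 has a known high severity vulnerability, https://github.com/advisories/GHSA-w3q9-fxm7-j8fq
build/_build.csproj : warning NU1903: Package 'Microsoft.Build' 17.12.6 has a known high severity vulnerability, https://github.com/advisories/GHSA-w3q9-fxm7-j8fq
"""
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup><PackageReference Include="Nuke.Common" Version="9.0.4" /></ItemGroup>
</Project>"""

if __name__ == "__main__":
    for pkg in transitive_only(SAMPLE_LOG, SAMPLE_CSPROJ):
        print(f"dotnet add package {pkg}")  # the pin commands the post ran by hand
```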
TLDR
Directly installing (and thereby updating) the MSBuild packages eliminates the NU1903 warning about vulnerable transitive versions in use.
Happy hacking!