Remove multiple internal feeds #23231
Conversation
|
Should SNIPPETS 5000 have run here? |
| @@ -3,7 +3,6 @@ | |||
| <packageSources> | |||
| <clear /> | |||
| <add key="dotnet-public" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json" /> | |||
| <add key="dotnet-tools" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-tools/nuget/v3/index.json" /> | |||
There was a problem hiding this comment.
This is certainly a false positive. The removal of the package will break the sample. A security risk is possible only if nuget.org exists along with the private feeds. See also dotnet/roslyn-sdk#725
There was a problem hiding this comment.
@Youssef1313 Can we configure it differently? It's blocking our publishing pipeline.
There was a problem hiding this comment.
There is currently no way (AFAIK). The appropriate fix should be from roslyn-sdk side when the package is published on nuget.org.
No, it is only configured to run on certain files. See here for the listing. Maye you should add a nuget.config entry? |
|
@IEvangelist I think it's not the only needed change. See dotnet/samples#3746 (comment) |
Hi @Youssef1313 - I'm well aware my friend. We might end up going with an exclusion listing (negation) rather than include paths, might be simpler to say when we don't want it running versus all the things that we'd like it to trigger on. |
|
I agree it sounds better to go for an exclusion list. 🎉 |
|
PR is incorrect. Also, I was able to add a variable to the pipelines so the build doesn't fail. |
NuGet Security Analysis found 1 vulnerable package manifest in the repository. Visit https://aka.ms/nugetmultifeed for more details.