Fix unrelated CVE warnings

[Mailaender]

that happen because .NET changed <NuGetAuditMode> to all. See https://github.com/OpenHV/OpenHV/actions/runs/11987849692/job/33422489150 for example.

[RoosterDragon]

Do you still get warnings after updating the package but using the new mode? It seems valuable to use the new setting if we can.

[Mailaender]

You mean I should skip d866823?

[RoosterDragon]

You mean I should skip d866823?

Yes, I think getting these warnings is valuable.

[Mailaender]

Okay. Kept the audit mode covering also indirect dependencies. This is not fixable downstream because the setting is at project level. OpenHV/OpenHV#1231 solved it by downgrading Windows and therefore the .NET version.

[michaeldgg2]

If newer version of the SDK is bothering you, you can force different in global.json, you don't have to downgrade entire Windows version because of that.

https://learn.microsoft.com/en-us/dotnet/core/tools/global-json

[Mailaender]

I haven't tried that, but I assume that would only change the targeted SDK not the default setting of <NuGetAuditMode> as .NET 9 would still be responsible for the compilation.

[michaeldgg2]

No, if you force a specific version of SDK via global.json, you need to have that version installed, otherwise the .NET CLI command will fail to run (taking into account rollForward configuration of course).

In CI (continuous integration) scenarios, however, you typically want to specify an acceptable range for the SDK version that is used. The global.json file has a rollForward feature that provides flexible ways to specify an acceptable range of versions.

[PunkPun]

changelog

[PunkPun]

changelog

f316d4c