@bart-vmware bart-vmware commented Aug 6, 2025

Description

Adds explicit package references for transient packages that are reported as vulnerable.
Includes a GitHub Actions workflow to detect future vulnerabilities.

The higher versions mostly affect test dependencies, except for the following:

  • Microsoft.IdentityModel.JsonWebTokens (replacement for System.IdentityModel.Tokens.Jwt): Bumped both from 5.2.2 to 7.7.1

The warnings caused by KubernetesClient are suppressed, because there's no non-breaking solution. The lowest version without transitive vulnerabilities no longer targets netstandard2.0, which breaks upstream Steeltoe packages. Furthermore, that version has breaking API changes that are non-trivial to fix. The suppression works in the .NET CLI, but Visual Studio Package Manager ignores it.

Quality checklist

  • Your code complies with our Coding Style.
  • You've updated unit and/or integration tests for your change, where applicable.
  • You've updated documentation for your change, where applicable.
    If your change affects other repositories, such as Documentation, Samples and/or MainSite, add linked PRs here.
  • There's an open issue for the PR that you are making. If you'd like to propose a new feature or change, please open an issue to discuss the change or find an existing issue.
  • You've added required license files and/or file headers (explaining where the code came from with proper attribution), where code is copied from StackOverflow, a blog, or OSS.
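The "GitHub Actions workflow to detect future vulnerabilities" named in the description is not shown on this page. As an added example (not code from this PR or from the Steeltoe project), the POSIX shell gate below shows the check such a CI step can apply to the text output of `dotnet list package --vulnerable --include-transitive`: it fails the step when any reported package is not on an allowlist of knowingly accepted packages, which is the position the PR takes for KubernetesClient. The sample output, its severities, the KubernetesClient version and the advisory URLs are constructed; the line layout (one line starting with `>` per reported package) is assumed to match the SDK's text output.

```shell
#!/bin/sh
# Added example, not part of the Steeltoe PR. Gate for the text output of
# `dotnet list package --vulnerable --include-transitive`.
# Assumption: the SDK prints each reported package on a line whose first
# field is ">", with the package name as the second field.

# Constructed sample output (not a real SDK capture): one clean project and
# one project with two findings. Severities, the KubernetesClient version
# (0.0.0 placeholder) and the advisory URLs are placeholders.
SAMPLE_OUTPUT='The following sources were used:
   https://api.nuget.org/v3/index.json

The given project `Steeltoe.Example.Clean` has no vulnerable packages given the current sources.

Project `Steeltoe.Example.Web` has the following vulnerable packages
   [netstandard2.0]:
   Transitive Package                  Resolved   Severity   Advisory URL
   > System.IdentityModel.Tokens.Jwt   5.2.2      Moderate   https://github.com/advisories/GHSA-placeholder-1
   > KubernetesClient                  0.0.0      High       https://github.com/advisories/GHSA-placeholder-2
'

# Print the names of all packages the SDK reported, one per line.
vulnerable_packages() {
    printf '%s\n' "$1" | awk '$1 == ">" { print $2 }'
}

# Print how many packages were reported (0 when the output is clean).
vulnerable_count() {
    printf '%s\n' "$1" | awk '$1 == ">" { n++ } END { print n + 0 }'
}

# Return 0 when every reported package is on the allowlist, 1 otherwise.
# $1: command output; $2: space-separated package names whose warnings are
# knowingly accepted (the PR's KubernetesClient case).
check_vulnerabilities() {
    output="$1"
    allowlist="$2"
    failures=0
    for pkg in $(vulnerable_packages "$output"); do
        accepted=0
        for ok in $allowlist; do
            [ "$pkg" = "$ok" ] && accepted=1
        done
        if [ "$accepted" -eq 1 ]; then
            echo "accepted (suppressed): $pkg"
        else
            echo "vulnerable: $pkg"
            failures=$((failures + 1))
        fi
    done
    echo "unaccepted vulnerable packages: $failures"
    [ "$failures" -eq 0 ]
}

# Stand-alone run against the constructed sample: KubernetesClient is
# accepted, the JWT package is not, so the gate reports failure.
check_vulnerabilities "$SAMPLE_OUTPUT" "KubernetesClient" || echo "gate: build would fail"
```

In a workflow step the real command output replaces the constructed sample, for example `check_vulnerabilities "$(dotnet list package --vulnerable --include-transitive)" "KubernetesClient"`, and the step's exit status is the function's return value. Keeping the allowlist explicit in the workflow means an accepted warning such as KubernetesClient stays visible in the job log rather than disappearing silently, which matters because, as the description notes, the build-level suppression is honoured by the .NET CLI but not by the Visual Studio Package Manager.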

@bart-vmware bart-vmware force-pushed the fix-transitive-vulnerable-dependencies-3x branch 2 times, most recently from 8e48ca2 to 4275035 Compare August 7, 2025 10:45
@thompson-tomo thompson-tomo left a comment


We should not be introducing explicit dependencies for things available natively from the framework. If necessary, they could be conditional so that they are only added on the older TFMs where necessary, or another dependency has it as a dependency for all TFMs.

At the same time, transitive pinning in conjunction with central package management also helps simplify this.

bart-vmware commented Aug 7, 2025

> We should not be introducing explicit dependencies for things available natively from the framework. If necessary, they could be conditional so that they are only added on the older TFMs where necessary, or another dependency has it as a dependency for all TFMs.
>
> At the same time, transitive pinning in conjunction with central package management also helps simplify this.

This is not possible in most cases. Base projects in Steeltoe 3.x reference netstandard, which doesn't provide these packages. The goal here is to ensure non-vulnerable dependencies with minimal customer impact, rather than redesigning how dependencies flow in 3.x. It's either this or dropping netstandard and net6.0 entirely, which has way more impact.

See also the explanation at #1556. Our plan is to release a minor 3.x version that works with .NET 6 and .NET 8 (except for Stream/Messaging/Integration) and will be supported for one year. This should enable customers to transition to Steeltoe 4.0, where dependencies are handled in a different manner.

@bart-vmware bart-vmware added ReleaseLine/4.x Identified as a feature/fix for the 4.x release line ReleaseLine/3.x Identified as a feature/fix for the 3.x release line and removed ReleaseLine/4.x Identified as a feature/fix for the 4.x release line labels Aug 7, 2025
@bart-vmware bart-vmware added this to the 3.3.0 milestone Aug 7, 2025
@bart-vmware bart-vmware force-pushed the fix-transitive-vulnerable-dependencies-3x branch from 4275035 to 7ef5b90 Compare August 7, 2025 12:10
@bart-vmware bart-vmware marked this pull request as ready for review August 7, 2025 14:03
@bart-vmware bart-vmware requested a review from TimHess August 7, 2025 14:03
Base automatically changed from centralize-versions-3x to 3.x August 11, 2025 13:33
@bart-vmware bart-vmware force-pushed the fix-transitive-vulnerable-dependencies-3x branch from 7ef5b90 to d03beba Compare August 11, 2025 13:56
@TimHess TimHess left a comment


I don't love the situation with KubernetesClient, but I agree that doing anything different would have an undesired ripple effect.

@bart-vmware bart-vmware merged commit 465dce4 into 3.x Aug 13, 2025
35 of 36 checks passed
@bart-vmware bart-vmware deleted the fix-transitive-vulnerable-dependencies-3x branch August 13, 2025 06:14

Labels

ReleaseLine/3.x Identified as a feature/fix for the 3.x release line

4 participants