
@joperezr joperezr commented Aug 6, 2024

Fixing Component Governance alert due to a transitive dependency.

@joperezr joperezr requested review from ericstj and radical August 6, 2024 18:27
@joperezr joperezr enabled auto-merge (squash) August 6, 2024 18:28
Co-authored-by: Jared Parsons <jared@paranoidcoding.org>
<PackageVersion Include="Microsoft.Build.Utilities.Core" Version="17.5.0" />
<PackageVersion Include="Microsoft.Build" Version="17.5.0" />

<!-- component governance -->
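
Review bot: The `<!-- component governance -->` header on the last line of this hunk names the alerting process rather than the reason the pin exists. A comment stating which direct dependency brings the package in transitively, and that the entry can be dropped once that dependency ships the bumped version, would let a later maintainer tell when the pin is safe to remove.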
Member


Not sure it's helpful to say component governance here. We need this because it's a transitive dependency of MSBuild.

Member Author


Oh, sorry, had auto-merge set so it merged after your approval but I can fix this in a follow up. The thinking here is that this isn't a direct dependency, so I wanted to add a section for Versions that are only there due to lifting transitive dependencies for CG. We do that in Aspire too. This way, we know we can safely remove those once we update direct dependencies that have bumped the transitive version.


@ericstj ericstj left a comment


It's fine, but as a nit I'd just put it in with "Other dependencies". We need it because it's a transitive dependency of MSBuild.

@joperezr joperezr merged commit 4292dd2 into main Aug 6, 2024
@akoeplinger akoeplinger deleted the FixCGAlert branch April 25, 2025 14:26