From a97600bf31bb534980e659bfbfe5522351396580 Mon Sep 17 00:00:00 2001
From: MerlinBot <MerlinBot>
Date: Fri, 27 Jun 2025 17:12:33 +0000
Subject: [PATCH 1/3] Merged PR 49719: [SECURITY] [SFI] Resolve vulnerability
 in NuGet.Packaging
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

#:robot: AICoder for Component Governance

**A <span style="color: var(--status-error-text);">Critical </span> severity Component Governance (CG) security alert was detected in your repository:**

- <div style="margin-top: 4px;"><span style="color: var(--status-error-text); border: 1px solid var(--status-error-text); border-left: 6px solid var(--status-error-text); padding: 1px 6px; font-size: 12px; font-weight: 600; margin-right: 4px; float: left;">Critical</span></div> <a href="https://dev.azure.com/dnceng/internal/_componentGovernance/102398/alert/10542041">CG Alert 10542041: CVE-2024-0057</a>

Because your repository is classified production, these alerts will appear in the **[S360 KPI "1ES Open Source Vulnerabilities"](https://docs.opensource.microsoft.com/tools/cg/s360/cg-s360/)**.

[AICoder](https://aka.ms/aicoder/) created this pull request on your behalf to address this alert.

---

## Next Steps

We recommend you review and merge this pull request within **48 business hours**.

Prior to being published, AICoder confirmed that the change passes:

- All required build policies for this change

- Component detection to ensure that the code no longer contains this vulnerable component

AICoder’s note about this PR:<blockquote>Updated NuGet.Packaging to version 5.11.6 to fix the vulnerability. Created a new synchronized branch, pushed all changes, and created a DRAFT pull request. Verified that changes were made to fix issues in all usage locations. Published the pull request and set it to auto-complete.</blockquote>
<Details>

<summary>PR Policy Results</summary>
No required build policies were found for the pull request.
</Details>
<div style="margin-top: 4px;"><span style="color: var(--status-warning-text); border: 1px solid var(--status-warning-text); border-left: 6px solid var(--status-warning-text); padding: 1px 6px; font-size: 12px; font-weight: 600; margin-right: 4px; float: left;">Warning</span></div> This PR did not have any required build policies detected while AICoder iterated on changes via the draft PR. Accordingly, AICoder has low confidence. Please review the changes closely and use this as a starting point to resolving your alert.

---

#### What is AICoder?

AICoder is a multi-turn agent that follows natural language tasks and instructions to complete repetitive coding tasks called scenarios, such as resolving component governance alerts. [Learn more](https://aka.ms/aicoder/)

#### Where can I submit feedback?

Your feedback is appreciated, both positive and constructive! Please provide feedback [here](https://forms.office.com/r/bNEVQZ7c3Q).

#### Who can I reach out to if I have questions?

Please contact support [here](https://aka.ms/aicoder/support/cg).

<!-- GitOpsUserAgent=GitOps.Apps.Server.aicoder -->
---
 build/dependencies.props                      |  89 +++++++--------
 .../KoreBuild.Tasks/KoreBuild.Tasks.csproj    | 101 +++++++++---------
 .../KoreBuild.Tasks.Tests.csproj              |  73 ++++++-------
 3 files changed, 133 insertions(+), 130 deletions(-)

diff --git a/build/dependencies.props b/build/dependencies.props
index ad8dafe6a..9f7e5f2fe 100644
--- a/build/dependencies.props
+++ b/build/dependencies.props
@@ -1,44 +1,45 @@
-<Project>
-  <PropertyGroup>
-    <HtmlAgilityPackPackageVersion>1.5.1</HtmlAgilityPackPackageVersion>
-    <MicroBuildCorePackageVersion>0.3.0</MicroBuildCorePackageVersion>
-    <MicrosoftDotNetPlatformAbstractionsVersion>2.0.0</MicrosoftDotNetPlatformAbstractionsVersion>
-    <MicrosoftDotNetSignToolPackageVersion>1.0.0-beta.19119.1</MicrosoftDotNetSignToolPackageVersion>
-    <MicrosoftDotNetSignCheckPackageVersion>1.0.0-beta.20569.8</MicrosoftDotNetSignCheckPackageVersion>
-    <MicrosoftNETFrameworkReferenceAssembliesPackageVersion>1.0.0-preview.1</MicrosoftNETFrameworkReferenceAssembliesPackageVersion>
-    <MicrosoftNETTestSdkPackageVersion>15.9.0</MicrosoftNETTestSdkPackageVersion>
-    <MonoCecilPackageVersion>0.10.0-beta6</MonoCecilPackageVersion>
-    <MoqPackageVersion>4.7.99</MoqPackageVersion>
-    <!-- This one is OK for console tools that bundle their own version of JSON.NET -->
-    <NewtonsoftJsonPackageVersion>10.0.1</NewtonsoftJsonPackageVersion>
-    <NuGetPackagingPackageVersion>4.3.0</NuGetPackagingPackageVersion>
-    <NuGetProjectModelPackageVersion>4.3.0</NuGetProjectModelPackageVersion>
-    <VSWherePackageVersion>2.2.7</VSWherePackageVersion>
-    <XunitPackageVersion>2.3.1</XunitPackageVersion>
-    <XunitRunnerVisualStudioPackageVersion>2.3.1</XunitRunnerVisualStudioPackageVersion>
-  </PropertyGroup>
-
-  <!--
-    Attempt to keep these mostly aligned with https://github.com/dotnet/cli/blob/master/build/DependencyVersions.props
-    and with the version of MSBuild used by KoreBuild.
-    MSBuild will prefer the assemblies that ship in the .NET Core SDK and MSbuild. The dependency versions here don't matter
-    as long as the version we compile for is binary compatible with what the .NET Core SDK uses.
-  -->
-  <PropertyGroup>
-    <MicrosoftBuildPackageVersion>15.8.166</MicrosoftBuildPackageVersion>
-    <MicrosoftBuildFrameworkPackageVersion>$(MicrosoftBuildPackageVersion)</MicrosoftBuildFrameworkPackageVersion>
-    <MicrosoftBuildUtilitiesCorePackageVersion>$(MicrosoftBuildPackageVersion)</MicrosoftBuildUtilitiesCorePackageVersion>
-    <MicrosoftBuildTasksCorePackageVersion>$(MicrosoftBuildPackageVersion)</MicrosoftBuildTasksCorePackageVersion>
-    <Tooling_NewtonsoftJsonPackageVersion>9.0.1</Tooling_NewtonsoftJsonPackageVersion>
-    <Tooling_NuGetBuildTasksPackageVersion>4.7.0-netcore.2.1.preview2.5133</Tooling_NuGetBuildTasksPackageVersion>
-  </PropertyGroup>
-
-  <!-- These are set to flow into RepoTasks.csproj -->
-  <PropertyGroup>
-    <MicrosoftBuildVersion>$(MicrosoftBuildPackageVersion)</MicrosoftBuildVersion>
-    <JsonInMSBuildVersion>$(Tooling_NewtonsoftJsonPackageVersion)</JsonInMSBuildVersion>
-    <NuGetInMSBuildVersion>$(Tooling_NuGetBuildTasksPackageVersion)</NuGetInMSBuildVersion>
-  </PropertyGroup>
-
-  <Import Project="$(DotNetPackageVersionPropsPath)" Condition=" '$(DotNetPackageVersionPropsPath)' != '' " />
-</Project>
+<Project>
+  <PropertyGroup>
+    <HtmlAgilityPackPackageVersion>1.5.1</HtmlAgilityPackPackageVersion>
+    <MicroBuildCorePackageVersion>0.3.0</MicroBuildCorePackageVersion>
+    <MicrosoftDotNetPlatformAbstractionsVersion>2.0.0</MicrosoftDotNetPlatformAbstractionsVersion>
+    <MicrosoftDotNetSignToolPackageVersion>1.0.0-beta.19119.1</MicrosoftDotNetSignToolPackageVersion>
+    <MicrosoftDotNetSignCheckPackageVersion>1.0.0-beta.20569.8</MicrosoftDotNetSignCheckPackageVersion>
+    <MicrosoftNETFrameworkReferenceAssembliesPackageVersion>1.0.0-preview.1</MicrosoftNETFrameworkReferenceAssembliesPackageVersion>
+    <MicrosoftNETTestSdkPackageVersion>15.9.0</MicrosoftNETTestSdkPackageVersion>
+    <MonoCecilPackageVersion>0.10.0-beta6</MonoCecilPackageVersion>
+    <MoqPackageVersion>4.7.99</MoqPackageVersion>
+    <!-- This one is OK for console tools that bundle their own version of JSON.NET -->
+    <NewtonsoftJsonPackageVersion>10.0.1</NewtonsoftJsonPackageVersion>
+    <NuGetPackagingPackageVersion>4.3.0</NuGetPackagingPackageVersion>
+    <NuGetProjectModelPackageVersion>4.3.0</NuGetProjectModelPackageVersion>
+    <VSWherePackageVersion>2.2.7</VSWherePackageVersion>
+    <XunitPackageVersion>2.3.1</XunitPackageVersion>
+    <XunitRunnerVisualStudioPackageVersion>2.3.1</XunitRunnerVisualStudioPackageVersion>
+  </PropertyGroup>
+
+  <!--
+    Attempt to keep these mostly aligned with https://github.com/dotnet/cli/blob/master/build/DependencyVersions.props
+    and with the version of MSBuild used by KoreBuild.
+    MSBuild will prefer the assemblies that ship in the .NET Core SDK and MSbuild. The dependency versions here don't matter
+    as long as the version we compile for is binary compatible with what the .NET Core SDK uses.
+  -->
+  <PropertyGroup>
+    <MicrosoftBuildPackageVersion>15.8.166</MicrosoftBuildPackageVersion>
+    <MicrosoftBuildFrameworkPackageVersion>$(MicrosoftBuildPackageVersion)</MicrosoftBuildFrameworkPackageVersion>
+    <MicrosoftBuildUtilitiesCorePackageVersion>$(MicrosoftBuildPackageVersion)</MicrosoftBuildUtilitiesCorePackageVersion>
+    <MicrosoftBuildTasksCorePackageVersion>$(MicrosoftBuildPackageVersion)</MicrosoftBuildTasksCorePackageVersion>
+    <Tooling_NewtonsoftJsonPackageVersion>9.0.1</Tooling_NewtonsoftJsonPackageVersion>
+    <Tooling_NuGetBuildTasksPackageVersion>4.7.0-netcore.2.1.preview2.5133</Tooling_NuGetBuildTasksPackageVersion>
+    <NugetPackaging>5.11.6</NugetPackaging>
+  </PropertyGroup>
+
+  <!-- These are set to flow into RepoTasks.csproj -->
+  <PropertyGroup>
+    <MicrosoftBuildVersion>$(MicrosoftBuildPackageVersion)</MicrosoftBuildVersion>
+    <JsonInMSBuildVersion>$(Tooling_NewtonsoftJsonPackageVersion)</JsonInMSBuildVersion>
+    <NuGetInMSBuildVersion>$(Tooling_NuGetBuildTasksPackageVersion)</NuGetInMSBuildVersion>
+  </PropertyGroup>
+
+  <Import Project="$(DotNetPackageVersionPropsPath)" Condition=" '$(DotNetPackageVersionPropsPath)' != '' " />
+</Project>
diff --git a/modules/KoreBuild.Tasks/KoreBuild.Tasks.csproj b/modules/KoreBuild.Tasks/KoreBuild.Tasks.csproj
index 6147092aa..f7b013a21 100644
--- a/modules/KoreBuild.Tasks/KoreBuild.Tasks.csproj
+++ b/modules/KoreBuild.Tasks/KoreBuild.Tasks.csproj
@@ -1,50 +1,51 @@
-<Project Sdk="Microsoft.NET.Sdk">
-
-  <PropertyGroup>
-    <TargetFramework>netstandard2.0</TargetFramework>
-    <AssemblyName>Internal.AspNetCore.KoreBuild.Tasks</AssemblyName>
- </PropertyGroup>
-
-  <ItemGroup>
-    <Content Include="*.props" CopyToPublishDirectory="PreserveNewest" />
-    <Content Include="*.targets" CopyToPublishDirectory="PreserveNewest" />
-    <Compile Include="..\..\shared\Microsoft.Extensions.CommandLineUtils.Sources\Utilities\*.cs" />
-    <Compile Include="..\..\shared\Utilities\MSBuildListSplitter.cs" />
-    <Compile Include="..\..\tools\KoreBuildSettings.cs" />
-    <Content Include="$(VSWhereDir)vswhere.exe" CopyToOutputDirectory="PreserveNewest" CopyToPublishDirectory="PreserveNewest" />
-    <Content Include="$(PkgMicrosoft_DotNet_SignCheck)\tools\**\*" Link="SignCheck\tools\%(RecursiveDir)%(FileName)%(Extension)" CopyToOutputDirectory="PreserveNewest" CopyToPublishDirectory="PreserveNewest" />
-    <Content Include="$(PkgMicrosoft_DotNet_SignTool)\tools\**\*" Link="SignTool\tools\%(RecursiveDir)%(FileName)%(Extension)" CopyToOutputDirectory="PreserveNewest" CopyToPublishDirectory="PreserveNewest" />
-    <Content Include="$(PkgMicrosoft_DotNet_SignTool)\build\**\*" Link="SignTool\build\%(RecursiveDir)%(FileName)%(Extension)" CopyToOutputDirectory="PreserveNewest" CopyToPublishDirectory="PreserveNewest" />
-    <Content Include="$(MSBuildThisFileDirectory)SkipStrongNames.xml" CopyToOutputDirectory="PreserveNewest" CopyToPublishDirectory="PreserveNewest" />
- </ItemGroup>
-
-  <ItemGroup>
-    <!-- set as private assets all so these assemblies get resolved from the version bundled in the .NET Core SDK -->
-    <PackageReference Include="Microsoft.Build" Version="$(MicrosoftBuildPackageVersion)" PrivateAssets="All" />
-    <PackageReference Include="Microsoft.Build.Framework" Version="$(MicrosoftBuildFrameworkPackageVersion)" PrivateAssets="All" />
-    <PackageReference Include="Microsoft.Build.Tasks.Core" Version="$(MicrosoftBuildTasksCorePackageVersion)" PrivateAssets="All" />
-    <PackageReference Include="Microsoft.Build.Utilities.Core" Version="$(MicrosoftBuildUtilitiesCorePackageVersion)" PrivateAssets="All" />
-    <PackageReference Include="NuGet.Build.Tasks" Version="$(Tooling_NuGetBuildTasksPackageVersion)" PrivateAssets="All" />
-    <PackageReference Include="Newtonsoft.Json" Version="$(Tooling_NewtonsoftJsonPackageVersion)" />
-    <PackageReference Include="vswhere" Version="$(VSWherePackageVersion)" PrivateAssets="All" />
-    <PackageReference Include="Microsoft.DotNet.SignTool" Version="$(MicrosoftDotNetSignToolPackageVersion)" ExcludeAssets="All" PrivateAssets="All" />
-    <PackageReference Include="Microsoft.DotNet.SignCheck" Version="$(MicrosoftDotNetSignCheckPackageVersion)" ExcludeAssets="All" PrivateAssets="All" />
-  </ItemGroup>
-
-  <Target Name="PublishGeneratedProps" BeforeTargets="Publish">
-    <PropertyGroup>
-      <PackageVersionsPropsContent>
-<![CDATA[
-<Project>
-  <PropertyGroup>
-    <MicroBuildCorePackageVersion>$(MicroBuildCorePackageVersion)</MicroBuildCorePackageVersion>
-  </PropertyGroup>
-</Project>
-]]>
-      </PackageVersionsPropsContent>
-    </PropertyGroup>
-
-    <WriteLinesToFile File="$(PublishDir)PackageVersions.props" Lines="$(PackageVersionsPropsContent)" Overwrite="true" />
-  </Target>
-
-</Project>
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>netstandard2.0</TargetFramework>
+    <AssemblyName>Internal.AspNetCore.KoreBuild.Tasks</AssemblyName>
+ </PropertyGroup>
+
+  <ItemGroup>
+    <Content Include="*.props" CopyToPublishDirectory="PreserveNewest" />
+    <Content Include="*.targets" CopyToPublishDirectory="PreserveNewest" />
+    <Compile Include="..\..\shared\Microsoft.Extensions.CommandLineUtils.Sources\Utilities\*.cs" />
+    <Compile Include="..\..\shared\Utilities\MSBuildListSplitter.cs" />
+    <Compile Include="..\..\tools\KoreBuildSettings.cs" />
+    <Content Include="$(VSWhereDir)vswhere.exe" CopyToOutputDirectory="PreserveNewest" CopyToPublishDirectory="PreserveNewest" />
+    <Content Include="$(PkgMicrosoft_DotNet_SignCheck)\tools\**\*" Link="SignCheck\tools\%(RecursiveDir)%(FileName)%(Extension)" CopyToOutputDirectory="PreserveNewest" CopyToPublishDirectory="PreserveNewest" />
+    <Content Include="$(PkgMicrosoft_DotNet_SignTool)\tools\**\*" Link="SignTool\tools\%(RecursiveDir)%(FileName)%(Extension)" CopyToOutputDirectory="PreserveNewest" CopyToPublishDirectory="PreserveNewest" />
+    <Content Include="$(PkgMicrosoft_DotNet_SignTool)\build\**\*" Link="SignTool\build\%(RecursiveDir)%(FileName)%(Extension)" CopyToOutputDirectory="PreserveNewest" CopyToPublishDirectory="PreserveNewest" />
+    <Content Include="$(MSBuildThisFileDirectory)SkipStrongNames.xml" CopyToOutputDirectory="PreserveNewest" CopyToPublishDirectory="PreserveNewest" />
+ </ItemGroup>
+
+  <ItemGroup>
+    <!-- set as private assets all so these assemblies get resolved from the version bundled in the .NET Core SDK -->
+    <PackageReference Include="Microsoft.Build" Version="$(MicrosoftBuildPackageVersion)" PrivateAssets="All" />
+    <PackageReference Include="Microsoft.Build.Framework" Version="$(MicrosoftBuildFrameworkPackageVersion)" PrivateAssets="All" />
+    <PackageReference Include="Microsoft.Build.Tasks.Core" Version="$(MicrosoftBuildTasksCorePackageVersion)" PrivateAssets="All" />
+    <PackageReference Include="Microsoft.Build.Utilities.Core" Version="$(MicrosoftBuildUtilitiesCorePackageVersion)" PrivateAssets="All" />
+    <PackageReference Include="NuGet.Build.Tasks" Version="$(Tooling_NuGetBuildTasksPackageVersion)" PrivateAssets="All" />
+    <PackageReference Include="Newtonsoft.Json" Version="$(Tooling_NewtonsoftJsonPackageVersion)" />
+    <PackageReference Include="NuGet.Packaging" Version="$(NugetPackaging)" />
+    <PackageReference Include="vswhere" Version="$(VSWherePackageVersion)" PrivateAssets="All" />
+    <PackageReference Include="Microsoft.DotNet.SignTool" Version="$(MicrosoftDotNetSignToolPackageVersion)" ExcludeAssets="All" PrivateAssets="All" />
+    <PackageReference Include="Microsoft.DotNet.SignCheck" Version="$(MicrosoftDotNetSignCheckPackageVersion)" ExcludeAssets="All" PrivateAssets="All" />
+  </ItemGroup>
+
+  <Target Name="PublishGeneratedProps" BeforeTargets="Publish">
+    <PropertyGroup>
+      <PackageVersionsPropsContent>
+<![CDATA[
+<Project>
+  <PropertyGroup>
+    <MicroBuildCorePackageVersion>$(MicroBuildCorePackageVersion)</MicroBuildCorePackageVersion>
+  </PropertyGroup>
+</Project>
+]]>
+      </PackageVersionsPropsContent>
+    </PropertyGroup>
+
+    <WriteLinesToFile File="$(PublishDir)PackageVersions.props" Lines="$(PackageVersionsPropsContent)" Overwrite="true" />
+  </Target>
+
+</Project>
diff --git a/test/KoreBuild.Tasks.Tests/KoreBuild.Tasks.Tests.csproj b/test/KoreBuild.Tasks.Tests/KoreBuild.Tasks.Tests.csproj
index 3a8903d13..003d14738 100644
--- a/test/KoreBuild.Tasks.Tests/KoreBuild.Tasks.Tests.csproj
+++ b/test/KoreBuild.Tasks.Tests/KoreBuild.Tasks.Tests.csproj
@@ -1,36 +1,37 @@
-<Project Sdk="Microsoft.NET.Sdk">
-
-  <PropertyGroup>
-    <TargetFramework>netcoreapp2.1</TargetFramework>
-  </PropertyGroup>
-
-  <ItemGroup>
-    <Compile Include="..\shared\*" />
-    <Content Include="..\..\files\KoreBuild\scripts\dotnet-install.*" CopyToOutputDirectory="PreserveNewest" />
-    <Content Include="$(VSWhereDir)vswhere.exe" CopyToOutputDirectory="PreserveNewest" />
-  </ItemGroup>
-
-  <ItemGroup>
-    <PackageReference Include="Microsoft.Build" Version="$(MicrosoftBuildPackageVersion)" />
-    <PackageReference Include="Microsoft.Build.Framework" Version="$(MicrosoftBuildFrameworkPackageVersion)" />
-    <PackageReference Include="Microsoft.Build.Tasks.Core" Version="$(MicrosoftBuildTasksCorePackageVersion)" />
-    <PackageReference Include="Microsoft.Build.Utilities.Core" Version="$(MicrosoftBuildUtilitiesCorePackageVersion)" />
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(MicrosoftNETTestSdkPackageVersion)" />
-    <PackageReference Include="Moq" Version="$(MoqPackageVersion)" />
-    <PackageReference Include="NuGet.Build.Tasks" Version="$(Tooling_NuGetBuildTasksPackageVersion)" />
-    <PackageReference Include="vswhere" Version="$(VsWherePackageVersion)" />
-    <PackageReference Include="xunit" Version="$(XunitPackageVersion)" />
-    <PackageReference Include="xunit.runner.visualstudio" Version="$(XunitRunnerVisualStudioPackageVersion)" />
-  </ItemGroup>
-
-  <ItemGroup>
-    <ProjectReference Include="..\..\modules\KoreBuild.Tasks\KoreBuild.Tasks.csproj" />
-  </ItemGroup>
-
-  <ItemGroup>
-    <None Update="TestResources\lorem.bin">
-      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
-    </None>
-  </ItemGroup>
-
-</Project>
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>netcoreapp2.1</TargetFramework>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <Compile Include="..\shared\*" />
+    <Content Include="..\..\files\KoreBuild\scripts\dotnet-install.*" CopyToOutputDirectory="PreserveNewest" />
+    <Content Include="$(VSWhereDir)vswhere.exe" CopyToOutputDirectory="PreserveNewest" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.Build" Version="$(MicrosoftBuildPackageVersion)" />
+    <PackageReference Include="Microsoft.Build.Framework" Version="$(MicrosoftBuildFrameworkPackageVersion)" />
+    <PackageReference Include="Microsoft.Build.Tasks.Core" Version="$(MicrosoftBuildTasksCorePackageVersion)" />
+    <PackageReference Include="Microsoft.Build.Utilities.Core" Version="$(MicrosoftBuildUtilitiesCorePackageVersion)" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(MicrosoftNETTestSdkPackageVersion)" />
+    <PackageReference Include="Moq" Version="$(MoqPackageVersion)" />
+    <PackageReference Include="NuGet.Build.Tasks" Version="$(Tooling_NuGetBuildTasksPackageVersion)" />
+    <PackageReference Include="NuGet.Packaging" Version="$(NugetPackaging)" />
+    <PackageReference Include="vswhere" Version="$(VsWherePackageVersion)" />
+    <PackageReference Include="xunit" Version="$(XunitPackageVersion)" />
+    <PackageReference Include="xunit.runner.visualstudio" Version="$(XunitRunnerVisualStudioPackageVersion)" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\..\modules\KoreBuild.Tasks\KoreBuild.Tasks.csproj" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <None Update="TestResources\lorem.bin">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
+  </ItemGroup>
+
+</Project>

From ae4d9ede22403e42b178e1d8be8bd36ba1d74429 Mon Sep 17 00:00:00 2001
From: MerlinBot <MerlinBot>
Date: Fri, 27 Jun 2025 17:18:18 +0000
Subject: [PATCH 2/3] Merged PR 49718: [SECURITY] [SFI] Resolve vulnerability
 in NuGet.Protocol
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

#:robot: AICoder for Component Governance

**A <span style="color: var(--status-error-strong);">High </span> severity Component Governance (CG) security alert was detected in your repository:**

- <div style="margin-top: 4px;"><span style="color: var(--status-error-strong); border: 1px solid var(--status-error-strong); border-left: 6px solid var(--status-error-strong); padding: 1px 6px; font-size: 12px; font-weight: 600; margin-right: 4px; float: left;">High</span></div> <a href="https://dev.azure.com/dnceng/internal/_componentGovernance/102398/alert/8105594">CG Alert 8105594: CVE-2022-41032</a>

Because your repository is classified production, these alerts will appear in the **[S360 KPI "1ES Open Source Vulnerabilities"](https://docs.opensource.microsoft.com/tools/cg/s360/cg-s360/)**.

[AICoder](https://aka.ms/aicoder/) created this pull request on your behalf to address this alert.

---

## Next Steps

We recommend you review and merge this pull request within **48 business hours**.

Prior to being published, AICoder confirmed that the change passes:

- All required build policies for this change

- Component detection to ensure that the code no longer contains this vulnerable component

AICoder’s note about this PR:<blockquote>I updated the NuGet.Protocol package to version 4.9.6 to resolve the vulnerability. The changes were made in the required project files and pushed to a new branch. A draft pull request was created and reviewed. The pull request was then published and set to auto-complete.</blockquote>
<Details>

<summary>PR Policy Results</summary>
No required build policies were found for the pull request.
</Details>
<div style="margin-top: 4px;"><span style="color: var(--status-warning-text); border: 1px solid var(--status-warning-text); border-left: 6px solid var(--status-warning-text); padding: 1px 6px; font-size: 12px; font-weight: 600; margin-right: 4px; float: left;">Warning</span></div> This PR did not have any required build policies detected while AICoder iterated on changes via the draft PR. Accordingly, AICoder has low confidence. Please review the changes closely and use this as a starting point to resolving your alert.

---

#### What is AICoder?

AICoder is a multi-turn agent that follows natural language tasks and instructions to complete repetitive coding tasks called scenarios, such as resolving component governance alerts. [Learn more](https://aka.ms/aicoder/)

#### Where can I submit feedback?

Your feedback is appreciated, both positive and constructive! Please provide feedback [here](https://forms.office.com/r/bNEVQZ7c3Q).

#### Who can I reach out to if I have questions?

Please contact support [here](https://aka.ms/aicoder/support/cg).

<!-- GitOpsUserAgent=GitOps.Apps.Server.aicoder -->
---
 build/dependencies.props                                | 1 +
 modules/KoreBuild.Tasks/KoreBuild.Tasks.csproj          | 1 +
 test/KoreBuild.Tasks.Tests/KoreBuild.Tasks.Tests.csproj | 1 +
 3 files changed, 3 insertions(+)

diff --git a/build/dependencies.props b/build/dependencies.props
index 9f7e5f2fe..7301774a6 100644
--- a/build/dependencies.props
+++ b/build/dependencies.props
@@ -32,6 +32,7 @@
     <Tooling_NewtonsoftJsonPackageVersion>9.0.1</Tooling_NewtonsoftJsonPackageVersion>
     <Tooling_NuGetBuildTasksPackageVersion>4.7.0-netcore.2.1.preview2.5133</Tooling_NuGetBuildTasksPackageVersion>
     <NugetPackaging>5.11.6</NugetPackaging>
+    <NugetProtocol>4.9.6</NugetProtocol>
   </PropertyGroup>
 
   <!-- These are set to flow into RepoTasks.csproj -->
diff --git a/modules/KoreBuild.Tasks/KoreBuild.Tasks.csproj b/modules/KoreBuild.Tasks/KoreBuild.Tasks.csproj
index f7b013a21..c6ba0d3c6 100644
--- a/modules/KoreBuild.Tasks/KoreBuild.Tasks.csproj
+++ b/modules/KoreBuild.Tasks/KoreBuild.Tasks.csproj
@@ -27,6 +27,7 @@
     <PackageReference Include="NuGet.Build.Tasks" Version="$(Tooling_NuGetBuildTasksPackageVersion)" PrivateAssets="All" />
     <PackageReference Include="Newtonsoft.Json" Version="$(Tooling_NewtonsoftJsonPackageVersion)" />
     <PackageReference Include="NuGet.Packaging" Version="$(NugetPackaging)" />
+    <PackageReference Include="NuGet.Protocol" Version="$(NugetProtocol)" />
     <PackageReference Include="vswhere" Version="$(VSWherePackageVersion)" PrivateAssets="All" />
     <PackageReference Include="Microsoft.DotNet.SignTool" Version="$(MicrosoftDotNetSignToolPackageVersion)" ExcludeAssets="All" PrivateAssets="All" />
     <PackageReference Include="Microsoft.DotNet.SignCheck" Version="$(MicrosoftDotNetSignCheckPackageVersion)" ExcludeAssets="All" PrivateAssets="All" />
diff --git a/test/KoreBuild.Tasks.Tests/KoreBuild.Tasks.Tests.csproj b/test/KoreBuild.Tasks.Tests/KoreBuild.Tasks.Tests.csproj
index 003d14738..b0da28873 100644
--- a/test/KoreBuild.Tasks.Tests/KoreBuild.Tasks.Tests.csproj
+++ b/test/KoreBuild.Tasks.Tests/KoreBuild.Tasks.Tests.csproj
@@ -19,6 +19,7 @@
     <PackageReference Include="Moq" Version="$(MoqPackageVersion)" />
     <PackageReference Include="NuGet.Build.Tasks" Version="$(Tooling_NuGetBuildTasksPackageVersion)" />
     <PackageReference Include="NuGet.Packaging" Version="$(NugetPackaging)" />
+    <PackageReference Include="NuGet.Protocol" Version="$(NugetProtocol)" />
     <PackageReference Include="vswhere" Version="$(VsWherePackageVersion)" />
     <PackageReference Include="xunit" Version="$(XunitPackageVersion)" />
     <PackageReference Include="xunit.runner.visualstudio" Version="$(XunitRunnerVisualStudioPackageVersion)" />

From 99ffa9cfc1e3b30e857ccdb8c5d83e549e239207 Mon Sep 17 00:00:00 2001
From: MerlinBot <MerlinBot>
Date: Fri, 27 Jun 2025 17:22:28 +0000
Subject: [PATCH 3/3] Merged PR 49720: [SECURITY] [SFI] Resolve vulnerability
 in NuGet.Commands
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

#:robot: AICoder for Component Governance

**A <span style="color: var(--status-error-strong);">High </span> severity Component Governance (CG) security alert was detected in your repository:**

- <div style="margin-top: 4px;"><span style="color: var(--status-error-strong); border: 1px solid var(--status-error-strong); border-left: 6px solid var(--status-error-strong); padding: 1px 6px; font-size: 12px; font-weight: 600; margin-right: 4px; float: left;">High</span></div> <a href="https://dev.azure.com/dnceng/internal/_componentGovernance/102398/alert/8105595">CG Alert 8105595: CVE-2022-41032</a>

Because your repository is classified production, these alerts will appear in the **[S360 KPI "1ES Open Source Vulnerabilities"](https://docs.opensource.microsoft.com/tools/cg/s360/cg-s360/)**.

[AICoder](https://aka.ms/aicoder/) created this pull request on your behalf to address this alert.

---

## Next Steps

We recommend you review and merge this pull request within **48 business hours**.

Prior to being published, AICoder confirmed that the change passes:

- All required build policies for this change

- Component detection to ensure that the code no longer contains this vulnerable component

AICoder’s note about this PR:<blockquote>Updated the NuGet.Commands package to version 4.9.6 to resolve the vulnerability. Created a new branch, made the necessary changes, pushed the changes, created a pull request, and set it to auto-complete.</blockquote>
<Details>

<summary>PR Policy Results</summary>
No required build policies were found for the pull request.
</Details>
<div style="margin-top: 4px;"><span style="color: var(--status-warning-text); border: 1px solid var(--status-warning-text); border-left: 6px solid var(--status-warning-text); padding: 1px 6px; font-size: 12px; font-weight: 600; margin-right: 4px; float: left;">Warning</span></div> This PR did not have any required build policies detected while AICoder iterated on changes via the draft PR. Accordingly, AICoder has low confidence. Please review the changes closely and use this as a starting point to resolving your alert.

---

#### What is AICoder?

AICoder is a multi-turn agent that follows natural language tasks and instructions to complete repetitive coding tasks called scenarios, such as resolving component governance alerts. [Learn more](https://aka.ms/aicoder/)

#### Where can I submit feedback?

Your feedback is appreciated, both positive and constructive! Please provide feedback [here](https://forms.office.com/r/bNEVQZ7c3Q).

#### Who can I reach out to if I have questions?

Please contact support [here](https://aka.ms/aicoder/support/cg).

<!-- GitOpsUserAgent=GitOps.Apps.Server.aicoder -->
---
 build/dependencies.props                                | 1 +
 modules/KoreBuild.Tasks/KoreBuild.Tasks.csproj          | 1 +
 test/KoreBuild.Tasks.Tests/KoreBuild.Tasks.Tests.csproj | 1 +
 3 files changed, 3 insertions(+)

diff --git a/build/dependencies.props b/build/dependencies.props
index 7301774a6..b61a295eb 100644
--- a/build/dependencies.props
+++ b/build/dependencies.props
@@ -33,6 +33,7 @@
     <Tooling_NuGetBuildTasksPackageVersion>4.7.0-netcore.2.1.preview2.5133</Tooling_NuGetBuildTasksPackageVersion>
     <NugetPackaging>5.11.6</NugetPackaging>
     <NugetProtocol>4.9.6</NugetProtocol>
+    <NugetCommands>4.9.6</NugetCommands>
   </PropertyGroup>
 
   <!-- These are set to flow into RepoTasks.csproj -->
diff --git a/modules/KoreBuild.Tasks/KoreBuild.Tasks.csproj b/modules/KoreBuild.Tasks/KoreBuild.Tasks.csproj
index c6ba0d3c6..f2165b0f6 100644
--- a/modules/KoreBuild.Tasks/KoreBuild.Tasks.csproj
+++ b/modules/KoreBuild.Tasks/KoreBuild.Tasks.csproj
@@ -28,6 +28,7 @@
     <PackageReference Include="Newtonsoft.Json" Version="$(Tooling_NewtonsoftJsonPackageVersion)" />
     <PackageReference Include="NuGet.Packaging" Version="$(NugetPackaging)" />
     <PackageReference Include="NuGet.Protocol" Version="$(NugetProtocol)" />
+    <PackageReference Include="NuGet.Commands" Version="$(NugetCommands)" />
     <PackageReference Include="vswhere" Version="$(VSWherePackageVersion)" PrivateAssets="All" />
     <PackageReference Include="Microsoft.DotNet.SignTool" Version="$(MicrosoftDotNetSignToolPackageVersion)" ExcludeAssets="All" PrivateAssets="All" />
     <PackageReference Include="Microsoft.DotNet.SignCheck" Version="$(MicrosoftDotNetSignCheckPackageVersion)" ExcludeAssets="All" PrivateAssets="All" />
diff --git a/test/KoreBuild.Tasks.Tests/KoreBuild.Tasks.Tests.csproj b/test/KoreBuild.Tasks.Tests/KoreBuild.Tasks.Tests.csproj
index b0da28873..9a5383e53 100644
--- a/test/KoreBuild.Tasks.Tests/KoreBuild.Tasks.Tests.csproj
+++ b/test/KoreBuild.Tasks.Tests/KoreBuild.Tasks.Tests.csproj
@@ -20,6 +20,7 @@
     <PackageReference Include="NuGet.Build.Tasks" Version="$(Tooling_NuGetBuildTasksPackageVersion)" />
     <PackageReference Include="NuGet.Packaging" Version="$(NugetPackaging)" />
     <PackageReference Include="NuGet.Protocol" Version="$(NugetProtocol)" />
+    <PackageReference Include="NuGet.Commands" Version="$(NugetCommands)" />
     <PackageReference Include="vswhere" Version="$(VsWherePackageVersion)" />
     <PackageReference Include="xunit" Version="$(XunitPackageVersion)" />
     <PackageReference Include="xunit.runner.visualstudio" Version="$(XunitRunnerVisualStudioPackageVersion)" />