[build] Update NuGet package versions (#196)

jonpryor · web-flow · commit fa3711b7ddac · 2022-11-17T15:25:01.000-05:00
Context: https://dev.azure.com/xamarin/public/_componentGovernance/115226/alert/3150206?typeId=5477311 Context: https://dev.azure.com/xamarin/public/_componentGovernance/115226/alert/6875331?typeId=5477311 Context: dotnet/java-interop@5318261 [Component Governance][0] is a Microsoft internal tool which checks for known security issues in product dependencies. It is currently reporting a defects in xamarin-android-tools due to use of older `System.Net.Http` packages ([CVE-2018-8292][0]) and older `System.Security.Cryptography.X509Certificates` packages ([CVE-2017-11770][1]): > **Location** > > * /s/packages/system.net.http/4.1.0/system.net.http.4.1.0.nupkg > * /s/packages/system.net.http/4.1.0/system.net.http.nuspec > * /s/packages/system.security.cryptography.x509certificates/4.1.0/system.security.cryptography.x509certificates.4.1.0.nupkg > * /s/packages/system.security.cryptography.x509certificates/4.1.0/system.security.cryptography.x509certificates.nuspec The "odd" thing is that xamarin-android-tools doesn't *use* either of these dependencies! They appear to be pulled in via package dependencies. Rework how we use `@(PackageReference)` so that `Directory.Build.targets` uses [the `Update` attribute][2] to centralize package version specification, except within `MSBuildReferences.projitems` as it's `<Import/>`ed by xamarin-android. Update most NuGet package versions to the latest versions provided by `dotnet-public` or `dotnet-eng` (which may not be the latest versions on NuGet.org). While stable versions are generally preferred, we use Microsoft.NET.Test.Sdk version 17.5.0-preview-20221003-04 to ensure that we avoid Newtonsoft.Json 9.0.1 issues a'la dotnet/java-interop@53182615. NuGet Package Version Bumps: * Microsoft.Build : `16.10.0` -> `17.3.2` * Microsoft.Build.Framework : `16.10.0` -> `17.3.2` * Microsoft.Build.Tasks.Core : `16.10.0` -> `17.3.2` * Microsoft.Build.Utilities.Core : `16.10.0` -> `17.3.2` * Microsoft.NET.Test.Sdk : `16.5.0` -> `17.5.0-preview-20221003-04` * nunit : `3.12.0` -> `3.13.2` * NUnit3TestAdapter : `3.16.1` -> `4.0.0` [0]: https://nvd.nist.gov/vuln/detail/CVE-2018-8292 [1]: https://nvd.nist.gov/vuln/detail/CVE-2017-11770 [2]: https://learn.microsoft.com/en-us/visualstudio/msbuild/item-element-msbuild?view=vs-2022#attributes-and-elements
diff --git a/Directory.Build.targets b/Directory.Build.targets
@@ -19,8 +19,13 @@
       Condition=" Exists('$([System.IO.Path]::GetDirectoryName($(MSBuildThisFileDirectory))).override.targets') "
   />
 
+  <!-- NuGet Dependencies -->
   <ItemGroup>
-    <PackageReference Update="Microsoft.SourceLink.GitHub" Version="1.1.1" />
+    <PackageReference Update="Microsoft.NET.Test.Sdk"                       Version="17.5.0-preview-20221003-04" />
+    <PackageReference Update="Microsoft.SourceLink.GitHub"                  Version="1.1.1" />
+    <PackageReference Update="Microsoft.VisualStudioEng.MicroBuild.Core"    Version="1.0.0" />
+    <PackageReference Update="nunit"                                        Version="3.13.2" />
+    <PackageReference Update="NUnit3TestAdapter"                            Version="4.0.0" />
   </ItemGroup>
 
 </Project>
diff --git a/src/Microsoft.Android.Build.BaseTasks/MSBuildReferences.projitems b/src/Microsoft.Android.Build.BaseTasks/MSBuildReferences.projitems
@@ -4,7 +4,7 @@
 <Project>
   <!--Import this file in projects needing to reference Microsoft.Build.*.dll -->
   <PropertyGroup>
-    <MSBuildPackageReferenceVersion>16.10.0</MSBuildPackageReferenceVersion>
+    <MSBuildPackageReferenceVersion>17.3.2</MSBuildPackageReferenceVersion>
     <LibZipSharpVersion Condition=" '$(LibZipSharpVersion)' == '' " >2.0.7</LibZipSharpVersion>
     <MonoUnixVersion>7.1.0-final.1.21458.1</MonoUnixVersion>
   </PropertyGroup>
diff --git a/src/Xamarin.Android.Tools.AndroidSdk/Xamarin.Android.Tools.AndroidSdk.csproj b/src/Xamarin.Android.Tools.AndroidSdk/Xamarin.Android.Tools.AndroidSdk.csproj
@@ -26,7 +26,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.VisualStudioEng.MicroBuild.Core" Version="1.0.0">
+    <PackageReference Include="Microsoft.VisualStudioEng.MicroBuild.Core">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
     </PackageReference>
diff --git a/tests/Microsoft.Android.Build.BaseTasks-Tests/Microsoft.Android.Build.BaseTasks-Tests.csproj b/tests/Microsoft.Android.Build.BaseTasks-Tests/Microsoft.Android.Build.BaseTasks-Tests.csproj
@@ -14,9 +14,9 @@
   <Import Project="..\..\src\Microsoft.Android.Build.BaseTasks\MSBuildReferences.projitems" />
 
   <ItemGroup>
-    <PackageReference Include="NUnit" Version="3.12.0" />
-    <PackageReference Include="NUnit3TestAdapter" Version="3.16.1" />
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.5.0"/>
+    <PackageReference Include="NUnit" />
+    <PackageReference Include="NUnit3TestAdapter" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/tests/Xamarin.Android.Tools.AndroidSdk-Tests/Xamarin.Android.Tools.AndroidSdk-Tests.csproj b/tests/Xamarin.Android.Tools.AndroidSdk-Tests/Xamarin.Android.Tools.AndroidSdk-Tests.csproj
@@ -13,9 +13,9 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="NUnit" Version="3.12.0" />
-    <PackageReference Include="NUnit3TestAdapter" Version="3.16.1" />
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.5.0"/>
+    <PackageReference Include="NUnit" />
+    <PackageReference Include="NUnit3TestAdapter" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" />
   </ItemGroup>
 
   <ItemGroup>
