[CG] Bump Microsoft.IO.Redist to 6.0.1 (#106102)
Conversation
CG was flagging ILLink.Tasks and Microsoft.NETCore.Platforms as pulling in an older version of Microsoft.IO.Redist. This change pins the version we use to clear the alert.
Tagging subscribers to this area: @dotnet/area-infrastructure-libraries

Do we need to backport this change?
sbomer left a comment
For ILLink.Tasks, this is pulled in as a transitive dependency of Microsoft.Build.Tasks.Core. Could we fix it by bumping MicrosoftBuildVersion to pick up dotnet/msbuild#10375?
Has that shipped yet? I didn't think it did.

Let's wait for MSBuild to move first.
agocke left a comment
Hold until we decide what to do for MSBuild
Consider porting the fix to the 8.0/9.0 branches, since it also shows up in CG alerts there.

This is causing CG errors; we need to resolve it ASAP.

cc @ericstj

We actually do need to push this forward and backport to release/8.0 and release/9.0. It's blocking SDL signoff for 9.0, and it's not clear when MSBuild is going to bump.
We shouldn't need this. We don't reference the Microsoft.IO.Redist package at all in main.
That was fixed with the PackageDownloadAndReference to only reference MSBuild itself.
@steveisok main has no CG alerts for this package. I only see them in 8.0 and 9.0. Perhaps we should consider backporting a portion of the audit change from main so that we don't end up chasing these alerts for build tasks.
Which change are you referring to?

This one: #107639. I ported it back to 9.0. We can do something similar for 8.0, though we can't enable audit there.