NuGet security vulnerabilities breaking builds.. #8618
bevanweiss started this conversation in WiX Development
Replies: 1 comment
-
Confirmed on my machine. Could you open an issue? We should discuss at triage how to best handle these; blocking with an error is easy but given that most won't cause an issue at runtime, maybe we should keep them warnings.
-
Just recently my local test build has stopped working due to NuGet security vulnerability checks on nuget restore.
https://learn.microsoft.com/en-us/nuget/concepts/auditing-packages
Not a WiX problem in itself, but it is a bit tricky with warnings as errors configured on the build.
I wonder if perhaps some of these NuGet audit warnings shouldn't be errors. Perhaps only the Critical issues, and not also High. Quite a lot of 'High' issues lately don't really seem that impactful. This particular one is only around DeserializeAsyncEnumerable, and that it is possible to DoS with malicious input data. Which doesn't seem like it would apply for the vast majority of WiX use cases.
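One way to get the behaviour discussed in this thread (Critical advisories fail the build, lower severities stay warnings) is through the NuGet audit MSBuild properties. This is an added example, not part of the original posts and not the WiX repository's own build configuration; it assumes a `Directory.Build.props` at the repository root and a build that already sets `TreatWarningsAsErrors`.

```xml
<!-- Directory.Build.props (assumed location: repository root) -->
<Project>
  <PropertyGroup>
    <!-- Assumption: the build already runs with warnings as errors. -->
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>

    <!-- Keep NuGet's vulnerability audit enabled during restore. -->
    <NuGetAudit>true</NuGetAudit>

    <!-- Report every severity so nothing is silently hidden.
         Allowed values: low, moderate, high, critical. -->
    <NuGetAuditLevel>low</NuGetAuditLevel>

    <!-- NuGet audit warning codes by advisory severity:
           NU1901 = low, NU1902 = moderate, NU1903 = high, NU1904 = critical.
         Exempt low/moderate/high from warnings-as-errors so they remain
         visible as warnings; NU1904 (critical) is not listed, so it is
         still promoted to an error and stops the build. -->
    <WarningsNotAsErrors>$(WarningsNotAsErrors);NU1901;NU1902;NU1903</WarningsNotAsErrors>
  </PropertyGroup>
</Project>
```

The exempted advisories still appear in restore output, so they can be triaged and the affected packages updated without the build being blocked in the meantime.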