[release/9.0.1xx] Update dependencies from dotnet/arcade

[dotnet-maestro]

This pull request updates the following dependencies

From https://github.com/dotnet/arcade

• Subscription: fb3f8aec-5167-4ffc-ab85-08dcc13e8b5d
• Build: 20250516.2
• Date Produced: May 16, 2025 10:30:49 PM UTC
• Commit: c62eeb5b5432f9eaa034fbd641ccd9fd0d928fb3
• Branch: refs/heads/release/9.0

• Updates:
  • Microsoft.SourceBuild.Intermediate.arcade: from 9.0.0-beta.25263.2 to 9.0.0-beta.25266.2
  • Microsoft.DotNet.Arcade.Sdk: from 9.0.0-beta.25263.2 to 9.0.0-beta.25266.2
  • Microsoft.DotNet.Build.Tasks.Installers: from 9.0.0-beta.25263.2 to 9.0.0-beta.25266.2
  • Microsoft.DotNet.Helix.Sdk: from 9.0.0-beta.25263.2 to 9.0.0-beta.25266.2
  • Microsoft.DotNet.SignTool: from 9.0.0-beta.25263.2 to 9.0.0-beta.25266.2
  • Microsoft.DotNet.XliffTasks: from 9.0.0-beta.25263.2 to 9.0.0-beta.25266.2
  • Microsoft.DotNet.XUnitExtensions: from 9.0.0-beta.25263.2 to 9.0.0-beta.25266.2

[v-wuzhai]

@dotnet/source-build Could you take a look at the failures here?

[NikolaMilosavljevic]

These are all NuGet Audit errors - @ViktorHofer do you know if these show up in repo builds in 9.0 branches?

Latest arcade CI or PR, 9.0, builds were on Tuesday, before the Audit errors were triggered. So, this explains why we have not seen this in arcade builds yet.

[ViktorHofer]

I'm not 100% sure which version of NuGet inserted into 9.0 but assuming it was 6.11, NuGetAudit is enabled by default for direct dependencies (not transitives): https://github.com/NuGet/NuGet.Client/blob/5469bd0d9de8108f15f21644759773b85471366c/src/NuGet.Core/NuGet.Build.Tasks/NuGet.targets#L71-L72

So any direct reference to i.e. the Microsoft.Build.Tasks.Core package that got marked as vulnerable yesterday will error.

[NikolaMilosavljevic]

Errors are very similar to those seen in 10.0 branches, i.e.:

    /vmr/src/arcade/src/Microsoft.DotNet.Build.Tasks.TargetFramework/src/Microsoft.DotNet.Build.Tasks.TargetFramework.csproj : error NU1901: Warning As Error: Package 'Microsoft.Build.Tasks.Core' 17.8.3 has a known low severity vulnerability, https://github.com/advisories/GHSA-h4j7-5rxr-p4wc [/vmr/src/arcade/Arcade.sln]
##[error]/vmr/src/arcade/src/Microsoft.DotNet.Build.Tasks.TargetFramework/src/Microsoft.DotNet.Build.Tasks.TargetFramework.csproj(0,0): error NU1901: (NETCORE_ENGINEERING_TELEMETRY=Restore) Warning As Error: Package 'Microsoft.Build.Tasks.Core' 17.8.3 has a known low severity vulnerability, https://github.com/advisories/GHSA-h4j7-5rxr-p4wc
    /vmr/src/arcade/src/Microsoft.DotNet.Build.Tasks.Packaging/src/Microsoft.DotNet.Build.Tasks.Packaging.csproj : error NU1901: Warning As Error: Package 'Microsoft.Build.Tasks.Core' 17.8.3 has a known low severity vulnerability, https://github.com/advisories/GHSA-h4j7-5rxr-p4wc [/vmr/src/arcade/Arcade.sln]
##[error]/vmr/src/arcade/src/Microsoft.DotNet.Build.Tasks.Packaging/src/Microsoft.DotNet.Build.Tasks.Packaging.csproj(0,0): error NU1901: (NETCORE_ENGINEERING_TELEMETRY=Restore) Warning As Error: Package 'Microsoft.Build.Tasks.Core' 17.8.3 has a known low severity vulnerability, https://github.com/advisories/GHSA-h4j7-5rxr-p4wc

[NikolaMilosavljevic]

Arcade uses packages from SBRP, version 17.8.3, which is considered vulnerable. Next up, in the same range, that isn't vulnerable is 17.8.29. I'll produce SBRP packages and flow them to arcade, so the version can be updated. This should eventually resolve the issue.

[NikolaMilosavljevic]

I've merged the fix in arcade repo - dotnet/arcade#15843. It should be picked up by this flow after successful build. That should resolve the source-build issue.

[NikolaMilosavljevic]

I've triggered the arcade->sdk flow for 9.0.1xx - it should update this PR shortly and start a rerun of the checks.