[oryx] - Fixing build issue #1680
Merged
abdurriq approved these changes Jun 30, 2026
Summary

The Oryx feature fails to install because building the upstream microsoft/Oryx solution aborts during NuGet restore with a security-audit error:

Recent .NET SDKs enable NuGet audit by default, which emits `NU1903` warnings for dependencies with known advisories. The Oryx solution builds with `TreatWarningsAsErrors`, so this advisory is promoted to a hard error and the feature install fails:

The flagged package (`Scriban.Signed` 5.5.2) is a transitive dependency declared inside the upstream Oryx repository, so it cannot be fixed from this feature.

Changes

- Added `-p:NuGetAudit=false` to the `dotnet build` and both `dotnet publish` invocations in `src/oryx/install.sh` so the audit step no longer breaks the build. The flag is applied per-invocation because each `build`/`publish` runs its own NuGet restore in a separate process.
- `oryx` feature version `2.0.0` → `2.0.1`.

Why disable audit instead of a narrower fix

NuGet audit findings change over time as new advisories are published. Disabling the audit for this build avoids the install breaking again whenever a different upstream dependency gets flagged. The audit is a build-time advisory check only; it does not change the produced `oryx` binary, and the vulnerable dependencies are owned by the upstream Oryx project, not this feature.

Testing

- `oryx` feature installs successfully (build no longer fails on `NU1903`).

Related
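The script below is an added example of how the per-invocation flag described under Changes can be kept in an install script; it is not the feature's own `src/oryx/install.sh` and not code from the Oryx project. The solution and project paths, the output directory and the `-c Release` argument are assumptions chosen for illustration. The closing `dotnet list ... --vulnerable --include-transitive` step is likewise an addition: it surfaces the advisories the disabled audit would have raised (transitive packages included) without turning them back into build errors, which is the trade-off the PR description discusses.

```shell
#!/bin/sh
# Added example, not the oryx feature's src/oryx/install.sh.
# Assumptions (not taken from the PR): the upstream checkout at $ORYX_SRC, the
# solution/project paths below, the output directory $OUT, and "-c Release".
set -e

ORYX_SRC="${ORYX_SRC:-./Oryx}"
ORYX_SLN="${ORYX_SLN:-$ORYX_SRC/Oryx.sln}"   # assumed path
OUT="${OUT:-/opt/oryx}"                        # assumed publish output dir

# The flag must ride on every invocation: build and each publish perform their
# own NuGet restore in a separate process, so a flag on one does not cover
# the others.
NUGET_AUDIT_FLAG="-p:NuGetAudit=false"

# Run one dotnet phase with the audit flag always inserted.
# $1 = build|publish, $2 = solution or project, remaining args pass through.
# DRY_RUN=1 prints the command line instead of executing it, so the wiring
# can be checked on a machine without a .NET SDK.
run_dotnet() {
  phase="$1"; target="$2"; shift 2
  set -- "$phase" "$target" "$NUGET_AUDIT_FLAG" "$@"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s ' dotnet "$@"; echo
    return 0
  fi
  dotnet "$@"
}

# Return 0 if a printed command line carries the audit flag. A guard like this
# in CI keeps a later refactor from silently dropping the flag from one of
# the three invocations and reintroducing the NU1903 failure.
has_audit_flag() {
  case "$1" in
    *" $NUGET_AUDIT_FLAG "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Advisory report that does not gate the install: lists what the audit would
# have flagged, transitive dependencies included, after restore has run.
# "|| true" keeps it informational.
report_vulnerable_packages() {
  dotnet list "$1" package --vulnerable --include-transitive || true
}

install_oryx() {
  run_dotnet build "$ORYX_SLN" -c Release
  # Two publish steps, mirroring "both dotnet publish invocations" in the PR;
  # the project names are placeholders, not the real Oryx layout.
  run_dotnet publish "$ORYX_SRC/src/ProjectA/ProjectA.csproj" -c Release -o "$OUT"
  run_dotnet publish "$ORYX_SRC/src/ProjectB/ProjectB.csproj" -c Release -o "$OUT"
  report_vulnerable_packages "$ORYX_SLN"
}

# The install only runs when explicitly requested, so the file can also be
# sourced to reuse run_dotnet / has_audit_flag.
if [ "${1:-}" = "--install" ]; then install_oryx; fi
```

`DRY_RUN=1 sh install-oryx.sh --install` prints the three command lines and shows the flag on each of them; without `DRY_RUN` the same invocations execute against the SDK.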