[oryx] - Fixing build issue #1680

Merged
abdurriq merged 1 commit into devcontainers:main from Kaniska244:oryx-feature-inst-issue
Jun 30, 2026
Conversation

Kaniska244 commented Jun 30, 2026

Contributor

Summary

The Oryx feature fails to install because building the upstream microsoft/Oryx solution aborts during NuGet restore with a security-audit error:

error NU1903: Warning As Error: Package 'Scriban.Signed' 5.5.2 has a known high severity vulnerability, https://github.com/advisories/GHSA-24c8-4792-22hx

Recent .NET SDKs enable NuGet audit by default, which emits NU1903 warnings for dependencies with known advisories. The Oryx solution builds with TreatWarningsAsErrors, so this advisory is promoted to a hard error and the feature install fails:

ERROR: Feature "Oryx" (Unknown) failed to install!

The flagged package (Scriban.Signed 5.5.2) is a transitive dependency declared inside the upstream Oryx repository, so it cannot be fixed from this feature.

Changes

  • Pass -p:NuGetAudit=false to the dotnet build and both dotnet publish invocations in src/oryx/install.sh so the audit step no longer breaks the build. The flag is applied per-invocation because each build/publish runs its own NuGet restore in a separate process.
  • Bump the oryx feature version 2.0.0 → 2.0.1.

Why disable audit instead of a narrower fix

NuGet audit findings change over time as new advisories are published. Disabling the audit for this build avoids the install breaking again whenever a different upstream dependency gets flagged. The audit is a build-time advisory check only; it does not change the produced oryx binary, and the vulnerable dependencies are owned by the upstream Oryx project, not this feature.

Testing

  • oryx feature installs successfully (build no longer fails on NU1903).
  • Existing oryx test scenarios pass.

Related

Kaniska244 marked this pull request as ready for review June 30, 2026 16:09
Kaniska244 requested a review from a team as a code owner June 30, 2026 16:09
abdurriq merged commit 5e6a854 into devcontainers:main Jun 30, 2026
10 checks passed
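
For triaging a failed install log like the one quoted in this PR, the following added example (not code from this pull request, devcontainers/features or Oryx) extracts each NuGet audit finding, NU1901 through NU1904, from build output and drops repeats of the same finding across projects. The function names, the project path and the second package in the sample log are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: list NuGet audit findings found in build or restore output.
# NuGet audit codes: NU1901 low, NU1902 moderate, NU1903 high, NU1904 critical.
# Output, one line per unique finding, tab-separated:
#   code  level  severity  package  version  advisory-url

nuget_audit_findings() {
  # Reads log text on stdin. "level" is "error" when TreatWarningsAsErrors
  # promoted the advisory, "warning" otherwise.
  awk -v q="'" '
    match($0, /(warning|error) NU190[1-4]:/) {
      split(substr($0, RSTART, RLENGTH), head, " ")   # "error", "NU1903:"
      level = head[1]; code = head[2]; sub(/:$/, "", code)
      # The package id is the single-quoted token after the code.
      if (split(substr($0, RSTART + RLENGTH), part, q) < 3) next
      # part[3]: <version> has a known <sev> severity vulnerability, <url> [...]
      n = split(part[3], w, " ")
      if (n < 8 || w[2] != "has" || w[6] != "severity") next
      key = code SUBSEP part[2] SUBSEP w[1] SUBSEP w[8]
      if (key in seen) next        # same finding repeated per project
      seen[key] = 1
      printf "%s\t%s\t%s\t%s\t%s\t%s\n", code, level, w[5], part[2], w[1], w[8]
    }'
}

# Constructed sample log. Line 1 is the error quoted in this PR; line 2 repeats
# it with an MSBuild-style project prefix and suffix (hypothetical path); line 3
# is a constructed warning for a made-up package; line 4 is unrelated output.
sample_log() {
  cat <<'EOF'
error NU1903: Warning As Error: Package 'Scriban.Signed' 5.5.2 has a known high severity vulnerability, https://github.com/advisories/GHSA-24c8-4792-22hx
/src/Example.csproj : error NU1903: Warning As Error: Package 'Scriban.Signed' 5.5.2 has a known high severity vulnerability, https://github.com/advisories/GHSA-24c8-4792-22hx [/src/Example.csproj]
/src/Example.csproj : warning NU1902: Package 'Example.Pkg' 1.0.0 has a known moderate severity vulnerability, https://example.invalid/advisory [/src/Example.csproj]
  Restored /src/Example.csproj (in 1.2 sec).
EOF
}

sample_log | nuget_audit_findings
```

Pipe a saved build log into `nuget_audit_findings`; it only reports and does not affect the build's exit status.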