Skip to content

fix(nethermind): skip NuGet audit to unblock CI#1036

Merged
mw2000 merged 1 commit intomainfrom
mihirwadekar/pin-nethermind-dotnet-sdk
Apr 28, 2026
Merged

fix(nethermind): skip NuGet audit to unblock CI#1036
mw2000 merged 1 commit intomainfrom
mihirwadekar/pin-nethermind-dotnet-sdk

Conversation

@mw2000
Copy link
Copy Markdown
Contributor

@mw2000 mw2000 commented Apr 27, 2026
edited
Loading

Problem

The nethermind Docker build fails on every PR with:

error NU1904: Warning As Error: Package 'Microsoft.AspNetCore.DataProtection' 10.0.1
has a known critical severity vulnerability, GHSA-9mv3-2cwr-p262

A CVE was published against Microsoft.AspNetCore.DataProtection 10.0.1 after Nethermind 1.36.2 shipped. Since Nethermind enables TreatWarningsAsErrors, NuGet audit now hard-fails dotnet restore for ~40 projects in the dependency graph.

Fix

Pass -p:NuGetAudit=false to dotnet publish in the nethermind Dockerfile. This is the standard workaround when an upstream dependency pins a vulnerable transitive package in its latest stable release.

Upstream

Already patched in NethermindEth/nethermind#11331, shipping in 1.37.0 (pre-release). When 1.37.0 goes stable, we bump NETHERMIND_TAG in versions.env and drop this flag.

@cb-heimdall
Copy link
Copy Markdown
Collaborator

cb-heimdall commented Apr 27, 2026
edited
Loading

✅ Heimdall Review Status

Requirement Status More Info
Reviews 1/1
Denominator calculation
Show calculation
1 if user is bot 0
1 if user is external 0
2 if repo is sensitive 0
From .codeflow.yml 1
Additional review requirements
Show calculation
Max 0
0
From CODEOWNERS 0
Global minimum 0
Max 1
1
1 if commit is unverified 1
Sum 2

@mw2000 mw2000 force-pushed the mihirwadekar/pin-nethermind-dotnet-sdk branch from 44ef6e9 to 3b02658 Compare April 27, 2026 23:46
@mw2000
fix: disable NuGet audit in nethermind Dockerfile
a916a6e 
NuGet's vulnerability database was updated after Nethermind 1.36.2's
release to flag Microsoft.AspNetCore.DataProtection 10.0.1 as critically
vulnerable (GHSA-9mv3-2cwr-p262). Since Nethermind treats warnings as
errors, dotnet restore fails with NU1904 on every PR.

Disable NuGet audit at build time with -p:NuGetAudit=false to unblock
CI. The fix is merged upstream (NethermindEth/nethermind#11331) and
included in 1.37.0 (pre-release). Once a stable Nethermind release
ships with the patched dependency, we bump NETHERMIND_TAG and remove
this flag.
@mw2000 mw2000 force-pushed the mihirwadekar/pin-nethermind-dotnet-sdk branch from 3b02658 to a916a6e Compare April 27, 2026 23:52
@mw2000 mw2000 changed the title fix: pin .NET SDK and runtime digests in nethermind Dockerfile fix: disable NuGet audit in nethermind Dockerfile Apr 27, 2026
@mw2000 mw2000 changed the title fix: disable NuGet audit in nethermind Dockerfile fix(nethermind): skip NuGet audit to unblock CI (GHSA-9mv3-2cwr-p262) Apr 27, 2026
@mw2000 mw2000 changed the title fix(nethermind): skip NuGet audit to unblock CI (GHSA-9mv3-2cwr-p262) fix(nethermind): skip NuGet audit to unblock CI Apr 27, 2026
@mw2000 mw2000 marked this pull request as ready for review April 27, 2026 23:54
@mw2000 mw2000 requested review from danyalprout and refcell April 28, 2026 00:01
@mw2000 mw2000 merged commit d4a32b2 into main Apr 28, 2026
11 checks passed
@mw2000 mw2000 deleted the mihirwadekar/pin-nethermind-dotnet-sdk branch April 28, 2026 01:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@danyalprout danyalprout danyalprout approved these changes

@refcell refcell Awaiting requested review from refcell

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mw2000 @cb-heimdall @danyalprout