Stop failing the build on low/moderate NuGet audit advisories

angularsen · claude · angularsen · commit 407cd42183f0 · 2026-05-02T19:40:38.000+02:00
The default NuGetAuditLevel is "low", which combined with
TreatWarningsAsErrors=true causes restore-time NU1901/NU1902 warnings
for low- and moderate-severity transitive package advisories to fail
the build. We saw this with NuGet.Packaging/NuGet.Protocol 7.0.1
pulled in transitively by tooling - we cannot upgrade those without
breaking other constraints, and the advisories are not actionable.

Set NuGetAuditLevel=high so only high- and critical-severity audit
advisories surface (and still fail the build via TreatWarningsAsErrors).

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/Directory.Build.props b/Directory.Build.props
@@ -19,6 +19,14 @@
     <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
     <!-- 612: obsolete, 618: obsolete with message -->
     <WarningsNotAsErrors>612,618</WarningsNotAsErrors>
+    <!--
+      NuGet audit severity floor. Default is "low" which fails restore on any disclosed CVE
+      regardless of impact (e.g. transitive packages with low-severity advisories that we
+      cannot upgrade away from). "high" only audits high and critical advisories, which
+      still surface as warnings and (via TreatWarningsAsErrors) still fail the build.
+      Low and moderate advisories are no longer reported.
+    -->
+    <NuGetAuditLevel>high</NuGetAuditLevel>
   </PropertyGroup>
 
   <!-- Build symbol package (.snupkg) to distribute the PDB file for debugging, in addition to Source Link per recommendation: https://learn.microsoft.com/en-us/dotnet/standard/library-guidance/sourcelink -->
