Don't fail CI builds on NuGet audit advisories #445
Code Review
This pull request updates the unit test project configuration to treat NuGet audit warnings (NU1901-NU1904) as non-errors during CI builds, preventing build failures while allowing Dependabot to handle updates. Feedback suggests also including NU1905 for unknown severity levels and applying these settings to the main project or a shared configuration file to ensure consistent behavior across the entire solution.
| <!-- In CI, don't fail the build on NuGet audit advisories (NU1901-NU1904). | ||
| Advisories still appear in build output, and Dependabot handles the | ||
| actual fix. Local builds keep the strict behavior. --> | ||
| <WarningsNotAsErrors Condition="'$(CI)' == 'true'">NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors> |
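Review bot: the "Local builds keep the strict behavior" claim in the comment holds only because the condition keys on the `CI` environment variable rather than on anything the build itself knows; a developer who exports `CI=true` in their shell, or any CI system that does not set that variable the way GitHub Actions does, silently gets the opposite behaviour. Consider stating in the comment that `CI` is the variable GitHub Actions sets, and, since `WarningsNotAsErrors` only downgrades the listed codes from error to warning, that the NU190x lines remain visible in the build log rather than being suppressed. Also note the list stops at NU1904; if other NU190x audit codes are expected they need to be added here as well, as the condition only covers the codes that are explicitly listed.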
Consider including NU1905 in the list to cover vulnerabilities with an 'Unknown' severity level. Without it, the build will still fail if such an advisory is reported.
Additionally, this change is currently limited to the unit test project. Since the main library project (MaxMind.GeoIP2.csproj) also has TreatWarningsAsErrors enabled, vulnerabilities in its dependencies will still cause CI failures. To fully address the issue and prevent future build blocks, consider applying this configuration to all projects or moving it to a shared Directory.Build.props file.
<!-- In CI, don't fail the build on NuGet audit advisories (NU1901-NU1905).
Advisories still appear in build output, and Dependabot handles the
actual fix. Local builds keep the strict behavior. -->
<WarningsNotAsErrors Condition="'$(CI)' == 'true'">NU1901;NU1902;NU1903;NU1904;NU1905</WarningsNotAsErrors>
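The review above suggests moving the setting into a shared Directory.Build.props so every project in the solution behaves the same way. The fragment below is an added example of what that file could look like; it is not code from this pull request or from the MaxMind.GeoIP2 repository. It assumes, as the thread does, that TreatWarningsAsErrors is on for all projects and that the CI system sets the CI=true environment variable (GitHub Actions does; other CI systems may not).

```xml
<!-- Directory.Build.props (added example, not the project's own file).
     Placed at the repository root, MSBuild imports it into every project
     in the tree, so the settings below apply solution-wide. -->
<Project>

  <PropertyGroup>
    <!-- Keep the strict default everywhere: any warning fails the build. -->
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
  </PropertyGroup>

  <!-- Only when the CI system exports CI=true: downgrade the NuGet audit
       codes (NU1901-NU1904 plus NU1905, as suggested in review) from error
       back to warning. They are still emitted, so the advisory remains
       visible in the CI log; Dependabot handles the actual upgrade.
       Appending to $(WarningsNotAsErrors) preserves any codes an
       individual project already lists. -->
  <PropertyGroup Condition="'$(CI)' == 'true'">
    <WarningsNotAsErrors>$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904;NU1905</WarningsNotAsErrors>
  </PropertyGroup>

</Project>
```

With this in place, the per-project `WarningsNotAsErrors` line in the unit-test csproj becomes redundant and can be removed, and a local `dotnet build` (with CI unset) still fails on an audit advisory exactly as before. To confirm the CI path locally without touching the environment, the same property can be passed on the command line as `-p:CI=true`; that also means a developer who does so is deliberately opting out of the strict behaviour.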
Set WarningsNotAsErrors for NU1901-NU1904 when building in CI (CI=true). This keeps TreatWarningsAsErrors strict locally so developers still catch issues, but avoids every PR being blocked by a newly-published advisory on a dependency until Dependabot can merge an upgrade. The advisory still appears in the build output for visibility. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
adf09e8 to 133516f
Summary
WarningsNotAsErrors entry for NU1901-NU1904 in the unit-test csproj, so NuGet audit advisories on dependencies don't red-X every build while we wait for a Dependabot upgrade. TreatWarningsAsErrors stays on, and local builds remain strict: the condition is keyed on the CI=true env var that GitHub Actions sets automatically. Advisories still appear in CI build output.

Context: run 24902042979 failed on OpenTelemetry.Exporter.OpenTelemetryProtocol 1.14.0 advisories. A Dependabot bump to 1.15.3 has since merged, but the CI failure blocked unrelated PRs in the meantime.

Test plan
CI=true) to confirm the build still fails locally