
[oryx] - Fixing build issue #1680

Merged
abdurriq merged 1 commit into devcontainers:main from Kaniska244:oryx-feature-inst-issue
Jun 30, 2026

@Kaniska244 Kaniska244 commented Jun 30, 2026

Contributor

Summary

The Oryx feature fails to install because building the upstream microsoft/Oryx solution aborts during NuGet restore with a security-audit error:

error NU1903: Warning As Error: Package 'Scriban.Signed' 5.5.2 has a known high severity vulnerability, https://github.com/advisories/GHSA-24c8-4792-22hx

Recent .NET SDKs enable NuGet audit by default, which emits NU1903 warnings for dependencies with known advisories. The Oryx solution builds with TreatWarningsAsErrors, so this advisory is promoted to a hard error and the feature install fails:

ERROR: Feature "Oryx" (Unknown) failed to install!

The flagged package (Scriban.Signed 5.5.2) is a transitive dependency declared inside the upstream Oryx repository, so it cannot be fixed from this feature.

Changes

  • Pass -p:NuGetAudit=false to the dotnet build and both dotnet publish invocations in src/oryx/install.sh so the audit step no longer breaks the build. The flag is applied per-invocation because each build/publish runs its own NuGet restore in a separate process.
  • Bump the oryx feature version 2.0.0 → 2.0.1.

Why disable audit instead of a narrower fix

NuGet audit findings change over time as new advisories are published. Disabling the audit for this build avoids the install breaking again whenever a different upstream dependency gets flagged. The audit is a build-time advisory check only; it does not change the produced oryx binary, and the vulnerable dependencies are owned by the upstream Oryx project, not this feature.

Testing

  • oryx feature installs successfully (build no longer fails on NU1903).
  • Existing oryx test scenarios pass.

Related

@Kaniska244 Kaniska244 marked this pull request as ready for review June 30, 2026 16:09
@Kaniska244 Kaniska244 requested a review from a team as a code owner June 30, 2026 16:09
@abdurriq abdurriq merged commit 5e6a854 into devcontainers:main Jun 30, 2026
10 checks passed
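
Added example, not part of this pull request or of src/oryx/install.sh: a shell filter that pulls NuGet audit findings (NU1901 to NU1904) out of dotnet build output in the message format quoted in the summary, then drops the advisories a team has already accepted as upstream-owned. It assumes a build where audit stays enabled and those codes are kept as warnings (for example through the MSBuild WarningsNotAsErrors property); the function names, the `|`-separated row format, the accepted-list file, the project paths and the `Example.Pkg` line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from install.sh): keep NuGet audit advisories visible
# in a build log even when they are not allowed to fail the build.

# Read dotnet build output on stdin; print one unique row per finding:
#   severity|package|version|advisory-url
audit_findings() {
    sed -n -E "s/.*NU190[1-4]: (Warning As Error: )?Package '([^']+)' ([^ ]+) has a known ([a-z]+) severity vulnerability, (https:[^ ]+).*/\4|\2|\3|\5/p" \
        | sort -u
}

# Read audit_findings rows on stdin; print those whose advisory ID is NOT
# listed in the accepted-advisories file $1 (one GHSA ID per line).
unaccepted_findings() {
    while IFS='|' read -r sev pkg ver url; do
        id=${url##*/}    # last path segment of the advisory URL
        grep -qxF "$id" "$1" 2>/dev/null \
            || printf '%s|%s|%s|%s\n' "$sev" "$pkg" "$ver" "$url"
    done
}

# Constructed sample log. The first line is the error text quoted in the PR
# summary; the project paths and the Example.Pkg finding are made up.
sample_log() {
    cat <<'EOF'
error NU1903: Warning As Error: Package 'Scriban.Signed' 5.5.2 has a known high severity vulnerability, https://github.com/advisories/GHSA-24c8-4792-22hx
/src/A.csproj : warning NU1903: Package 'Scriban.Signed' 5.5.2 has a known high severity vulnerability, https://github.com/advisories/GHSA-24c8-4792-22hx [/src/App.sln]
/src/B.csproj : warning NU1902: Package 'Example.Pkg' 1.0.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-xxxx-xxxx-xxxx [/src/App.sln]
  Build succeeded.
EOF
}

# Stand-alone run: list the unique findings in the sample log.
sample_log | audit_findings
```

Piping a real build log through `audit_findings | unaccepted_findings accepted.txt` leaves only advisories nobody has reviewed yet, which can be logged or used as a separate, non-blocking check.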

2 participants