Don't fail CI builds on NuGet audit advisories #391
Code Review
This pull request updates the unit test project configuration to treat NuGet audit advisories (NU1901-NU1904) as warnings rather than errors when running in CI environments. The review feedback recommends applying this setting globally or to the main library project for consistency, using additive syntax to avoid overwriting existing properties, and including NU1905 to cover retired packages.
| <!-- In CI, don't fail the build on NuGet audit advisories (NU1901-NU1904). | ||
| Advisories still appear in build output, and Dependabot handles the | ||
| actual fix. Local builds keep the strict behavior. --> | ||
| <WarningsNotAsErrors Condition="'$(CI)' == 'true'">NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors> |
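Review bot: the condition `'$(CI)' == 'true'` only relaxes the build when the `CI` variable holds exactly `true`. The PR description relies on GitHub Actions setting `CI=true` automatically, so a developer or another CI system that exports a different value (or none) silently gets the strict behaviour and a red build on the next published advisory. State that assumption in the comment block inside the hunk ("In CI" is broader than what the condition actually tests), or widen the condition, for example by also accepting `'$(GITHUB_ACTIONS)' == 'true'`.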
This change only applies to the unit test project. However, the main library project MaxMind.MinFraud.csproj also has TreatWarningsAsErrors set to true (line 32). If a NuGet audit advisory is triggered by a dependency in the library project, the CI build will still fail during the compilation of that project. To fully achieve the goal of not failing CI builds on these advisories, you should apply this configuration to MaxMind.MinFraud.csproj as well, or consider using a Directory.Build.props file in the repository root to apply this setting globally across the repository. Additionally, it is a best practice to use the additive syntax $(WarningsNotAsErrors);... to avoid overwriting any values that might be set in imported property files. Finally, since this project targets .NET 9 and .NET 10, you may also want to include NU1905 (Package is retired) in the list.
<WarningsNotAsErrors Condition="'$(CI)' == 'true'">$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>
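The following is an added example, not code from this PR or from the MaxMind repositories, showing what the review comment above asks for: a hypothetical Directory.Build.props at the repository root that keeps TreatWarningsAsErrors on for every project, uses the additive $(WarningsNotAsErrors) syntax, and adds NU1905 (which the review identifies as the "package is retired" code) to the CI-only list.

```xml
<!-- Directory.Build.props (hypothetical, repository root; MSBuild imports it
     automatically for every project below it, so it covers MaxMind.MinFraud.csproj
     and the unit-test project alike). -->
<Project>

  <PropertyGroup>
    <!-- Strict by default: any compiler or NuGet warning fails the build.
         This is what local developer builds see, since CI is unset there. -->
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
  </PropertyGroup>

  <!-- Only when the CI environment variable is exactly "true" (GitHub Actions
       sets CI=true), downgrade NuGet audit advisories back to warnings.
       NU1901-NU1904 are the low/moderate/high/critical vulnerability advisories;
       NU1905 is the retired-package code named in the review.
       Prepending $(WarningsNotAsErrors) keeps any codes set by an earlier
       import or by the individual csproj instead of overwriting them.
       The advisories still print in the CI build log; the dependency upgrade
       itself still comes from Dependabot. -->
  <PropertyGroup Condition="'$(CI)' == 'true'">
    <WarningsNotAsErrors>$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904;NU1905</WarningsNotAsErrors>
  </PropertyGroup>

</Project>
```

With this file in place the per-project WarningsNotAsErrors line in the unit-test csproj becomes redundant and can be dropped, so both projects follow one rule.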
Set WarningsNotAsErrors for NU1901-NU1904 when building in CI (CI=true). This keeps TreatWarningsAsErrors strict locally so developers still catch issues, but avoids every PR being blocked by a newly-published advisory on a dependency until Dependabot can merge an upgrade. The advisory still appears in the build output for visibility.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
WarningsNotAsErrors entry for NU1901-NU1904 in the unit-test csproj, so NuGet audit advisories on dependencies don't red-X every build while we wait for a Dependabot upgrade. TreatWarningsAsErrors stays on, and local builds remain strict — the condition is keyed on the CI=true env var that GitHub Actions sets automatically. Advisories still appear in CI build output.
Companion change in GeoIP2-dotnet and MaxMind-DB-Reader-dotnet.
Test plan
CI=true) to confirm the build still fails locally