chore: fix vulnerable packages (#4757)

* chore: fix vulnerable packages

* chore: use NuGet feed for Microsoft.CodeAnalysis.Testing

* build: Package Source Mapping allows prefix-patterns only

* build: add missing "Microsoft.CodeAnalysis.Testing" package source mappings

* revert: use NuGet feed for Microsoft.CodeAnalysis.Testing

* chore: update Sentry.Analyzers.Tests to net10.0

* style: revert nuget.config

Author: Flash0ver

samples/Sentry.Samples.EntityFramework/Sentry.Samples.EntityFramework.csproj

@@ -17,9 +17,6 @@
 
     <PackageReference Include="EntityFramework" Version="6.5.1" />
     <PackageReference Include="Effort.EF6" Version="2.2.16" />
-
-    <!-- this is needed because the version that is brought in transitively has a vulnerability warning -->
-    <PackageReference Include="System.Drawing.Common" Version="6.0.0" />
   </ItemGroup>
 
 </Project>

src/Sentry/Sentry.csproj

@@ -83,13 +83,7 @@
 
   <!-- Ensure at least version 6 of System.Text.Json so we have JsonSerializationContext available -->
   <ItemGroup Condition="$(TargetFramework.StartsWith('net4')) or $(TargetFramework.StartsWith('netstandard'))">
-    <PackageReference Include="System.Text.Json" Version="8.0.5" >
-      <!--
-        Ignoring the vulnerability warning: https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
-        The app can/should pin to the latest version. We will bump once a patch on v6 (still LTS until Nov 24) is out
-      -->
-      <NoWarn>NU1903</NoWarn>
-    </PackageReference>
+    <PackageReference Include="System.Text.Json" Version="8.0.5" />
   </ItemGroup>
 
   <!--

test/Directory.Build.props

@@ -72,12 +72,9 @@
     <PackageReference Include="coverlet.collector" Version="6.0.4" />
   </ItemGroup>
 
-  <!-- these are needed because the versions that are brought in transitively have vulnerability warnings -->
-  <ItemGroup>
-    <PackageReference Include="Newtonsoft.Json" Version="13.0.3"/>
-  </ItemGroup>
   <ItemGroup Condition="$(TargetFramework.StartsWith('net4'))">
     <PackageReference Include="System.Net.Http" Version="4.3.4" />
     <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
   </ItemGroup>
+
 </Project>

test/Sentry.Analyzers.Tests/Sentry.Analyzers.Tests.csproj

@@ -1,22 +1,22 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
-    <PropertyGroup>
-        <TargetFramework>$(PreviousTfm)</TargetFramework>
-        <Nullable>enable</Nullable>
+  <PropertyGroup>
+    <TargetFramework>$(LatestTfm)</TargetFramework>
+    <Nullable>enable</Nullable>
 
-        <IsPackable>false</IsPackable>
-    </PropertyGroup>
+    <IsPackable>false</IsPackable>
+  </PropertyGroup>
 
-    <ItemGroup>
-        <PackageReference Include="Microsoft.CodeAnalysis.CSharp.Analyzer.Testing" Version="1.1.2"/>
-        <PackageReference Include="Microsoft.CodeAnalysis.CSharp.CodeFix.Testing" Version="1.1.2"/>
-        <PackageReference Include="Microsoft.CodeAnalysis.CSharp" Version="4.3.0"/>
-        <PackageReference Include="Microsoft.CodeAnalysis.CSharp.Workspaces" Version="4.3.0"/>
-    </ItemGroup>
+  <ItemGroup>
+    <PackageReference Include="Microsoft.CodeAnalysis.CSharp.Analyzer.Testing" Version="1.1.2" />
+    <PackageReference Include="Microsoft.CodeAnalysis.CSharp.CodeFix.Testing" Version="1.1.2" />
+    <PackageReference Include="Microsoft.CodeAnalysis.CSharp" Version="4.3.0" />
+    <PackageReference Include="Microsoft.CodeAnalysis.CSharp.Workspaces" Version="4.3.0" />
+  </ItemGroup>
 
-    <ItemGroup>
-      <ProjectReference Include="..\..\src\Sentry.Analyzers\Sentry.Analyzers.csproj" />
-    </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="..\..\src\Sentry.Analyzers\Sentry.Analyzers.csproj" />
+  </ItemGroup>
 
   <ItemGroup>
     <Using Remove="Sentry.*" />

test/Sentry.DiagnosticSource.IntegrationTests/Sentry.DiagnosticSource.IntegrationTests.csproj

@@ -18,30 +18,35 @@
     <PackageReference Include="Verify.EntityFramework" Version="9.0.0" />
     <PackageReference Include="Microsoft.EntityFrameworkCore" Version="9.0.0" />
     <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="9.0.0" />
+    <!-- https://github.com/advisories/GHSA-m5vv-6r4h-3vj9 -->
+    <PackageReference Include="Azure.Identity" Version="1.11.4" />
   </ItemGroup>
 
   <!-- Test EF Core 8 on .NET 8 -->
   <ItemGroup Condition="'$(TargetFramework)' == 'net8.0'">
     <PackageReference Include="Verify.EntityFramework" Version="8.0.0" />
     <PackageReference Include="Microsoft.EntityFrameworkCore" Version="8.0.0" />
     <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="8.0.0" />
+    <!-- https://github.com/advisories/GHSA-m5vv-6r4h-3vj9 -->
+    <PackageReference Include="Azure.Identity" Version="1.11.4" />
+    <!-- https://github.com/advisories/GHSA-qj66-m88j-hmgj -->
+    <PackageReference Include="Microsoft.Extensions.Caching.Memory" Version="8.0.1" />
   </ItemGroup>
 
   <!-- Test EF Core 3.1 on .NET Framework -->
-  <ItemGroup Condition="'$(TargetFramework)' == 'net48' ">
+  <ItemGroup Condition="'$(TargetFramework)' == 'net48'">
     <ProjectReference Include="..\..\src\Sentry.DiagnosticSource\Sentry.DiagnosticSource.csproj" />
     <PackageReference Include="Microsoft.EntityFrameworkCore" Version="3.1.32" />
     <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="3.1.32" />
+    <!-- https://github.com/advisories/GHSA-m5vv-6r4h-3vj9 -->
+    <PackageReference Include="Azure.Identity" Version="1.11.4" />
   </ItemGroup>
 
   <ItemGroup>
     <PackageReference Include="LocalDb" Version="18.0.1" />
   </ItemGroup>
 
   <ItemGroup>
-    <!-- this is needed because the version that is brought in transitively has a vulnerability warning -->
-    <PackageReference Include="System.Drawing.Common" Version="6.0.0" />
-
     <ProjectReference Include="..\..\src\Sentry.Extensions.Logging\Sentry.Extensions.Logging.csproj" />
     <ProjectReference Include="..\Sentry.Testing\Sentry.Testing.csproj" />
     <ProjectReference Include="..\..\src\Sentry\Sentry.csproj" />

test/Sentry.DiagnosticSource.Tests/Sentry.DiagnosticSource.Tests.csproj

@@ -22,6 +22,8 @@
   <ItemGroup Condition="'$(TargetFramework)' == 'net8.0'">
     <PackageReference Include="Microsoft.EntityFrameworkCore" Version="8.0.0" />
     <PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="8.0.0" />
+    <!-- https://github.com/advisories/GHSA-qj66-m88j-hmgj -->
+    <PackageReference Include="Microsoft.Extensions.Caching.Memory" Version="8.0.1" />
   </ItemGroup>
 
   <!-- Test .NET Framework -->

test/Sentry.Extensions.Logging.Tests/Sentry.Extensions.Logging.Tests.csproj

@@ -10,7 +10,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="6.0.0" />
+    <PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="6.0.1" />
     <ProjectReference Include="..\..\src\Sentry.Extensions.Logging\Sentry.Extensions.Logging.csproj" />
     <ProjectReference Include="..\Sentry.Testing\Sentry.Testing.csproj" />
   </ItemGroup>

test/Sentry.Maui.Device.TestApp/Sentry.Maui.Device.TestApp.csproj

@@ -73,9 +73,6 @@
     <PackageReference Include="Microsoft.Maui.Controls" Version="$(MauiVersion)"/>
     <PackageReference Include="Microsoft.Maui.Core" Version="$(MauiVersion)"/>
     <PackageReference Include="Microsoft.Maui.Essentials" Version="$(MauiVersion)"/>
-
-    <!-- https://github.com/advisories/GHSA-5f2m-466j-3848 -->
-    <PackageReference Include="System.Private.Uri" Version="4.3.2"/>
   </ItemGroup>
 
   <!-- Configure XUnit -->