Add updating vulnerable packages guidance to the docs #3493
Conversation
Pull Request Overview
This PR moves guidance from a blog post into the official documentation for handling packages with known vulnerabilities. The changes update references to point to the new documentation location and expand the content with detailed instructions for resolving vulnerabilities in both direct and transitive package dependencies.
Key Changes:
- Replaced blog post references with links to expanded documentation
- Added comprehensive guidance on handling transitive package vulnerabilities
- Added instructions and screenshots for three methods to find transitive package paths
Reviewed Changes
Copilot reviewed 2 out of 6 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| docs/reference/errors-and-warnings/NU1901-NU1904.md | Updated reference from blog post to new documentation section |
| docs/concepts/Auditing-Packages.md | Added detailed guidance on resolving vulnerabilities and finding transitive package paths, with visual examples |
PoliCheck Scan Report
The following report lists PoliCheck issues in PR files. Before you merge the PR, you must fix all severity-1 issues. Other issues are also a high priority. The AI Review Details column lists suggestions for either removing or replacing the terms. If you find a false positive result, mention it in a PR comment and include this text: #policheck-false-positive. This feedback helps reduce false positives in future scans.
✅ No issues found
More information about PoliCheck: PoliCheck | Severity Guidance | Term
Learn Build status updates of commit 848d388: 💡 Validation status: suggestions
docs/concepts/media/pmui-transitive-tooltip-1.png
For more details, please refer to the build report. Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.
Co-authored-by: Copilot <[email protected]>
Pull Request Overview
Copilot reviewed 2 out of 6 changed files in this pull request and generated 1 comment.
Learn Build status updates of commit 6dd8399: 💡 Validation status: suggestions
docs/concepts/media/pmui-transitive-tooltip-1.png
Learn Build status updates of commit 42d66ea: 💡 Validation status: suggestions
docs/concepts/media/pmui-transitive-tooltip-1.png
Learn Build status updates of commit 7af8fa8: 💡 Validation status: suggestions
docs/concepts/media/pmui-transitive-tooltip-1.png
Pull Request Overview
Copilot reviewed 2 out of 6 changed files in this pull request and generated 3 comments.
Learn Build status updates of commit 8ed6c58: ✅ Validation status: passed
Learn Build status updates of commit 2c7be46: ✅ Validation status: passed
Pull Request Overview
Copilot reviewed 2 out of 6 changed files in this pull request and generated 4 comments.
Learn Build status updates of commit a822667: ✅ Validation status: passed
Learn Build status updates of commit 8a578ca: ✅ Validation status: passed
Pull Request Overview
Copilot reviewed 2 out of 6 changed files in this pull request and generated 1 comment.
Learn Build status updates of commit 6634758: ✅ Validation status: passed
Learn Build status updates of commit bf149c4: ✅ Validation status: passed
Pull Request Overview
Copilot reviewed 2 out of 6 changed files in this pull request and generated 3 comments.
Learn Build status updates of commit 8727cf4:
| File | Status | Preview URL | Details |
|---|---|---|---|
| docs/concepts/Auditing-Packages.md | | View | Details |
| docs/concepts/media/dotnet-nuget-why-1.png | ✅Succeeded | View | |
| docs/concepts/media/pm-ui-transitive-tooltip-1.png | ✅Succeeded | View | |
| docs/concepts/media/vs-solution-explorer-search-options-1.png | ✅Succeeded | View | |
| docs/concepts/media/vs-solution-explorer-search-results-1.png | ✅Succeeded | View | |
| docs/reference/errors-and-warnings/NU1901-NU1904.md | ✅Succeeded | View | |

docs/concepts/Auditing-Packages.md
- Line 28, Column 160: [Warning: bookmark-not-found - See documentation] Cannot find bookmark '#security-vulnerabilities-found-with-updates' in 'concepts/Auditing-Packages.md'.
- Line 190, Column 1: [Warning: code-block-unclosed - See documentation] Unclosed code block. Code blocks must begin and end with triple backticks (```).
Learn Build status updates of commit 803984c: same file statuses and warnings as for commit 8727cf4 (docs/concepts/Auditing-Packages.md: bookmark-not-found at line 28, column 160, and code-block-unclosed at line 190, column 1; all other changed files ✅Succeeded).
Learn Build status updates of commit c4c54c4: ✅ Validation status: passed
jebriede left a comment
Great guidance on updating vulnerable packages. I left one minor suggestion.
I tried to get Copilot to do it, but it incorrectly assumed that all the content was actually included; the instruction for the transitive paths wasn't.
Anyway, this PR is a start and we can iterate more.
Fixes: NuGet/Home#14612