From 32f158e1b42f4302feb0de16c8630f67bb357a36 Mon Sep 17 00:00:00 2001 From: Benjamin Michaelis Date: Sun, 17 May 2026 17:38:34 -0700 Subject: [PATCH 1/3] Enable NuGet audit on public feed without private feed access - Remove conditional that disabled NuGet audit when AccessToNugetFeed != true - Add NuGetAuditSources property to restrict audit to 'nuget' source in CI - This prevents NU1900 errors when private Azure DevOps feed is unavailable - Audit now remains active during CI builds, detecting vulnerabilities in public packages - Update getting-started.md to clarify private feed is optional --- Directory.Packages.props | 8 ++++---- docs/getting-started.md | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Directory.Packages.props b/Directory.Packages.props index 8a75027b..735e32d0 100644 --- a/Directory.Packages.props +++ b/Directory.Packages.props @@ -4,10 +4,10 @@ false 1.1.1.19071 false - - false + + true + nuget diff --git a/docs/getting-started.md b/docs/getting-started.md index a910f44e..90c8d9f6 100644 --- a/docs/getting-started.md +++ b/docs/getting-started.md @@ -12,7 +12,7 @@ This guide will help you set up your local development environment for working o For basic browsing and UI development, no secrets are needed. The database connection and HCaptcha test keys are already configured in `appsettings.Development.json`. 1. Clone the repository. -2. If you have access to the private NuGet feed, set `true` in [Directory.Packages.props](../Directory.Packages.props). +2. (Optional) If you have access to the private NuGet feed, set `true` in [Directory.Packages.props](../Directory.Packages.props) to include internal packages. Without this, the app runs with placeholder content but security audits still function. 3. Run the project. > **Tip:** Use the [dotnet secret manager](https://learn.microsoft.com/en-us/aspnet/core/security/app-secrets#set-a-secret) for any secrets below: 
From 409c2da2c4158298594933cc8d3dbdf82ce4417d Mon Sep 17 00:00:00 2001 From: Benjamin Michaelis Date: Sun, 17 May 2026 21:34:22 -0700 Subject: [PATCH 2/3] Fix NuGetAuditSources to use nuget.org service index --- Directory.Packages.props | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Directory.Packages.props b/Directory.Packages.props index 735e32d0..774d5cd2 100644 --- a/Directory.Packages.props +++ b/Directory.Packages.props @@ -4,10 +4,10 @@ false 1.1.1.19071 false - + true - nuget + https://api.nuget.org/v3/index.json From ef04e36b3bd5349f9163af369e1f9e6b034a048a Mon Sep 17 00:00:00 2001 From: Benjamin Michaelis Date: Sun, 17 May 2026 22:16:05 -0700 Subject: [PATCH 3/3] Limit NuGet audit sources to nuget.org --- nuget.config | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nuget.config b/nuget.config index 65bcde44..27fac003 100644 --- a/nuget.config +++ b/nuget.config @@ -6,6 +6,10 @@ + + + +
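Review bot: In the Directory.Packages.props hunk of patch 1/3, the change from `false` to `true` turns audit on for every restore, but the commit message only discusses NU1900. State in the message, or in a comment beside the property, whether vulnerability findings on public packages are meant to warn or to fail the build, so that contributors building without the private feed know what to expect when a new advisory is published.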
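Review bot: In the docs/getting-started.md hunk of patch 1/3, step 2 now ends with "security audits still function", which is broader than what the commit message claims (audit "detecting vulnerabilities in public packages"). Name the check explicitly, for example "NuGet audit still runs against the public feed", so readers know which audit is meant.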
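Review bot: Patch 2/3 only replaces the `nuget` value that patch 1/3 introduced with `https://api.nuget.org/v3/index.json`, so the series keeps a commit whose audit source value is the one being fixed here. Squash this into 1/3 and update the 1/3 message, which still says audit is restricted to the 'nuget' source.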
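Review bot: The nuget.config hunk of patch 3/3 limits audit sources to nuget.org, which the Directory.Packages.props value set in patch 2/3 is already meant to do, and the commit message has no body explaining why both are needed. Keep the setting in one file, or say in the message which of the two restore actually honors and why the other stays, so the two cannot drift apart later.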