From 48ebd16fcb1c37c2884a9451ce8140b0f88b8ddc Mon Sep 17 00:00:00 2001 From: Johann Ungerer Date: Tue, 26 May 2026 21:53:16 +0200 Subject: [PATCH] Import Packages.props so PackageVersion_* pins actually apply src/Packages.props defines the central PackageVersion_* properties but was never imported by any build file. As a result every resolved to an empty version, so NuGet selected the oldest version on the feed (e.g. Newtonsoft.Json 3.5.8, Azure.Identity 1.0.0, System.Formats.Asn1 5.0.0). These surface as security vulnerabilities in the solution and, via the nuspec $PackageVersion_*$ tokens, as missing dependency lower bounds in the published packages. Importing Packages.props from src/Directory.Build.props makes the intended (non-vulnerable) pinned versions take effect. Restore no longer reports any NU1903/NU1902 (vulnerable) or NU1604/NU1602 (no lower bound) warnings; only the expected internal-feed NU1102 for Microsoft.Xrm.Sdk remains. Also bumps global.json SDK 6.0.406 -> 8.0.100 (rollForward latestFeature) so the net8.0 targets restore on a supported SDK. Co-Authored-By: Claude Opus 4.7 --- global.json | 2 +- src/Directory.Build.props | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/global.json b/global.json index a4cba75..789bff3 100644 --- a/global.json +++ b/global.json @@ -1,6 +1,6 @@ { "sdk": { - "version": "6.0.406", + "version": "8.0.100", "rollForward": "latestFeature", "allowPrerelease": false } diff --git a/src/Directory.Build.props b/src/Directory.Build.props index d370899..1e710fa 100644 --- a/src/Directory.Build.props +++ b/src/Directory.Build.props @@ -2,6 +2,12 @@ + + + $(MSBuildAllProjects);$(MSBuildThisFileFullPath)
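Review bot: In the global.json hunk, the SDK bump from 6.0.406 to 8.0.100 is a separate change from the Packages.props import and would be better as its own commit, so that either change can be reverted without the other. With "rollForward": "latestFeature" the resolver stays within 8.0.x, so any build agent or contributor machine that only has a 6.0 SDK installed will stop resolving an SDK after this change. Please confirm the CI images carry an 8.0 SDK before merging, and consider whether the floor should be a later 8.0 patch than 8.0.100.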
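Review bot: In the src/Directory.Build.props hunk, nothing stops the same failure from coming back silently: if the import is later moved or a new PackageVersion_* property is left undefined, restore will again fall back to the lowest version on the feed and only emit a warning. Since the commit message already names the relevant codes, promote them to errors next to the import, for example `<WarningsAsErrors>$(WarningsAsErrors);NU1604;NU1602</WarningsAsErrors>`, and decide whether NU1902/NU1903 should fail the build as well. The added lines are not legible in this rendering. If the Import is not already written this way, anchor its path on `$(MSBuildThisFileDirectory)` and leave off any `Exists(...)` condition, so that a missing Packages.props fails the build instead of quietly producing empty versions.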