[release/9.0.2xx] Update dependencies from nuget/nuget.client

[dotnet-maestro]

This pull request updates the following dependencies

From https://github.com/nuget/nuget.client

• Subscription: a8a96eea-7948-4ef9-bb5a-debaa65eb629
• Build: 6.13.0.100
• Date Produced: December 18, 2024 10:40:37 AM UTC
• Commit: 8791d42fb1e7582f9a0b92d1708133c3b138732a
• Branch: dev

• Updates:
  • Microsoft.Build.NuGetSdkResolver: from 6.13.0-rc.98 to 6.13.0-rc.100
  • NuGet.Build.Tasks: from 6.13.0-rc.98 to 6.13.0-rc.100
  • NuGet.Build.Tasks.Console: from 6.13.0-rc.98 to 6.13.0-rc.100
  • NuGet.Build.Tasks.Pack: from 6.13.0-rc.98 to 6.13.0-rc.100
  • NuGet.CommandLine.XPlat: from 6.13.0-rc.98 to 6.13.0-rc.100
  • NuGet.Commands: from 6.13.0-rc.98 to 6.13.0-rc.100
  • NuGet.Common: from 6.13.0-rc.98 to 6.13.0-rc.100
  • NuGet.Configuration: from 6.13.0-rc.98 to 6.13.0-rc.100
  • NuGet.Credentials: from 6.13.0-rc.98 to 6.13.0-rc.100
  • NuGet.DependencyResolver.Core: from 6.13.0-rc.98 to 6.13.0-rc.100
  • NuGet.Frameworks: from 6.13.0-rc.98 to 6.13.0-rc.100
  • NuGet.LibraryModel: from 6.13.0-rc.98 to 6.13.0-rc.100
  • NuGet.Localization: from 6.13.0-rc.98 to 6.13.0-rc.100
  • NuGet.Packaging: from 6.13.0-rc.98 to 6.13.0-rc.100
  • NuGet.ProjectModel: from 6.13.0-rc.98 to 6.13.0-rc.100
  • NuGet.Protocol: from 6.13.0-rc.98 to 6.13.0-rc.100
  • NuGet.Versioning: from 6.13.0-rc.98 to 6.13.0-rc.100

[marcpopMSFT]

I'm a bit confused on this one. The helix image we claim to be using should have 17.12 on it but we're getting STJ errors:
C:\h\w\AE4A09C2\p\d\sdk\9.0.200-ci\Sdks\Microsoft.NET.Sdk\targets\Microsoft.PackageDependencyResolution.targets(266,5): error NETSDK1060: Error reading assets file: Error loading lock file 'C:\h\w\AE4A09C2\t\dotnetSdkTests\1wvmau3k.xca\Project_refer---586BCA64\Referencer\obj\project.assets.json' : Could not load file or assembly 'System.Text.Json, Version=8.0.0.5, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51' or one of its dependencies. The system cannot find the file specified. [C:\h\w\AE4A09C2\t\dotnetSdkTests\1wvmau3k.xca\Project_refer---586BCA64\Referencer\Referencer.csproj]

Helix image: windows.amd64.vs2022.pre report as 17.12-p4

@rainersigwald @nkolev92 I assume nuget updated their STJ version. I'm not sure I understand why it's failing though if 17.12 is used.

[nkolev92]

I would've expected this to work yeah.

@zivkan Can you please take a look?

[zivkan]

Both System.Text.Json 8.0.5 and VS 17.12 preview 4 came out in October, so there's a good chance that the VS preview did not include the fixed version. Looking at https://helix.dot.net/, I don't see evidence that the windows.amd64.vs2022.pre image explicitly installs the .NET SDK or runtime. I assume it gets the .NET runtime that VS ships.

According to dnceng's VS upgrade schedule, they rolled out 17.12 preview 4 on the 13th of November (the day that 17.12 GA was released 😕 ), and 17.13 preview 1 was supposed to be in the image since the 4th of December. But evidently that hasn't happened yet.

@marcpopMSFT is the sdk repo able to temporarily switch to the windows.amd64.vs2022.pre.scout image? it has 17.13 preview 1. Alternatively, the windows.vs2022.scount.amd64.open image has 17.12.0

The only other options I can think of are NuGet to revert again, and start getting CG alerts again, or nag dnceng to find out what's going on. The last "ask mode" date for 17.13 isn't far off, so if we revert there's a chance we'll ship a nuget.exe with a vulnerable version of system.text.json in it, which isn't a good outcome for anyone.

[marcpopMSFT]

Ahh, maybe it wasn't fixed in preview 4 yet. Let's try the scouting version of the helix image and see if it works.