Bump Microsoft.Build* from 17.11.4 to 17.14.28 (security)

[Copilot]

Microsoft.Build, Microsoft.Build.Framework, Microsoft.Build.Tasks.Core, and Microsoft.Build.Utilities.Core at 17.11.4 have two known high-severity CVEs: a DoS (GHSA-w3q9-fxm7-j8fq) and a spoofing vulnerability (GHSA-h4j7-5rxr-p4wc). These packages are only consumed by the FAKE build toolchain, not the library itself.

Changes

• paket.dependencies — bumps all four Microsoft.Build* packages in the Fake group from 17.11.4 → 17.14.28
• paket.lock — regenerated via dotnet paket update --group Fake to resolve the new transitive dependency graph

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Repo Assist] Microsoft.Build 17.11.4 has known high-severity security vulnerabilities — needs update</issue_title>
<issue_description>🤖 This is an automated issue from Repo Assist.

The Microsoft.Build, Microsoft.Build.Framework, Microsoft.Build.Tasks.Core, and Microsoft.Build.Utilities.Core packages pinned at 17.11.4 in the Fake group of paket.dependencies have known high-severity vulnerabilities:

• GHSA-w3q9-fxm7-j8fq — affects Microsoft.Build, Microsoft.Build.Tasks.Core, Microsoft.Build.Utilities.Core
• GHSA-h4j7-5rxr-p4wc — affects Microsoft.Build.Tasks.Core

These packages are only used by the FAKE build toolchain (build/build.fsproj), so the production library itself is not affected at runtime. However the build environment is exposed.

Recommended Fix

Update to Microsoft.Build 17.14.28 (latest 17.x). Note that 17.14.x targets .NETFramework rather than net8.0 on NuGet, so compatibility with FAKE on .NET 8 should be tested. Alternatively, consider whether FAKE 6.1.4 supports Microsoft.Build 17.14.x.

These packages were intentionally skipped in the recent dependency bump PR to allow maintainers to review the upgrade path.

Generated by Repo Assist

To install this workflow, run gh aw add githubnext/agentics/workflows/repo-assist.md@0d6e8cf9db90470cd5477c6a40b350fd9f9e1422. View source at https://github.com/githubnext/agentics/tree/0d6e8cf9db90470cd5477c6a40b350fd9f9e1422/workflows/repo-assist.md.

[!WARNING]

⚠️ Firewall blocked 3 domains

The following domains were blocked by the firewall during workflow execution:

• schemas.microsoft.com
• tomasp.net
• www.google.com

Comments on the Issue (you are @copilot in this section)

• Fixes [Repo Assist] Microsoft.Build 17.11.4 has known high-severity security vulnerabilities — needs update #1615

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.