ImageMagick has broken the UE5.6 build (again)

As of last night our nightly builds failed with this error:

error NU1902: Warning As Error: Package ‘Magick.NET-Q16-HDRI-AnyCPU’ 14.8.1 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-9pp9-cfwx-54rm

Obviously we can patch to an updated version of ImageMagick, but I would like to stop these errors for good. Is there any way we can do that?

In a previous post, Martin Sevigny pointed towards a commit on ue5-main which apparently disables the NuGet validation: [Content removed] Unfortunately we can’t really cherry-pick this back into 5.6, because it’s just a change to Commit.gitdeps.xml which is full of opaque hashes, and on top of a ton of other changes on the ue5-main branch since 5.6. There’s no way to reasonably validate that we’ve merged this file correctly into 5.6, or what impact it’s had.

Is there a way we can make the equivalent change on a 5.6 branch ourselves, to turn off this validation? I have to admit I know next to nothing about NuGet.

Steps to Reproduce
Try to build UE5.6, see the following error:

error NU1902: Warning As Error: Package ‘Magick.NET-Q16-HDRI-AnyCPU’ 14.8.1 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-9pp9-cfwx-54rm

Hi,

We fixed it ‘again’ in UE5/Main. Feel free to integrate CL 47492463 (https://github.com/EpicGames/UnrealEngine/commit/f3c0b6508a9e1bfc233712fc10736c3698c69a24) or just update the Magick version number in the 3 files.

Regards,

Patrick

Hi,

Sorry, when I read the first part about the error, I went to check if we fixed it and I didn’t read the second part. In the post, Martin provided the Perforce CL: 45240840. Your company has P4 access, so you can check P4 instead of GitHub, but the change in the CL is trivial. It is just the file/line below. This disables the error for the Development target only, so if you want it disabled for other configs, you will need to change the code below. Here is the change if you personally don’t have P4 installed to check:

Engine\Source\Programs\Shared\UnrealEngine.csproj.props

  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Development|AnyCPU' ">
    <NuGetAudit>false</NuGetAudit>
  </PropertyGroup>

Here is the diff to find where to put the code above:

[Image Removed]

Regards,

Patrick
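
An alternative to the snippet above, as an added example that is not part of the original thread or Epic's change: it leaves NuGet's vulnerability audit running and only stops the NU190x advisory warnings from being promoted to errors, so a new advisory shows up in the build log without failing the build. It assumes the failure comes from warnings being treated as errors (as the "Warning As Error" text in the message suggests) and that the group is merged into the same props file; leaving the PropertyGroup unconditioned, so that it covers every configuration, is a choice made for this example.

```xml
<!-- Added example, not Epic's change.
     Assumed location: inside the existing <Project> element of
     Engine\Source\Programs\Shared\UnrealEngine.csproj.props -->

<!-- The change from the thread, for comparison: audit switched off,
     Development configuration only. No advisory is reported at all.
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Development|AnyCPU' ">
  <NuGetAudit>false</NuGetAudit>
</PropertyGroup>
-->

<!-- Alternative: audit stays on for every configuration, but its findings
     remain warnings instead of build-breaking errors. -->
<PropertyGroup>
  <!-- Keep the restore-time vulnerability audit enabled. -->
  <NuGetAudit>true</NuGetAudit>

  <!-- NU1901 = low, NU1902 = moderate, NU1903 = high, NU1904 = critical.
       Listing them here exempts them from warnings-as-errors while still
       printing them in the restore/build output. Existing entries are
       preserved by prepending $(WarningsNotAsErrors). -->
  <WarningsNotAsErrors>$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>
</PropertyGroup>
```

To keep high and critical advisories failing the build while letting lower ones through, list only NU1901 and NU1902 in `WarningsNotAsErrors`.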

We can patch the files with the ImageMagick dependency fine (and we already have), but this means it’s going to keep breaking every single time someone finds another security hole in that library. We really need a proper fix that won’t treat that warning as an error and fail out the entire build, or we’re going to keep getting these unpredictable build breakages. If we can’t go back and build historic branches, or if the build is going to break without warning the night before a critical milestone, that’s not really a long term fix.

The post I linked referred to a real fix:

“We have turned off the validation of NuGet package in the Main stream so things don’t break anymore.”

I’d just like some help in getting the same change applied onto 5.6, so we can stop worrying about this in future.

Brilliant, thanks! The linked GitHub commit only showed the change to Commit.gitdeps.xml, not the csproj change, so that’s exactly what we need. The help is appreciated :)