[All] Pin transitive dependencies in Fable.Cli to avoid CVE warnings

[dbrattli]

Pin Microsoft.Build transitive dependencies for now to fix CVE-2025-55247 and avoid warnings, or should we instead do it in the Buildalyzer 8.0.0-fable-001? Not sure where that package comes from?

Fable/src/Fable.Cli/Fable.Cli.fsproj : warning NU1903: Package 'Microsoft.Build' 17.10.4 has a known high severity vulnerability, https://github.com/advisories/GHSA-w3q9-fxm7-j8fq
Fable/src/Fable.Cli/Fable.Cli.fsproj : warning NU1903: Package 'Microsoft.Build.Tasks.Core' 17.10.29 has a known high severity vulnerability, https://github.com/advisories/GHSA-w3q9-fxm7-j8fq
Fable/src/Fable.Cli/Fable.Cli.fsproj : warning NU1903: Package 'Microsoft.Build.Utilities.Core' 17.10.29 has a known high severity vulnerability, https://github.com/advisories/GHSA-w3q9-fxm7-j8fq
Fable/src/Fable.Cli/Fable.Cli.fsproj : warning NU1903: Package 'Microsoft.Build' 17.10.4 has a known high severity vulnerability, https://github.com/advisories/GHSA-w3q9-fxm7-j8fq
Fable/src/Fable.Cli/Fable.Cli.fsproj : warning NU1903: Package 'Microsoft.Build.Tasks.Core' 17.10.29 has a known high severity vulnerability, https://github.com/advisories/GHSA-w3q9-fxm7-j8fq
Fable/src/Fable.Cli/Fable.Cli.fsproj : warning NU1903: Package 'Microsoft.Build.Utilities.Core' 17.10.29 has a known high severity vulnerability, https://github.com/advisories/GHSA-w3q9-fxm7-j8fq

[ncave]

@dbrattli It's from the Buildalyzer, unfortunately their latest release 8.0.0 is still vulnerable.

[dbrattli]

Ok, but should we then just pin them for now?

[ncave]

@dbrattli Sure, perhaps we can do it as local package Buildalyzer 8.0.0-fable-002

[ncave]

@dbrattli I wonder if we can eventually drop Buildalyzer altogether as legacy. The less dependencies, the better.

[MangelMaxime]

If I remember correctly, in Fable 4 we decided to not fully commit to the new MSBuild cracker as it could have been unstable.

When crafting Fable 5, I decided to make the MSBuild Cracker the default, and inverted the flag to --legacyCracker in case some project had issues with the MSBuild cracker. At the time, it didn't seems like a big deal because Buildalyzer was working fine.

However, with .NET 10 Buildalyzer stopped working forcing me to make a local package as no release seemed to be happening anymore.

Since the beginning of Fable 5 and even before with Fable 4, I have been using the MSBuild cracker without issues. I think we can decide for the next release of Fable 5 to remove the Buildalyzer cracker.

If there are issues with MSBuild cracker we should fix them and have only 1 cracker to support.

I am aligned with @ncave here, what do you think @dbrattli ?

[dbrattli]

Sounds like a good idea. The less dependencies the better 😊

[MangelMaxime]

Replaced by #4321, in which I am removing BuildAlyzer cracker