Fix Component Governance warnings

[davidfowl]

Description

AzDO pipeline 1602 was still reporting Component Governance and CFS warnings after the previous cleanup because a few build inputs were still pinned to flagged versions or resolving vulnerable transitives from upstream dependency metadata.

This change updates those inputs without adding new direct dependencies:

• Bumps the repo-local .NET SDK/toolset from 10.0.201 to 10.0.300 so CG no longer reports the older SDK/runtime component.
• Removes unused Swashbuckle from the JavaScript playground project, which removes the associated SwaggerUI component alert. The project does not call Swashbuckle APIs such as AddSwaggerGen, UseSwagger, UseSwaggerUI, or WithOpenApi; it only retains the template Swagger comment and the existing Microsoft.AspNetCore.OpenApi reference.
• Pins the MongoDB.Driver compression transitives (SharpCompress and Snappier) through NuGet Central Package Management transitive pinning, with comments explaining why they are present.
• Updates the Java playground dependency management to use the Netty BOM and Azure-compatible Reactor Netty 1.2 line, removes the stale Nimbus override, and removes explicit Maven Central repository declarations so CI relies on the configured feed/mirror policy.

Validation:

• restore.cmd
• build.cmd /p:SkipNativeBuild=true
• dotnet build playground\AspireWithJavaScript\AspireJavaScript.MinimalApi\AspireJavaScript.MinimalApi.csproj --no-restore /p:SkipNativeBuild=true
• dotnet list Aspire.slnx package --include-transitive confirmed SharpCompress 1.0.0 and Snappier 1.3.1 resolve.

Fixes # (issue)

Checklist

• Is this feature complete?
  • Yes. Ready to ship.
  • No. Follow-up changes expected.
• Are you including unit tests for the changes and scenario tests if relevant?
  • Yes
  • No
• Did you add public API?
  • Yes
    • If yes, did you have an API Review for it?
      • Yes
      • No
    • Did you add <remarks /> and <code /> elements on your triple slash comments?
      • Yes
      • No
  • No
• Does the change make any security assumptions or guarantees?
  • Yes
    • If yes, have you done a threat model and had a security review?
      • Yes
      • No
  • No

[github-actions]

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 17190

Or

• Run remotely in PowerShell:

iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 17190"

[Copilot]

Pull request overview

Addresses Component Governance alerts by bumping the local .NET SDK, removing an unused NuGet from a JavaScript playground project, adding central transitive pins for MongoDB.Driver's compression dependencies, and modernizing the Java playground POM (Netty BOM, Reactor Netty 1.2, dropped explicit Maven Central repos).

Changes:

• Bump local SDK + bundled dotnet tools to 10.0.300 in global.json.
• Add transitive CG pins (SharpCompress, Snappier) and drop the unused Swashbuckle.AspNetCore entry in Directory.Packages.props; remove the PackageReference from AspireJavaScript.MinimalApi.csproj.
• In the Java playground POM: import netty-bom, move pinned versions to properties, upgrade Reactor Netty to 1.2.17, and remove explicit <repositories>/<pluginRepositories> blocks so CI uses the configured mirror policy.

Show a summary per file

File	Description
global.json	Updates SDK and bundled dotnet tool versions to 10.0.300.
Directory.Packages.props	Removes Swashbuckle.AspNetCore; adds transitive CG pins for SharpCompress and Snappier.
playground/AspireWithJavaScript/AspireJavaScript.MinimalApi/AspireJavaScript.MinimalApi.csproj	Drops the now-unused Swashbuckle.AspNetCore reference.
playground/PostgresEndToEnd/PostgresEndToEnd.JavaService/pom.xml	Switches to Netty BOM, bumps Reactor Netty to 1.2.17, removes explicit Maven Central repo declarations.

Copilot's findings

• Files reviewed: 4/4 changed files
• Comments generated: 0

[github-actions]

❓ CLI E2E Tests unknown — 86 passed, 0 failed, 1 unknown (commit 8a51b61)

View all recordings

Status	Test	Recording
✅	AddPackageInteractiveWhileAppHostRunningDetached	✅ ▶️ View recording
✅	AddPackageWhileAppHostRunningDetached	✅ ▶️ View recording
✅	AgentCommands_AllHelpOutputs_AreCorrect	✅ ▶️ View recording
✅	AgentInitCommand_DefaultSelection_InstallsSkillOnly	✅ ▶️ View recording
✅	AgentInitCommand_MigratesDeprecatedConfig	✅ ▶️ View recording
✅	AspireAddPackageVersionToDirectoryPackagesProps	✅ ▶️ View recording
✅	AspireInitSingleFileAppHostRunsViaDotnetRunAppHost	✅ ▶️ View recording
✅	AspireInitWithExistingAppHostDirRecreatesMissingNuGetConfigAndPreservesFiles	✅ ▶️ View recording
❔	AspireInitWithSolutionFileGeneratesAppHostThatBuildsAgainstChannelHive	❔ ▶️ View recording
✅	AspireUpdateRemovesAppHostPackageVersionFromDirectoryPackagesProps	✅ ▶️ View recording
✅	AspireUpdateRemovesOrphanAppHostPackageVersionWhenSdkAlreadyCurrent	✅ ▶️ View recording
✅	Banner_DisplayedOnFirstRun	✅ ▶️ View recording
✅	Banner_DisplayedWithExplicitFlag	✅ ▶️ View recording
✅	Banner_NotDisplayedWithNoLogoFlag	✅ ▶️ View recording
✅	CertificatesClean_RemovesCertificates	✅ ▶️ View recording
✅	CertificatesTrust_WithNoCert_CreatesAndTrustsCertificate	✅ ▶️ View recording
✅	CertificatesTrust_WithUntrustedCert_TrustsCertificate	✅ ▶️ View recording
✅	ConfigSetGet_CreatesNestedJsonFormat	✅ ▶️ View recording
✅	CreateAndRunAspireStarterProject	✅ ▶️ View recording
✅	CreateAndRunAspireStarterProjectWithBundle	✅ ▶️ View recording
✅	CreateAndRunEmptyAppHostProject	✅ ▶️ View recording
✅	CreateAndRunJavaEmptyAppHostProject	✅ ▶️ View recording
✅	CreateAndRunJsReactProject	✅ ▶️ View recording
✅	CreateAndRunPythonReactProject	✅ ▶️ View recording
✅	CreateAndRunTypeScriptEmptyAppHostProject	✅ ▶️ View recording
✅	CreateAndRunTypeScriptStarterProject	✅ ▶️ View recording
✅	CreateJavaAppHostWithViteApp	✅ ▶️ View recording
✅	CreateTypeScriptAppHostWithViteApp_UsesConfiguredToolchain	✅ ▶️ View recording
✅	DashboardRunWithOtelTracesReturnsNoTraces	✅ ▶️ View recording
✅	DeployK8sBasicApiService	✅ ▶️ View recording
✅	DeployK8sWithExternalHelmChart	✅ ▶️ View recording
✅	DeployK8sWithGarnet	✅ ▶️ View recording
✅	DeployK8sWithMongoDB	✅ ▶️ View recording
✅	DeployK8sWithMySql	✅ ▶️ View recording
✅	DeployK8sWithPostgres	✅ ▶️ View recording
✅	DeployK8sWithRabbitMQ	✅ ▶️ View recording
✅	DeployK8sWithRedis	✅ ▶️ View recording
✅	DeployK8sWithSqlServer	✅ ▶️ View recording
✅	DeployK8sWithValkey	✅ ▶️ View recording
✅	DeployTypeScriptAppToKubernetes	✅ ▶️ View recording
✅	DescribeCommandResolvesReplicaNames	✅ ▶️ View recording
✅	DescribeCommandShowsRunningResources	✅ ▶️ View recording
✅	DetachFormatJsonProducesValidJson	✅ ▶️ View recording
✅	DetachFormatJsonProducesValidJsonWhenRestartingExistingInstance	✅ ▶️ View recording
✅	DoListStepsShowsPipelineSteps	✅ ▶️ View recording
✅	DocsCommand_RendersInteractiveMarkdownFromLocalSource	✅ ▶️ View recording
✅	DoctorCommand_DetectsDeprecatedAgentConfig	✅ ▶️ View recording
✅	DoctorCommand_TypeScriptAppHostReportsMissingConfiguredToolchain	✅ ▶️ View recording
✅	DoctorCommand_WithSslCertDir_ShowsTrusted	✅ ▶️ View recording
✅	DoctorCommand_WithoutSslCertDir_ShowsPartiallyTrusted	✅ ▶️ View recording
✅	GlobalMigration_HandlesCommentsAndTrailingCommas	✅ ▶️ View recording
✅	GlobalMigration_HandlesMalformedLegacyJson	✅ ▶️ View recording
✅	GlobalMigration_PreservesAllValueTypes	✅ ▶️ View recording
✅	GlobalMigration_SkipsWhenNewConfigExists	✅ ▶️ View recording
✅	GlobalSettings_MigratedFromLegacyFormat	✅ ▶️ View recording
✅	InitTypeScriptAppHost_AugmentsExistingViteRepoAtRoot	✅ ▶️ View recording
✅	InteractiveCSharpInitCreatesExpectedFiles	✅ ▶️ View recording
✅	InvalidAppHostPathWithComments_IsHealedOnRun	✅ ▶️ View recording
✅	LatestCliCanStartStableChannelAppHost	✅ ▶️ View recording
✅	LatestCliCanStartStableChannelTypeScriptAppHost	✅ ▶️ View recording
✅	LegacySettingsMigration_AdjustsRelativeAppHostPath	✅ ▶️ View recording
✅	LogLevelTrace_ProducesTraceEntriesInCliLogFile	✅ ▶️ View recording
✅	LogsCommandShowsResourceLogs	✅ ▶️ View recording
✅	OtelLogsReturnsStructuredLogsFromStarterApp	✅ ▶️ View recording
✅	OtelLogsReturnsStructuredLogsFromStarterAppIsolated	✅ ▶️ View recording
✅	PsCommandListsRunningAppHost	✅ ▶️ View recording
✅	PsFormatJsonOutputsOnlyJsonToStdout	✅ ▶️ View recording
✅	PublishWithConfigureEnvFileUpdatesEnvOutput	✅ ▶️ View recording
✅	PublishWithDockerComposeServiceCallbackSucceeds	✅ ▶️ View recording
✅	PublishWithoutOutputPathUsesAppHostDirectoryDefault	✅ ▶️ View recording
✅	ResourceCommand_FailedExecution_DisplaysAppHostLogPathAndLogContainsEntries	✅ ▶️ View recording
✅	ResourceCommand_FailsWhenInteractionServiceIsRequired	✅ ▶️ View recording
✅	ResourceCommand_SetAndDeleteParameterUpdatesDescribeOutput	✅ ▶️ View recording
✅	RestoreGeneratesSdkFiles	✅ ▶️ View recording
✅	RestoreGeneratesSdkFiles_WithConfiguredToolchain	✅ ▶️ View recording
✅	RestoreRefreshesGeneratedSdkAfterAddingIntegration	✅ ▶️ View recording
✅	RestoreSupportsConfigOnlyHelperPackageAndCrossPackageTypes	✅ ▶️ View recording
✅	RunFromParentDirectory_UsesExistingConfigNearAppHost	✅ ▶️ View recording
✅	SecretCrudOnDotNetAppHost	✅ ▶️ View recording
✅	SecretCrudOnTypeScriptAppHost	✅ ▶️ View recording
✅	StagingChannel_ConfigureAndVerifySettings_ThenSwitchChannels	✅ ▶️ View recording
✅	StartAndWaitForTypeScriptSqlServerAppHostWithNativeAssets	✅ ▶️ View recording
✅	StopAllAppHostsFromAppHostDirectory	✅ ▶️ View recording
✅	StopNonInteractiveSingleAppHost	✅ ▶️ View recording
✅	StopWithNoRunningAppHostExitsSuccessfully	✅ ▶️ View recording
✅	UnAwaitedChainsCompileWithAutoResolvePromises	✅ ▶️ View recording
✅	UpdateProjectChannelToStable_TypeScript_PicksUpStablePackages	✅ ▶️ View recording

---

_{📹 Recordings uploaded automatically from CI run #25994596730}

[aspire-repo-bot]

✅ No documentation update needed.

docs_required → already documented by name (both triggered signals are false positives; no user-facing surface was introduced)

Triggered signals (2): pr_body_has_cli_flag_mention, pr_body_has_security_marker

Signal analysis:

• pr_body_has_cli_flag_mention — evidence hint: `/p:SkipNativeBuild=true` (from the PR's validation steps section). This is an MSBuild build property used in a dotnet build command, not a new user-facing CLI option flag (e.g., --search, --output). The PR introduces no new user-facing CLI flags. There is no identifier to search for or document in microsoft/aspire.dev.

• pr_body_has_security_marker — evidence hint: "vulnerable transitives from upstream dependency metadata". This refers to internal Component Governance (CG) compliance — the AzDO pipeline's automated scan for flagged transitive dependency versions. No CVE, GHSA, or user-facing security advisory was issued. The fix (pinning SharpCompress 1.0.0, Snappier 1.3.1, bumping SDK to 10.0.300, updating Java Netty BOM) is purely internal build maintenance. There is no security advisory to document.

Supporting evidence: Advisory signal only_test_or_build_changes = true — all 4 changed files are in playground/ (playground/AspireWithJavaScript/AspireJavaScript.MinimalApi/AspireJavaScript.MinimalApi.csproj, playground/PostgresEndToEnd/PostgresEndToEnd.JavaService/pom.xml) and top-level build config (Directory.Packages.props, global.json). No src/ files were modified.