BenchmarkDotNet
workaround known high severity vulnerabilities
I've tried to build and run our samples today and got the following errors:

```text
PS D:\projects\BenchmarkDotNet\samples\BenchmarkDotNet.Samples> dotnet run -c Release -f net8.0 --filter *Counters* --list flat
C:\Program Files\dotnet\sdk\9.0.100-preview.7.24402.8\Sdks\Microsoft.NET.Sdk\targets\Microsoft.NET.TargetFrameworkInference.targets(187,5): warning NETSDK1215: Targeting .NET Standard prior to 2.0 is no longer recommended. See https://aka.ms/dotnet/dotnet-standard-guidance for more details.
D:\projects\BenchmarkDotNet\src\BenchmarkDotNet.Annotations\BenchmarkDotNet.Annotations.csproj : error NU1903: Warning As Error: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj
D:\projects\BenchmarkDotNet\samples\BenchmarkDotNet.Samples\BenchmarkDotNet.Samples.csproj : error NU1903: Warning As Error: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
D:\projects\BenchmarkDotNet\samples\BenchmarkDotNet.Samples\BenchmarkDotNet.Samples.csproj : error NU1903: Warning As Error: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj
D:\projects\BenchmarkDotNet\src\BenchmarkDotNet.Diagnostics.dotMemory\BenchmarkDotNet.Diagnostics.dotMemory.csproj : error NU1903: Warning As Error: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
D:\projects\BenchmarkDotNet\src\BenchmarkDotNet.Diagnostics.dotTrace\BenchmarkDotNet.Diagnostics.dotTrace.csproj : error NU1903: Warning As Error: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
D:\projects\BenchmarkDotNet\src\BenchmarkDotNet.Diagnostics.dotMemory\BenchmarkDotNet.Diagnostics.dotMemory.csproj : error NU1903: Warning As Error: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj
D:\projects\BenchmarkDotNet\src\BenchmarkDotNet.Diagnostics.dotTrace\BenchmarkDotNet.Diagnostics.dotTrace.csproj : error NU1903: Warning As Error: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj
```
My first thought was that the fix would be straightforward: just update `System.Text.RegularExpressions` and `System.Net.Http` to the most recent versions. I quickly realized that these are transitive dependencies.

In the case of BenchmarkDotNet.Annotations, this project targets `netstandard1.0` (it's just a project with attributes, almost no logic at all, and we wanted to target the lowest TFM possible). This gives us a dependency on https://www.nuget.org/packages/NETStandard.Library/1.6.1. Can we just update it? No, because it has not been updated since 2018. The following warning suggests that it's on purpose:

```text
warning NETSDK1215: Targeting .NET Standard prior to 2.0 is no longer recommended.
```
I could just remove the netstandard1.0 TFM from BenchmarkDotNet.Annotations, but BenchmarkDotNet.Diagnostics.dotTrace and BenchmarkDotNet.Diagnostics.dotMemory both depend on https://www.nuget.org/packages/JetBrains.Profiler.SelfApi/, which depends on https://www.nuget.org/packages/JetBrains.HabitatDetector/ which depends on https://www.nuget.org/packages/JetBrains.FormatRipper/ which has the same dependency:
As a quick workaround I've decided to just add a dependency on these two packages (`System.Text.RegularExpressions` and `System.Net.Http`) to BenchmarkDotNet.Annotations, which all BDN packages depend on.

The alternatives I've considered:

- Open an issue and send a PR to https://www.nuget.org/packages/JetBrains.FormatRipper/ to add explicit dependencies on `System.Text.RegularExpressions` and `System.Net.Http`.
- Open an issue and send a PR to https://www.nuget.org/packages/JetBrains.Profiler.SelfApi/ to change the supported monikers from `net46` to `net462` (this would pick up the `netstandard2.0` dependency of `JetBrains.HabitatDetector` and solve the problem). But this would be a breaking change (cc @AndreyAkinshin).
cc @ericstj
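The workaround described in the PR, written out as an illustrative project fragment. This is an added example and not the PR's actual diff; the project file name and the `PackageReference` layout are assumptions. It relies on NuGet's nearest-wins rule: a direct `PackageReference` in a project that every other package depends on overrides the `4.3.0` versions that `NETStandard.Library` 1.6.1 and `JetBrains.FormatRipper` pull in transitively. The versions `4.3.4` and `4.3.1` are the patched releases named in the two advisories quoted in the build output (GHSA-7jgj-8wvc-jh57 and GHSA-cmhx-cq75-c4mj); verify them against the advisory pages before copying.

```xml
<!-- Illustrative BenchmarkDotNet.Annotations.csproj (assumed layout, not the repo's real file). -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Lowest TFM kept on purpose; NETStandard.Library 1.6.1 is what drags in
         System.Net.Http 4.3.0 and System.Text.RegularExpressions 4.3.0 transitively. -->
    <TargetFrameworks>netstandard1.0;netstandard2.0</TargetFrameworks>
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
    <!-- Audit transitive packages too, not only direct ones, so the transitive
         4.3.0 versions keep surfacing as NU1903 if the pins below are ever removed. -->
    <NuGetAuditMode>all</NuGetAuditMode>
  </PropertyGroup>

  <ItemGroup>
    <!-- Workaround: direct references win over the transitive 4.3.0 versions.
         Because every BDN package references Annotations, the fixed versions flow
         to the dotTrace/dotMemory diagnosers and to consumers as well. -->
    <PackageReference Include="System.Net.Http" Version="4.3.4" />
    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
  </ItemGroup>

</Project>
```

To confirm the override took effect, run `dotnet list package --vulnerable --include-transitive` from the solution directory after a restore; the two packages should no longer be listed. The caveat is that this pins the fix in a package whose only job is to carry attributes, so the pins have to be kept in sync by hand if the advisories are ever updated, and they do not fix the root cause in `JetBrains.FormatRipper`.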