Bump Microsoft.NETCore.App.Runtime to 10.0.8 (CVE-2026-32175)

[benhillis]

Summary of the Pull Request

Bumps Microsoft.NETCore.App.Runtime.win-x64 and Microsoft.NETCore.App.Runtime.win-arm64 from 10.0.6 to 10.0.8 to address CVE-2026-32175 (.NET Core Tampering Vulnerability, high severity).

PR Checklist

• Closes: Dependabot alerts .bashrc not used when bash.exe -c "echo $ENV" #24 and htop not working #25
• Communication: N/A (security patch)
• Tests: No code changes; existing tests cover the runtime
• Localization: No user-facing string changes
• Dev docs: N/A
• Documentation updated: N/A

Detailed Description of the Pull Request / Additional comments

Two open Dependabot alerts flagged the bundled .NET 10 runtime packages at 10.0.6 as vulnerable to CVE-2026-32175 (vulnerable range >= 10.0.0, <= 10.0.7; patched in 10.0.8). Both x64 and arm64 variants are updated in lockstep.

Verified 10.0.8 is published on nuget.org for both Microsoft.NETCore.App.Runtime.win-x64 and ...win-arm64. No other files in the repo reference the old version (packages.config is the only consumer; CMakeLists.txt resolves the package generically via find_nuget_package).

Validation Steps Performed

• git grep confirmed packages.config is the only place pinning these runtime versions.
• Confirmed 10.0.8 exists on nuget.org for both architectures.
• Full build will be exercised by CI.

[Copilot]

Pull request overview

Security patch bumping the bundled .NET 10 runtime packages from 10.0.6 to 10.0.8 to remediate CVE-2026-32175 (.NET Core tampering vulnerability) flagged by Dependabot alerts #24 and #25.

Changes:

• Bump Microsoft.NETCore.App.Runtime.win-arm64 to 10.0.8
• Bump Microsoft.NETCore.App.Runtime.win-x64 to 10.0.8

[benhillis]

/azp run wsl-github-pr

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).