SBRP currently defines NuGet.Packaging.6.6.1 and NuGet.Packaging.6.7.0, both of which are defined as vulnerable versions: GHSA-68w7-72jg-6qpp. This triggers component governance alerts on this repo. These should be updated to the next non-vulnerable patch version.