dotnet: force evaluation of sdk nuget packages

This causes evaluation of the nuget packages to fail when the SDK is
insecure, without requiring the individual packages to be permitted.

pkgs/development/compilers/dotnet/build-dotnet.nix

@@ -98,7 +98,7 @@ let
 
 in
 mkWrapper type (
-  stdenv.mkDerivation rec {
+  stdenv.mkDerivation (finalAttrs: {
     inherit pname version;
 
     # Some of these dependencies are `dlopen()`ed.
@@ -194,19 +194,29 @@ mkWrapper type (
       {
         inherit icu hasILCompiler;
       }
-      // lib.optionalAttrs (type == "sdk") {
-        packages = commonPackages ++ hostPackages.${hostRid} ++ targetPackages.${targetRid};
-        inherit targetPackages runtime aspnetcore;
-
-        updateScript =
-          let
-            majorVersion = lib.concatStringsSep "." (lib.take 2 (lib.splitVersion version));
-          in
-          [
-            ./update.sh
-            majorVersion
-          ];
-      };
+      // lib.optionalAttrs (type == "sdk") (
+        let
+          # force evaluation of the SDK package to ensure evaluation failures
+          # (e.g. due to vulnerabilities) propagate to the nuget packages
+          forceSDKEval = builtins.seq finalAttrs.finalPackage.drvPath;
+        in
+        {
+          packages = map forceSDKEval (
+            commonPackages ++ hostPackages.${hostRid} ++ targetPackages.${targetRid}
+          );
+          targetPackages = lib.mapAttrs (_: v: map forceSDKEval v) targetPackages;
+          inherit runtime aspnetcore;
+
+          updateScript =
+            let
+              majorVersion = lib.concatStringsSep "." (lib.take 2 (lib.splitVersion version));
+            in
+            [
+              ./update.sh
+              majorVersion
+            ];
+        }
+      );
 
     meta = with lib; {
       description = builtins.getAttr type descriptions;
@@ -239,5 +249,5 @@ mkWrapper type (
             "Dotnet SDK ${version} is EOL, please use 8.0 (LTS) or 9.0 (Current)"
           ];
     };
-  }
+  })
 )