Bump directly dotnet vulnerable packages (#2870)

* Bump directly dotnet vulnerable packages

* Use just single file sdk upgrade for vulnerable dependencies

* Save with UTF8-BOM

* Trim down sdk to only Sdk.csproj upgrade

---------

Co-authored-by: Ferenc Hammerl  <fhammerl@github.com>

src/Sdk/Sdk.csproj

@@ -22,6 +22,8 @@
         <PackageReference Include="System.Security.Cryptography.ProtectedData" Version="4.4.0" />
         <PackageReference Include="Minimatch" Version="2.0.0" />
         <PackageReference Include="YamlDotNet.Signed" Version="5.3.0" />
+        <PackageReference Include="System.Net.Http" Version="4.3.4" />
+        <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
     </ItemGroup>
 
     <ItemGroup>