NuGet 6.8 Release Notes (original) (raw)

NuGet distribution vehicles:

1 Installed with Visual Studio 2022 with any .NET workload

Summary: What's New in 6.8.1

• [Security]: Microsoft Security Advisory CVE-2024-0057 | NuGet Client Security Feature bypass Vulnerability - #12653

Summary: What's New in 6.8

• NuGetAudit - notifications for package vulnerabilities
  • Warn when vulnerabilities are detected during PackageReference restore - #12289
  • Show vulnerabilities in transitive packages for PackageReference type projects in PMUI - #8756
  • Show an infobar in Solution Explorer for any detected security vulnerabilities in a project or solution - #12398
• Add allowInsecureConnections property for package sources in NuGet.config, allowing opt-out of "HTTPs everywhere" warnings - #12786
• Create Package Source Mappings during Installation/update through PM UI - #11366
• Conditional package updating is respected in Visual Studio #5420
• Add protocolVersion argument to nuget source add - #9170
• Signed package verification is enabled by default on Linux in .NET 8 SDK - #11262

Known issues

• NuGetAuditMode doesn't work for SDK style projects in VS 17.8 - #13003

NuGet SDK breaking changes

The following is a list of breaking changes in the NuGet SDK. If you are using NuGet tooling, such as Visual Studio or .NET SDK, you are not affected.

• Remove the NuGetOperationType from NuGet.PackageManagement, use NuGetProjectActionType instead - #12866
• Changing PackageVulnerabilityInfo severity from int to enum - #12781
• Add nullable annotations to NuGet.Common - #12775
• Obsolete Clone methods on immutable types - #12669

Issues fixed in this release

• NuGetAudit should not warn when no vulnerability data is available - #12875
• NuGetAudit: read vulnerability files with System.Text.Json - #12855
• PackageSourceMapping API doesn't follow best practices for returning lists - #12794
• Signing: enable X509Chain.Build(...) retry behavior by default - #12592
• NuGetAudit should check direct PackageReferences by default - #12590
• NuGetAudit should be on by default with the .NET 8 SDK - #12568
• Remove "Checking compatibility..." log messages from RestoreTask - #10383
• 16.10: remove package source 1.0 service. remove obsolete APIs (in nuget.configuration that we added in 16.8) - #10015
• Add more logging to NuGetSdkResolver - #11445
• Upgrade Newtonsoft.Json reference to 13.0.3 - #12858
• Add an API for checking vulnerability during packages.config restore - #12852
• VS Options add/remove package source icons aren't using VS2022 styling - #12840
• Package Source Mapping utility always appends package ID - #12839
• NuGetSdkResolver loads global.json multiple times during project load - #12819
• dotnet list package doesn't list requested versions when using CPM - #12765
• Fix case sensitivity of runtime dependency sets during merge - #12757
• dotnet list package errors with Object reference not set to an instance of an object - #12755
• Improve hashing and equality allocations/performance - #12746
• NuGetAudit severity bugs - #12743
• Lock contention thread pool issues caused by LoadSettings not passing settingsLoadingContext to LoadSettingsForSpecificConfigs - #12737
• NuGetAuditMode all warns about package versions that were upgraded (rejected) - #12730
• An error “unable to find metadata of PackageName.1.0.0” occurs when installing package with “packages.config” format - #12723
• WalkTreeRejectNodesOfRejectedNodes constantly triggering resizes of its tracker collection - #12719
• Reduce RuntimeGraph allocations as it's immutable - #12717
• Heavy allocations in NuGet.Commands.RestoreRunner.ExecuteAndCommitAsync|nuget.packaging.dll!NuGet.RuntimeModel.RuntimeDescription - #12714
• Heavy allocations in NuGet.Commands.RestoreRunner.ExecuteAndCommitAsync|nuget.versioning.dll!NuGet.Versioning.VersionFormatter.Format - #12707
• Remove allocations from PackageSource.Source setter - #12692
• ContentItemCollection.FindBestItemGroup boxing enumerator - #12689
• FrameworkNameProvider.GetVersionString boxing enumerator - #12685
• NuGet.Client allocates many instances of comparers - #12680
• GetContentFileFolderRelativeToFramework allocates too much - #12668
• Deprecated info will flash for less than one second in the right penal when clicking package “Microsoft.Net.Http” with a non-deprecated version in the package list - #12661
• CreateGraphNode has a high number of allocations - #12641
• The vulnerable label doesn’t show in the “version” dropdown box of “Browse” tab when searching for vulnerable packages - #12623
• NuGet.Commands.LockFileBuilder KeyNotFoundException Exception - #12464
• A PackageDownload without a version causes a NullReferenceException - #12212
• [Bug]: View License dialog does not display license content - #12060
• [Bug Bash] Only the embedded license content of the latest version can be loaded correctly in PM UI when there are multiple versions in the same package from local feeds - #10670

List of commits in this release

Thank you to all the contributors who helped make this NuGet release awesome!

• drewnoakes
  • 5311 Null annotate PackageDependencyInfo
  • 5310 Reduce size of LockFileTargetLibrary
  • 5304 Improve hashing and equality allocations/performance
  • 5267 Reduce allocations in NuGet.DependencyResolver.Tracker
  • 5232 Reduce allocations in RuntimeGraph
  • 5279 Reduce allocations in VersionRangeFormatter
  • 5248 Reduce allocations in RuntimeDescription and RuntimeDependencySet
  • 5269 Don't box enumerators in ContentItemCollection
  • 5250 Don't allocate temporaries in FrameworkNameProvider.GetVersionString
  • 5271 Remove allocations from PackageSource.Source setter
• MichaelSimons
  • 5418 Fix source-build CI regression
  • 5414 Remove unnecessary source-build patch
• mthalman
  • 5385 Update Newtonsoft.Json from 13.0.1 to 13.0.3
• timheuer
  • 5375 Update VS Options add/remove package source icons to VS2022 styling
• dotnokato
  • 5002 CLI: Add -protocolVersion option to nuget sources add/update commands
• oleksandr-didyk
  • 5352 allow empty sb intermediate
• drolevar
  • 5346 Add .vdproj to the exclusion list
• Greybird
  • 5335 Remove projects from list package output
• NikolaMilosavljevic
  • 5322 Fix incorrect package version property for System.Security.Cryptograp…
• vishavpandhi
  • 5283 [DartLab B2B feature] dropname for base VS should be retrieved using the baseline.
• v-chayan
  • 5278 Remove redundant SourceBuildTrimNetFrameworkTargets property
• marcin-krystianc
  • 5293 DetectAndMarkAmbiguousCentralTransitiveDependencies should be exhaustive and deterministic
• Erarndt
  • 5218 Reduce some allocations in CreateGraphNode.