diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md new file mode 100644 index 000000000..344d2e2ad --- /dev/null +++ b/.github/copilot-instructions.md @@ -0,0 +1,56 @@ +# .NET Documentation Guidelines + +## Disclosure + +For any Markdown files generated by AI, always disclose that they were created with the assistance of AI. Add the following frontmatter key/value pair: + +```markdown +ai-usage: ai-generated +``` + +## Terminology + +Unless otherwise specified, all .NET content refers to modern .NET (not .NET Framework). + +## Writing Style + +Follow [Microsoft Writing Style Guide](https://learn.microsoft.com/en-us/style-guide/welcome/) with these specifics: + +### Voice and Tone + +- Active voice, second person addressing reader directly. +- Conversational tone with contractions. +- Present tense for instructions/descriptions. +- Imperative mood for instructions ("Call the method" not "You should call the method"). +- Use "might" instead of "may" for possibility. +- Use "can" instead of "may" for permissible actions. +- Avoid "we"/"our" referring to documentation authors or product teams. + +### Structure and Format + +- Sentence case headings (no gerunds in titles). +- Be concise, break up long sentences. +- Oxford comma in lists. +- Use bullets for unordered lists. +- Number all ordered list items as "1." (not sequential numbering like "1.", "2.", "3.", etc.) +- Ordered and unordered lists should use complete sentences with proper punctuation, ending with a period if it's more than three words. +- Avoid "etc." or "and so on" - provide complete lists or use "for example". +- Use "for example" instead of "e.g.". +- Use "that is" instead of "i.e.". +- No consecutive headings without content between them. + +### Formatting Conventions + +- **Bold** for UI elements. +- `Code style` for file names, folders, custom types, non-localizable text. +- Raw URLs in angle brackets. +- Use relative links for files in this repo. +- Remove `https://learn.microsoft.com/en-us` from learn.microsoft.com links. + +## File Naming + +New Markdown files: lowercase with hyphens, omit filler words (the, a, etc.). + +## Special Cases + +- When you (Copilot) are assigned an issue in GitHub, after you've completed your work and the workflows (status checks) have run, check to make sure there are no build warnings under the OpenPublishing.Build status check. If there are, open the build report (under View Details) and resolve any build warnings you introduced. diff --git a/.github/stale.yml b/.github/stale.yml deleted file mode 100644 index f838ad04f..000000000 --- a/.github/stale.yml +++ /dev/null @@ -1,16 +0,0 @@ -# Number of days of inactivity before an issue becomes stale -daysUntilStale: 360 -# Number of days of inactivity before a stale issue is closed -daysUntilClose: 1 -# Issues with these labels will never be considered stale -exemptLabels: - - pinned - - security -# Label to use when marking an issue as stale -staleLabel: autoclose -# Comment to post when marking an issue as stale. Set to `false` to disable -markComment: false -# Comment to post when closing a stale issue. Set to `false` to disable -closeComment: > - This issue has been automatically marked as stale and closed because it has not had - recent activity. Thank you for your contributions. diff --git a/.openpublishing.build.ps1 b/.openpublishing.build.ps1 deleted file mode 100644 index aadef7620..000000000 --- a/.openpublishing.build.ps1 +++ /dev/null @@ -1,17 +0,0 @@ -param( - [string]$buildCorePowershellUrl = "https://opbuildstorageprod.blob.core.windows.net/opps1container/.openpublishing.buildcore.ps1", - [string]$parameters -) -# Main -$errorActionPreference = 'Stop' - -# Step-1: Download buildcore script to local -echo "download build core script to local with source url: $buildCorePowershellUrl" -$repositoryRoot = Split-Path -Parent $MyInvocation.MyCommand.Definition -$buildCorePowershellDestination = "$repositoryRoot\.openpublishing.buildcore.ps1" -Invoke-WebRequest $buildCorePowershellUrl -OutFile "$buildCorePowershellDestination" - -# Step-2: Run build core -echo "run build core script with parameters: $parameters" -& "$buildCorePowershellDestination" "$parameters" -exit $LASTEXITCODE diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index c78eb1b0b..be80d09e9 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -99,7 +99,7 @@ "source_path": "docs/Quickstart/Create-and-publish-a-package.md", "redirect_url": "/nuget/quickstart/create-and-publish-a-package-using-visual-studio", "redirect_document_id": false - }, + }, { "source_path": "docs/Quickstart/Use-a-Package.md", "redirect_url": "/nuget/quickstart/install-and-use-a-package-in-visual-studio", @@ -364,6 +364,31 @@ "source_path": "docs/tools/ps-ref-update-package.md", "redirect_url": "/nuget/reference/ps-reference/ps-ref-update-package", "redirect_document_id": false + }, + { + "source_path": "docs/reference/errors-and-warnings/NU1901.md", + "redirect_url": "/nuget/reference/errors-and-warnings/NU1901-NU1904", + "redirect_document_id": false + }, + { + "source_path": "docs/reference/errors-and-warnings/NU1902.md", + "redirect_url": "/nuget/reference/errors-and-warnings/NU1901-NU1904", + "redirect_document_id": false + }, + { + "source_path": "docs/reference/errors-and-warnings/NU1903.md", + "redirect_url": "/nuget/reference/errors-and-warnings/NU1901-NU1904", + "redirect_document_id": false + }, + { + "source_path": "docs/reference/errors-and-warnings/NU1904.md", + "redirect_url": "/nuget/reference/errors-and-warnings/NU1901-NU1904", + "redirect_document_id": false + }, + { + "source_path": "docs/guides/create-packages-for-xamarin.md", + "redirect_url": "/nuget", + "redirect_document_id": false } ] } diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 4dc8c6b90..2f1b58d08 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,3 +1,5 @@ +# Contributing + No contribution is too big or too small. 1. Visit the page to edit in the [NuGet documentation](https://learn.microsoft.com/nuget/), then click the **Edit** button on the top right. This brings you to the appropriate markdown page in the repo. diff --git a/README.md b/README.md index 0fc54465b..36a0aa314 100644 --- a/README.md +++ b/README.md @@ -23,14 +23,12 @@ No contribution is too big or too small. 1. Visit the page to edit in [NuGet documentation](https://learn.microsoft.com/nuget/), then click the **Edit** button on the top right. This brings you to the appropriate markdown page in the repo. 1. Edit the markdown: 1. If you're including images (use PNGs, generally), place them in the media folder that's in the topic's folder. Links are then `media/.png`. - 1. Relative links to other pages in this docset should be in the form `..//.md` including the training `.md`. If you're linking to another topic in the same folder, then `..//` can be omitted. When using anchors, always remember to include the `.md` before the `#`. + 1. Relative links to other pages in this docset should be in the form `..//.md` including the trailing `.md`. If you're linking to another topic in the same folder, then `..//` can be omitted. When using anchors, always remember to include the `.md` before the `#`. 1. When using external links, especially to Microsoft Learn, omit any language tag like "en-us" so that a reader in another language lands on a target page in that same language if it's available. 1. When you're done, enter a commit message below, and click **Propose file change**. -1. Send a pull request for your change. We review PRs on a regular basis. +1. Send a pull request for your change. Review requests are automatic and we review PRs on a regular basis. 1. Thank you! -> **If your content is not live yet, there is a manual `main` -> `live` pull request that is needed to pick-up the changes. Please create a PR or ping a content owner to do so on your behalf.** - If you're creating a new topic, keep the following in mind as well: 1. Always place the new topic in an appropriate subfolder, and follow the conventions for filenames as you see them used here. @@ -58,6 +56,13 @@ If you're creating a new topic, keep the following in mind as well: | reference | Any reference-type article that isn't auto-generated. | | article | Use for community-contributed content (that is, anything from outside the engineering team or the content team at Microsoft. | +## Merging to the live branch + +NuGet team members have permissions to merge to `live` branch manually, at their own discretion. +Otherwise, a regular (about once a month) Reverse Integration (RI) will be performed from `main` -> `live` branch. +Based on the urgency of the docs, this may happen frequently. +It is very important that the RI pull requests are *merged* and *not squashed*. + ## Conventions In general, if you don't see something described here, look in editing markdown files for examples, with the exception of files in the Release Notes which are legacy content and haven't been as thoroughly edited. diff --git a/docs.sln b/docs.sln new file mode 100644 index 000000000..a90cea1da --- /dev/null +++ b/docs.sln @@ -0,0 +1,38 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 18 +VisualStudioVersion = 18.3.11122.13 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "docs", "docs\docs.csproj", "{718966AB-D840-C99F-BC8C-757012BE68AA}" +EndProject +Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{C2962E4E-20FC-4C00-858E-D0C62611CBFB}" + ProjectSection(SolutionItems) = preProject + .gitignore = .gitignore + .openpublishing.publish.config.json = .openpublishing.publish.config.json + .openpublishing.redirection.json = .openpublishing.redirection.json + CONTRIBUTING.md = CONTRIBUTING.md + global.json = global.json + LICENSE = LICENSE + LICENSE-CODE = LICENSE-CODE + README.md = README.md + ThirdPartyNotices = ThirdPartyNotices + EndProjectSection +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Any CPU = Debug|Any CPU + Release|Any CPU = Release|Any CPU + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {718966AB-D840-C99F-BC8C-757012BE68AA}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {718966AB-D840-C99F-BC8C-757012BE68AA}.Debug|Any CPU.Build.0 = Debug|Any CPU + {718966AB-D840-C99F-BC8C-757012BE68AA}.Release|Any CPU.ActiveCfg = Release|Any CPU + {718966AB-D840-C99F-BC8C-757012BE68AA}.Release|Any CPU.Build.0 = Release|Any CPU + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection + GlobalSection(ExtensibilityGlobals) = postSolution + SolutionGuid = {C4A337AF-69A4-496C-97FF-300C3489A718} + EndGlobalSection +EndGlobal diff --git a/docs/TOC.md b/docs/TOC.md index 1ee1c9177..a49bb6178 100644 --- a/docs/TOC.md +++ b/docs/TOC.md @@ -17,6 +17,8 @@ ### [nuget.exe CLI](consume-packages/install-use-packages-nuget-cli.md) ### [Package Manager Console (PowerShell)](consume-packages/install-use-packages-powershell.md) ## Configure NuGet +### [Visual Studio options](consume-packages/nuget-visual-studio-options.md) +### [NuGet HTTPS Everywhere](consume-packages/nuget-https-everywhere.md) ### Package restore options #### [Restore packages](consume-packages/package-restore.md) #### [Troubleshooting](consume-packages/package-restore-troubleshooting.md) @@ -48,17 +50,18 @@ ### [Select assemblies referenced by projects](create-packages/select-assemblies-referenced-by-projects.md) ### [Set package type](create-packages/set-package-type.md) ### [Create a localized package](create-packages/creating-localized-packages.md) +### [.NET Packages containing native libraries](create-packages/native-files-in-net-packages.md) ## Guides for specific content ### [Create a UWP package (C++)](guides/create-uwp-packages.md) ### [Create a UWP package (C#)](guides/create-uwp-packages-CS.md) ### [Create a native package](guides/native-packages.md) ### [Create UI controls as a NuGet package](guides/create-UI-controls.md) ### [Create an analyzer as a NuGet package](guides/analyzers-conventions.md) -### [Create a package for Xamarin with Visual Studio 2017 or 2019](guides/create-packages-for-xamarin.md) ### [Create a package with COM interop assemblies](create-packages/author-packages-with-COM-interop-assemblies.md) ## Sign packages ### [Sign a package](create-packages/sign-a-package.md) -### [Signed package signatures and requirements](reference/signed-packages-reference.md) +### [Signed-package signatures and requirements](reference/signed-packages-reference.md) +### [Signed-package verification options](reference/Signed-Package-Verification-Options.md) # Publish packages ## Publish to NuGet.org ### [Publish a package](nuget-org/publish-a-package.md) @@ -72,9 +75,12 @@ ## [Package installation process](concepts/package-installation-process.md) ## [Package versioning](concepts/package-versioning.md) ## [Dependency resolution](concepts/dependency-resolution.md) +## [Auditing package dependencies for security vulnerabilities](concepts/Auditing-Packages.md) ## [Best practices for a secure software supply chain](concepts/Security-Best-Practices.md) ## [MSBuild .props and .targets](concepts/MSBuild-props-and-targets.md) ## [Troubleshooting Installed Packages](concepts/troubleshooting-installed-packages.md) +## [MCP servers in NuGet packages](concepts/nuget-mcp.md) +## [Configuring the NuGet MCP Server](concepts/NuGet-MCP-Server.md) # Reference ## [.nuspec](reference/nuspec.md) ## [nuget.config file](reference/nuget-config-file.md) @@ -116,6 +122,7 @@ ### [Update-Package](reference/ps-reference/ps-ref-update-package.md) ## NuGet Server API ### [Overview](api/overview.md) +### [Server Implementation Guide](api/implementation-guide.md) ### Resources #### [Autocomplete](api/search-autocomplete-service-resource.md) #### [Catalog](api/catalog-resource.md) @@ -124,10 +131,12 @@ #### [Package metadata](api/registration-base-url-resource.md) #### [Push and delete](api/package-publish-resource.md) #### [Push symbol packages](api/symbol-package-publish-resource.md) +#### [README URI](api/readme-template-resource.md) #### [Report abuse URL](api/report-abuse-resource.md) #### [Repository signatures](api/repository-signatures-resource.md) #### [Search](api/search-query-service-resource.md) #### [Service index](api/service-index.md) +#### [Vulnerability info](api/vulnerability-info.md) ### [How-to: query for all packages using the API](guides/api/query-for-all-published-packages.md) ### [Rate limits](api/rate-limits.md) ### [nuget.org protocols](api/nuget-protocols.md) @@ -147,6 +156,8 @@ ### [NU1010](reference/errors-and-warnings/NU1010.md) ### [NU1011](reference/errors-and-warnings/NU1011.md) ### [NU1012](reference/errors-and-warnings/NU1012.md) +### [NU1014](reference/errors-and-warnings/NU1014.md) +### [NU1015](reference/errors-and-warnings/NU1015.md) ### [NU1100](reference/errors-and-warnings/NU1100.md) ### [NU1101](reference/errors-and-warnings/NU1101.md) ### [NU1102](reference/errors-and-warnings/NU1102.md) @@ -157,6 +168,7 @@ ### [NU1107](reference/errors-and-warnings/NU1107.md) ### [NU1108](reference/errors-and-warnings/NU1108.md) ### [NU1109](reference/errors-and-warnings/NU1109.md) +### [NU1110](reference/errors-and-warnings/NU1110.md) ### [NU1201](reference/errors-and-warnings/NU1201.md) ### [NU1202](reference/errors-and-warnings/NU1202.md) ### [NU1203](reference/errors-and-warnings/NU1203.md) @@ -165,6 +177,7 @@ ### [NU1212](reference/errors-and-warnings/NU1212.md) ### [NU1213](reference/errors-and-warnings/NU1213.md) ### [NU1301](reference/errors-and-warnings/NU1301.md) +### [NU1302](reference/errors-and-warnings/NU1302.md) ### [NU1401](reference/errors-and-warnings/NU1401.md) ### [NU1402](reference/errors-and-warnings/NU1402.md) ### [NU1403](reference/errors-and-warnings/NU1403.md) @@ -175,6 +188,11 @@ ### [NU1504](reference/errors-and-warnings/NU1504.md) ### [NU1505](reference/errors-and-warnings/NU1505.md) ### [NU1506](reference/errors-and-warnings/NU1506.md) +### [NU1507](reference/errors-and-warnings/NU1507.md) +### [NU1508](reference/errors-and-warnings/NU1508.md) +### [NU1509](reference/errors-and-warnings/NU1509.md) +### [NU1510](reference/errors-and-warnings/NU1510.md) +### [NU1511](reference/errors-and-warnings/NU1511.md) ### [NU1601](reference/errors-and-warnings/NU1601.md) ### [NU1602](reference/errors-and-warnings/NU1602.md) ### [NU1603](reference/errors-and-warnings/NU1603.md) @@ -182,7 +200,14 @@ ### [NU1605](reference/errors-and-warnings/NU1605.md) ### [NU1608](reference/errors-and-warnings/NU1608.md) ### [NU1701](reference/errors-and-warnings/NU1701.md) +### [NU1702](reference/errors-and-warnings/NU1702.md) ### [NU1703](reference/errors-and-warnings/NU1703.md) +### [NU1900](reference/errors-and-warnings/NU1900.md) +### [NU1901](reference/errors-and-warnings/NU1901-NU1904.md) +### [NU1902](reference/errors-and-warnings/NU1901-NU1904.md) +### [NU1903](reference/errors-and-warnings/NU1901-NU1904.md) +### [NU1904](reference/errors-and-warnings/NU1901-NU1904.md) +### [NU1905](reference/errors-and-warnings/NU1905.md) ### [NU1801](reference/errors-and-warnings/NU1801.md) ### [NU1802](reference/errors-and-warnings/NU1802.md) ### [NU1803](reference/errors-and-warnings/NU1803.md) @@ -226,6 +251,8 @@ ### [NU3037](reference/errors-and-warnings/NU3037.md) ### [NU3038](reference/errors-and-warnings/NU3038.md) ### [NU3040](reference/errors-and-warnings/NU3040.md) +### [NU3042](reference/errors-and-warnings/NU3042.md) +### [NU3043](reference/errors-and-warnings/NU3043.md) ### [NU5000](reference/errors-and-warnings/NU5000.md) ### [NU5001](reference/errors-and-warnings/NU5001.md) ### [NU5002](reference/errors-and-warnings/NU5002.md) @@ -325,6 +352,16 @@ ### [Known Issues](release-notes/known-issues.md) ### NuGet 6.x +#### [NuGet 6.14](release-notes/NuGet-6.14.md) +#### [NuGet 6.13](release-notes/NuGet-6.13.md) +#### [NuGet 6.12](release-notes/NuGet-6.12.md) +#### [NuGet 6.11](release-notes/NuGet-6.11.md) +#### [NuGet 6.10](release-notes/NuGet-6.10.md) +#### [NuGet 6.9](release-notes/NuGet-6.9.md) +#### [NuGet 6.8](release-notes/NuGet-6.8.md) +#### [NuGet 6.7](release-notes/NuGet-6.7.md) +#### [NuGet 6.6](release-notes/NuGet-6.6.md) +#### [NuGet 6.5](release-notes/NuGet-6.5.md) #### [NuGet 6.4](release-notes/NuGet-6.4.md) #### [NuGet 6.3](release-notes/NuGet-6.3.md) #### [NuGet 6.2](release-notes/NuGet-6.2.md) diff --git a/docs/api/NuGet-Protocols.md b/docs/api/NuGet-Protocols.md index 0a027b5c2..ab00ae0cd 100644 --- a/docs/api/NuGet-Protocols.md +++ b/docs/api/NuGet-Protocols.md @@ -4,7 +4,7 @@ description: The evolving nuget.org protocols to interact with NuGet clients. author: anangaur ms.author: anangaur ms.date: 01/21/2021 -ms.topic: conceptual +ms.topic: article ms.reviewer: kraigb --- diff --git a/docs/api/_data/repository-signatures-index.json b/docs/api/_data/repository-signatures-index.json index 99df60be9..b80fc8d76 100644 --- a/docs/api/_data/repository-signatures-index.json +++ b/docs/api/_data/repository-signatures-index.json @@ -20,6 +20,16 @@ "notBefore": "2021-02-16T00:00:00.0000000Z", "notAfter": "2024-05-15T23:59:59.0000000Z", "contentUrl": "https://api.nuget.org/v3-index/repository-signatures/certificates/5a2901d6ada3d18260b9c6dfe2133c95d74b9eef6ae0e5dc334c8454d1477df4.crt" + }, + { + "fingerprints": { + "2.16.840.1.101.3.4.2.1": "1f4b311d9acc115c8dc8018b5a49e00fce6da8e2855f9f014ca6f34570bc482d" + }, + "subject": "CN=NuGet.org Repository by Microsoft, O=NuGet.org Repository by Microsoft, L=Redmond, S=Washington, C=US", + "issuer": "CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O=\"DigiCert, Inc.\", C=US", + "notBefore": "2024-02-23T00:00:00.0000000Z", + "notAfter": "2027-05-18T23:59:59.0000000Z", + "contentUrl": "https://api.nuget.org/v3-index/repository-signatures/certificates/1f4b311d9acc115c8dc8018b5a49e00fce6da8e2855f9f014ca6f34570bc482d.crt" } ] } \ No newline at end of file diff --git a/docs/api/implementation-guide.md b/docs/api/implementation-guide.md new file mode 100644 index 000000000..6bc08aa28 --- /dev/null +++ b/docs/api/implementation-guide.md @@ -0,0 +1,153 @@ +--- +title: NuGet Server Implementation Guide +description: Guidelines and recommendations to anyone implementing the NuGet Server API in their own package repository +author: zivkan +ms.author: zivkan +ms.date: 07/29/2023 +ms.topic: article +--- + +# NuGet Server Implementation Guide + +In some cases, you may want to implement your own NuGet package feed. +Many [existing implementations exist](../hosting-packages/Overview.md) which allow you to host your own feed in a variety way, but the protocol between the official NuGet client software and a package feed is documented allowing you to build your own feed implementation from scratch. + +The protocol does evolve over time and this guide is aimed at those that wish to or already have implemented a NuGet package server. + +Since the initial release of the NuGet V3 protocol in 2015, NuGet has evolved to provide developers with a richer experience, and this requires package repositories to do additional work in order to provide the additional value their package consumers, beyond simply exacting metadata from hosted packages and returning the metadata in various forms. +For example, the search and package metadata endpoints contain more than just metadata found in the nupkg's nuspec file. + +Note that this guide is focused on the NuGet V3 protocol since the V2 protocol is essentially undocumented and, since 2015, the recommended protocol for NuGet client and server communication is the V3 protocol. For more information read about protocol versioning. + +## Chronology + +To assist authors of existing NuGet repositories keep up to date with NuGet's newest features, here is the chronology of the relevant features mentioned in the remainder of the document. + +|Year|Feature| +|--|--| +|2013|[A blog post explaining how to manage package owners on nuget.org](https://devblogs.microsoft.com/nuget/managing-package-owners/) clarified the owners shown on the website are the accounts that have permission to upload new versions, and therefore [the `owners` metadata in the package is ignored](#owner-field)| +|2017|[Added `verified` to `SearchQueryService` responses.](#verified-search-response-field)| +||[Semantic Versioning 2.0.0 support](#semantic-versioning-200-support) +|2018|[Embedded licenses](#embedded-files)| +|2019|[Embedded icons](#embedded-files)| +||[Package deprecation in `RegistrationBaseUrl` (package metadata resource)](#known-vulnerability-and-deprecation-data)| +|2020|[Package vulnerability information in `RegistrationsBaseUrl` (package metadata resource)](#known-vulnerability-and-deprecation-data)| +||Added `packageTypes` query parameter to `SearchQueryService` requests| +|2021|[Embedded readme](#embedded-files)| +|2023|[PreAuthenticate authenticated requests](#url-structure-for-authenticated-feeds)
[`VulnerabilityInfo` resource](#known-vulnerabilities-database-vulnerabilityinfo)| +|2025|[Enable embedded README downloads](#enable-embedded-readme-downloads)| + +## Owner field + +Consider two of the [package manifest file (`.nuspec`)](../reference/nuspec.md) fields, `` and ``. +Package authors who are packaging third-party content often put the third-party name in the `` field. +The `` field was intended to denote who published the package on a repository, and therefore who should be contacted in case of packing issues or questions. + +This was explained in [a blog post from 2013](https://devblogs.microsoft.com/nuget/managing-package-owners/), so the `` field is considered deprecated in the `.nuspec` file. +If package's manifest contain this metadata, it should be ignored. +Do not return the value of the `.nuspec` file's `` field in the `owners` property in the [search resource](./search-query-service-resource.md) or [package metadata resource](./registration-base-url-resource.md) JSON response. + +If your repository has per-package permissions, it is recommended to report the accounts that have permissions to publish new versions in the `owner` metadata for search and package metadata resources JSON responses. + +## `verified` search response field + +Visual Studio's Package Manager UI shows a blue checkmark next to packages in [search service](./search-query-service-resource.md) results, when a new field `verified` is set to `true`. + +NuGet.org uses this with package prefix data (server side data, not part of the NuGet API), so that this checkmark is only shown to customers when the account that owns the package uploaded the package. +For example, any package with prefix `microsoft.*` is verified only when the package is owned by [the Microsoft account on nuget.org](https://www.nuget.org/profiles/Microsoft). +Anyone who uploaded a package with package id starting with `microsoft.` before reserved prefixes were implemented, will not have this verified checkmark. +NuGet.org also allows prefixes not to be exclusive, so that anyone can upload a package under `Contoso.ToolWithPlugins.Community.*`, but will not get a verified checkmark. + +## Semantic Versioning 2.0.0 support + +NuGet supports [a hybrid between `System.Version` and Semantic Version](../concepts/Package-Versioning.md#where-nugetversion-diverges-from-semantic-versioning), but support for Semantic Version 2.0.0 was added in 2017. +Therefore, NuGet API resources that return versions to client versions lower than 3.6.0 must not return packages that use Semantic 2.0.0 features that are incompatible with Semantic Versioning 1.0.0. + +The most important differences between the two versions are the pre-release labels, and metadata string. +The [Semantic Versioning 1.0.0 spec](https://semver.org/spec/v1.0.0.html) provides `[0-9A-Za-z-]` as a sample Regular Expression string for the only characters allowed as part of the pre-release label, and does not support metadata strings. +The [Semantic Versioning 2.0.0 spec](https://semver.org/spec/v2.0.0.html) allows pre-release identifiers to be separated by `.` characters (and forbids a numeric identifier from having a leading zero), and additionally allows build metadata to be added following a `+`. + +In the [package metadata resource (`RegistrationsBaseUrl`)](./registration-base-url-resource.md), resource versions below 3.6.0 must only return packages that comply with .NET's `System.Version` or Semantic Versioning 1.0.0. +This means packages whose versions are only compliant with Semantic Versioning 2.0.0 are invisible to these client versions. + +Similarly, the [search query service (`SearchQueryService`)](./search-query-service-resource.md) and [autocomplete service (`SearchAutocompleteService`)](./search-autocomplete-service-resource.md) added `&semVerLevel={version}` query parameters. +When `semVerLevel` is missing, assume the value `1.0.0`. +Like the package metadata resource, packages whose version is compatible only with Semantic Versioning 2.0.0 must not be returned when the `semVerLevel` value is below 2.0.0. + +## Embedded files + +Package [icons](../reference/nuspec.md#icon), [license](../reference/nuspec.md#license), and [readme](../reference/nuspec.md#readme) files can be (and are recommended to be) embedded in the package. +These files need a URL endpoint, either extracted and put on a static file server, or a URL that dynamically extracts the files from the `.nupkg` on request, so that they can be viewed without downloading the entire `nupkg`. +If your package repository provides package browsing and viewing package details, you can use the URLs to show customers the embedded content on your website. + +Finally, the [package metadata resource](./registration-base-url-resource.md) and [search resource](./search-query-service-resource.md) must contain the hosted URL in the `iconUrl`, `licenseUrl`, and/or `readmeUrl` properties of the JSON response. +Packages (`.nupkg` files) must not be modified, as client features (lock files and signed packages) will detect modifications as the package having been tampered with. + +Note that the license could be an SPDX expression, or an embedded file (but not both). +Packages that use a license expression, when represented in search and package metadata results, can have the `licenseUrl` set to the license expression, URL encoded, and appended to the end of https://licenses.nuget.org/. +For example, https://licenses.nuget.org/Apache-2.0. +The NuGet.org server team have additional [documentation on licenses.nuget.org](../nuget-org/licenses.nuget.org.md). + +## Known vulnerability and deprecation data + +### Package Metadata Resource (`RegistrationsBaseUrl`) + +The [Package Metadata Resource](./registration-base-url-resource.md) can contain [deprecation](./registration-base-url-resource.md#package-deprecation) and [vulnerability](./registration-base-url-resource.md#vulnerabilities) information. +This allows customers browsing packages in Visual Studio's Package Manager User Interface, or equivalent in other IDEs, to be notified of important security or maintenance issues. + +If your package repository is "up-sourcing" packages from another repository, in order to mirror packages in your own feed, we recommend periodically checking the original source if there is deprecation or vulnerability data, and mirror that metadata in your own repository. +If your package repository is up-sourcing from nuget.org specifically, by keeping state of the last time you checked (a "cursor"), you can use [the `Catalog` resource](./catalog-resource.md) to efficiently check if there are any package updates for packages you're mirroring, without having to download a large number of package metadata JSON files from the upstream feed. +There is [a guide on using the catalog resource](../guides/api/query-for-all-published-packages.md) with sample code that can help you get started. + +### Known Vulnerabilities Database (`VulnerabilityInfo`) + +In order to provide high-performance vulnerability scanning during package restore, NuGet downloads the full list of known vulnerabilities from [the `VulnerabilityInfo` resource](./vulnerability-info.md). +Nuget.org provides vulnerability data for all GitHub reviewed advisories from the [GitHub Advisories database](https://github.com/advisories), which includes packages that are not hosted on nuget.org. + +If your package repository is hosting first-party packages, and you would like to provide vulnerability information to customers using your own feed, but don't yet have any disclosed package vulnerabilities, you should provide a [vulnerability index](./vulnerability-info.md#vulnerability-index) with one or more [vulnerability pages](./vulnerability-info.md#vulnerability-page) whose contents are an empty JSON array (`[]`). + +#### Reusing nuget.org's vulnerability data + +NuGet does not require that resources in the [service index](./service-index.md), or [the vulnerability index](./vulnerability-info.md#vulnerability-index), must be on the same server as the service index itself. +However, there are several reasons why some companies choose to block nuget.org at the firewall, or have on-prem feeds on a disconnected network. +To avoid connectivity issues, we recommend serving vulnerability data from your own web app, so that NuGet clients only make HTTP connections to the host the feed is installed on. + +✔️ DO cache or proxy the vulnerability pages in your own web app + +❌ DO NOT advertise api.nuget.org in your service index or vulnerability index without a configuration to turn this off. + +## `packageTypes` search query + +The .NET CLI allows searching for .NET tool packages with the `dotnet tool search` command. +This is implemented by adding a `&packageTypes={value}` query parameter to the [search query resource](./search-query-service-resource.md), that reads values from the package's `.nuspec` file `` field. + +## URL structure for authenticated feeds + +As described in [the overview of the NuGet API](./overview.md), the starting URL for all NuGet server communication is [the service index](./service-index.md). +This document contains the URLs for all other resources that NuGet clients will query. +As of NuGet 6.7 (Visual Studio & MSBuild 17.7, and .NET SDK 7.0.400), NuGet uses [.NET's `HttpClientHandler.PreAuthenticate`](/dotnet/api/system.net.http.httpclienthandler.preauthenticate), which only avoids anonymous HTTP requests when subsequent URLs are in the same virtual directory, or a subdirectory, of a URL that has previously been authenticated. +This will dramatically reduce the number of unauthenticated HTTP requests sent to the server, and therefore will reduce your server workload. + +Here are some examples: + +|URL|Will PreAuthenticate?| +|--|--| +|https://pkgs.contoso.com/nuget/v3/feed/index.json|N/A, this is the service index.| +|https://pkgs.contoso.com/nuget/v3/search|No, not in the same or sub-directory as the service index.| +|https://search.pkgs.contoso.com/nuget/v3/feed/|No, not on the same host name as the service index.| +|https://pkgs.contoso.com/nuget/v3/feed/search|Yes, in the same directory as the service index.| +|https://pkgs.contoso.com/nuget/v3/registration/|No, not in a subdirectory of the service index.| +|https://pkgs.contoso.com/nuget/v3/feed/registration/|Yes, in a subdirectory of the service index.| +|https://pkgs.contoso.com/nuget/v3/{guid}/registration/|See below| + +In the last example, the server might have a canonical (in this example a guid) name, and have one or more aliases. +If the service index request was authenticated on a non-canonical URL (the "friendly" name, in our example `feed`), then no, any requests to resources under the canonical URL will not match `HttpClientHandler`'s rules for `PreAuthenticate`. +However, if the non-canonical URL is an HTTP redirection to the canonical URL, https://pkgs.contoso.com/nuget/v3/{guid}/index.json, then this URL will be used in `HttpClientHandler`'s credential cache. +In this case, every request to the service index will have additional latency, due to the redirection. + +While NuGet's V3 API was designed to work on a static file server, the search resource is the exception that always requires a dynamic web service to process requests. +If you wish to host search, or indeed any other NuGet API resource, on different servers, in order to benefit from `HttpClientHandler`'s `PreAuthenticate`, you will need to use a reverse proxy to ensure all customer facing URLs in the service index meet the "same or subdirectory" rule. + +## Enable embedded README downloads + +A [new resource](./readme-template-resource.md) was documented for constructing a URL that can be used to download a README for a given package. This will allow client, like the Package Management UI in VS, to display the embedded README for packages which haven't been previously installed by the user. The client will construct this URL and attempt to download the README, using the response to the request to determine if a README is available. This means servers should expect multiple requests to the constructed endpoint as users navigate the PM UI. diff --git a/docs/api/overview.md b/docs/api/overview.md index 7201f6431..ecf2fd22c 100644 --- a/docs/api/overview.md +++ b/docs/api/overview.md @@ -20,6 +20,8 @@ Note in some cases, nuget.org has additional requirements that are not enforced For a simple enumeration and download of available nuget.exe versions, see the [tools.json](tools-json.md) endpoint. +If you are implementing a NuGet package repository, also see [the implementation guide](./implementation-guide.md) for additional requirements and recommendations. + ## Service index The entry point for the API is a JSON document in a well known location. This document is called the **service index**. The location of the service index for nuget.org is `https://api.nuget.org/v3/index.json`. @@ -59,12 +61,14 @@ Resource name | Required [PackageBaseAddress](package-base-address-resource.md) | yes | Get package content (.nupkg). [PackageDetailsUriTemplate](package-details-template-resource.md) | no | Construct a URL to access a package details web page. [PackagePublish](package-publish-resource.md) | yes | Push and delete (or unlist) packages. +[ReadmeUriTemplate](readme-template-resource.md) | no | Construct a URL to access a package's README. [RegistrationsBaseUrl](registration-base-url-resource.md) | yes | Get package metadata. [ReportAbuseUriTemplate](report-abuse-resource.md) | no | Construct a URL to access a report abuse web page. [RepositorySignatures](repository-signatures-resource.md) | no | Get certificates used for repository signing. [SearchAutocompleteService](search-autocomplete-service-resource.md) | no | Discover package IDs and versions by substring. [SearchQueryService](search-query-service-resource.md) | yes | Filter and search for packages by keyword. [SymbolPackagePublish](symbol-package-publish-resource.md) | no | Push symbol packages. +[VulnerabilityInfo](vulnerability-info.md) | no | Packages with known vulnerabilities. In general, all non-binary data returned by a API resource are serialized using JSON. The response schema returned by each resource in the service index is defined individually for that resource. For more information about diff --git a/docs/api/package-base-address-resource.md b/docs/api/package-base-address-resource.md index f2bc08624..56416a5d6 100644 --- a/docs/api/package-base-address-resource.md +++ b/docs/api/package-base-address-resource.md @@ -36,9 +36,9 @@ All URLs found in the package content resource support the HTTP methods `GET` an ## Enumerate package versions -If the client knows a package ID and wants to discover which package versions the package source has available, the -client can construct a predictable URL to enumerate all package versions. This list is meant to be a "directory -listing" for the package content API mentioned below. +If the client knows a package ID and wants to discover which package versions the package source has available, the client can construct a predictable URL to enumerate all package versions. +Every version listed in this list must be available for download. +This list is meant to be a "directory listing" for the package content API mentioned below. > [!Note] > This list contains both listed and unlisted package versions. diff --git a/docs/api/readme-template-resource.md b/docs/api/readme-template-resource.md new file mode 100644 index 000000000..565789ea7 --- /dev/null +++ b/docs/api/readme-template-resource.md @@ -0,0 +1,62 @@ +--- +title: README Uri Template, NuGet API +description: The README uri template allows clients to download the readme for a package, if available. +author: jgonz120 +ms.author: jongonza +ms.date: 1/6/2025 +ms.topic: reference +ms.reviewer: +--- + +# README Uri Template + +It is possible for a client to build a URL that can be used to download a README for a specific package. +This will enable the clients to render the package's README without downloading the entire package. + +The resource used for building this URL is the `ReadmeUriTemplate` resource found in the +[service index](service-index.md). + +## Versioning + +The following `@type` values are used: + +@type value | Notes +--------------------------------- | ----- +ReadmeUriTemplate/6.13.0 | The initial release + +## URL template + +The URL for the following API is the value of the `@id` property associated with one of the aforementioned +resource `@type` values. + +## HTTP methods + +The constructed URL must support the HTTP method `GET` + +## Construct the URL + +Given a known package ID and version, the client implementation can construct a URL to download the README. + +The value of the `@id` is a URL string containing any of the following placeholder tokens: + +### URL placeholders + +Name | Type | Required | Notes +----------- | ------- | -------- | ----- +`{lower_id}` | string | yes | The package ID, lowercased +`{lower_version}` | string | yes | The package version, lowercased + +Both `lower_id` and `lower_version` are lowercased using the rules implemented by .NET's +[`System.String.ToLowerInvariant()`](/dotnet/api/system.string.tolowerinvariant?view=netstandard-2.0#System_String_ToLowerInvariant&preserve-view=true) +method. + +The `lower_version` is the desired package version normalized using NuGet's version +[normalization rules](../concepts/package-versioning.md#normalized-version-numbers). This means that build metadata +that is allowed by the SemVer 2.0.0 specification must be excluded in this case. + +### Response body + +If the package has a readme, a 200 status code is returned. The response body will be the readme +content itself. + +If the package does not have a readme, a 404 status code is returned. diff --git a/docs/api/repository-signatures-resource.md b/docs/api/repository-signatures-resource.md index 1b67ccdc3..4d8befdd0 100644 --- a/docs/api/repository-signatures-resource.md +++ b/docs/api/repository-signatures-resource.md @@ -110,7 +110,7 @@ All hash values must be lowercase, hex-encoded string representations of the has ### Sample request ``` -GET https://api.nuget.org/v3-index/repository-signatures/index.json +GET https://api.nuget.org/v3-index/repository-signatures/5.0.0/index.json ``` ### Sample response diff --git a/docs/api/search-query-service-resource.md b/docs/api/search-query-service-resource.md index 7ad5b2cf4..e4466d5e1 100644 --- a/docs/api/search-query-service-resource.md +++ b/docs/api/search-query-service-resource.md @@ -111,7 +111,7 @@ versions | array of objects | yes | All of the versions of authors | string or array of strings | no | iconUrl | string | no | licenseUrl | string | no | -owners | string or array of strings | no | +owners | string or array of strings | no | A string represents a single owner's username projectUrl | string | no | registration | string | no | The absolute URL to the associated [registration index](registration-base-url-resource.md#registration-index) summary | string | no | diff --git a/docs/api/service-index.md b/docs/api/service-index.md index faacd9351..369bdbc16 100644 --- a/docs/api/service-index.md +++ b/docs/api/service-index.md @@ -65,6 +65,10 @@ There is no requirement that each resource has a unique `@id` or `@type`. It is determine which resource to prefer over another. One possible implementation is that resources of the same or compatible `@type` can be used in a round-robin fashion in case of connection failure or server error. +A resource can use a different host or domain than the service index, but this may cause issues in environments with strict network rules. +In particular, if your service index adds resources that point directly to nuget.org (rather than proxying or caching through your own feed), your feed will not work where access to nuget.org is blocked. +If your feed is going to delegate particular resources to nuget.org, we recommend adding a configuration so that when your feed is deployed, the direct nuget.org reference can be removed from the service index. + ### Sample request ``` diff --git a/docs/api/tools-json.md b/docs/api/tools-json.md index 692e45b0e..f42b5c70c 100644 --- a/docs/api/tools-json.md +++ b/docs/api/tools-json.md @@ -4,7 +4,7 @@ description: The endpoint for author: jver ms.author: jver ms.date: 08/16/2018 -ms.topic: conceptual +ms.topic: article ms.reviewer: kraigb --- diff --git a/docs/api/vulnerability-info.md b/docs/api/vulnerability-info.md new file mode 100644 index 000000000..abddc2eaf --- /dev/null +++ b/docs/api/vulnerability-info.md @@ -0,0 +1,128 @@ +--- +title: Vulnerability Info, NuGet API +description: The data that allows clients to check packages for known vulnerabilities. +author: zivkan +ms.author: zivkan +ms.date: 06/16/2023 +ms.topic: reference +--- + +# Vulnerability information + +NuGet client, starting from version 6.7, can download known package vulnerability information to use in scenarios such as checking packages during restore operations. +While the [package metadata resource](./registration-base-url-resource.md) also contains known vulnerability information, if an app needs to check a large number of packages for known vulnerabilities, it's much faster to download a file of known vulnerabilities and lookup locally, rather than making a large number of HTTP requests. +For example, this enables NuGet Restore to quickly check restored packages for known vulnerabilities, which historically never downloaded package details from the package metadata resource. + +The API consists of at least two files, the [vulnerability index](#vulnerability-index) and one or more [vulnerability page files](#vulnerability-page). +Known vulnerability data can be partitioned into multiple files, and the vulnerability index provides clients with information needed to cache files, and update the cache, efficiently. + +The resource used for building this URL is the `VulnerabilityInfo` resource found in the [service index](service-index.md). + +## Suggested partitioning strategy + +The pages listed in the vulnerability index should ideally be optimized to maximize caching, and therefore minimize updates to large files. +This will allow clients to minimize the frequency it needs to download updates. + +A suggested strategy for vulnerability data partitioning is to have two pages, `base.json` and `updates.json`. +The `base.json` file is updated periodically (for example once a month), and contains all known vulnerabilities at the time the file is regenerated. +The `updates.json` file should contain any new advisories published since `base.json` was last regenerated. +This will allow clients to download the large `base.json` infrequently, while the frequently changing `updates.json` file is always relatively small. + +NuGet clients combine the data from multiple files additively, and may load the files in any order. +The data file schema does not allow for modification or redaction of known vulnerability from another file. +Therefore if a server's vulnerability data source (for example the [GitHub Advisories Database](https://github.com/advisories)) modifies an existing advisory, the NuGet server must modify the page that the vulnerability information was previously reported. +One way to achieve this with the suggested partition scheme is to treat all vulnerability modifications and deletions as a trigger to regenerate the complete `base.json` file, and empty `updates.json`. + +If you intend to use nuget.org's vulnerability data in your own NuGet server implementation, you should take into consideration developers who do not have direct access to nuget.org. +[See our implementation guide for more details](./implementation-guide.md#reusing-nugetorgs-vulnerability-data). + +## Versioning + +The following `@type` values are used: + +@type value | Notes +--------------------------------- | ----- +VulnerabilityInfo/6.7.0 | The initial release + +## Vulnerability index + +The vulnerability index is a JSON array of objects with the following properties: + +Name | Type | Required | Notes +-------- | ---------| -------- | ----- +@name | string | yes | A short name for the file, used as a cache key. +@id | string | yes | The full (absolute) URL to a vulnerability data file. +@updated | string | yes | An ISO 8601 string representing the date and time the file was last updated, ideally with the UTC timezone. +comment | string | no | A optional descriptive string. + +The following restrictions apply: + +* The index must be an array of objects with between 1 and 16 items. + If the server does not have any vulnerability data (zero pages), then must remove the `VulnerabilityInfo` resource from the `ServiceIndex`. +* `@name` must be unique within the index, must be between 1 and 32 characters long, and can only use the characters `A` to `Z`, `a` to `z`, `0` to `9`, `-`, or `_`. +* `@id` must be an absolute URL, not a relative URL. + +## Vulnerability page + +Vulnerability page files are a JSON object used as a dictionary. +Property keys are the lower-case package id and property values are an array of the following object with the following properties: + +Name | Type | Required | Notes +-------- | ------- | -------- | ----- +severity | integer | yes | 0 means low, 1 means medium, 2 means high, 3 means critical. +url | string | yes | URL where users can get more information about the vulnerability. +versions | string | yes | The version range that is vulnerable, using [NuGet's version range syntax](../concepts/package-versioning.md#version-ranges). + +Package IDs (the root object's keys) must be lowercased with [`String.ToLowerInvariant`](/dotnet/api/system.string.tolowerinvariant). + +The list of known vulnerabilities for a package should be sorted in descending order of the max version of the version range, followed by descending version of the min version, followed by the ascending order of the URL. +Ranges with null min or max versions (unbounded) in a version range should be sorted to before non-null (bounded) versions. + +An empty page, one that does not provide any known vulnerabilities, must be an empty JSON array (`[]`). + +## Samples + +Here is a sample of a vulnerability index: + +```json +[ + { + "@name": "base", + "@id": "https://nuget.contoso.com/v3/vulnerabilities/3bb6b300-2f74-45bc-af06-746fd21c024b.json", + "@updated": "2023-06-01T06:14:58.4159909Z", + "comment": "The base data for vulnerability update periodically" + }, + { + "@name": "update", + "@id": "https://nuget.contoso.com/v3/vulnerabilities/ffd572cd-33f3-4372-8714-a9cab2e86b45.json", + "@updated": "2023-06-14T11:35:30.3155764Z", + "comment": "The patch data for the vulnerability. Contains all the vulnerabilities since base was last updated." + } +] +``` + +Here is a sample of a vulnerability data file: + +```json +{ + "contoso.library": [ + { + "url": "https://cve.contoso.com/advisories/1", + "severity": 1, + "versions": "(, 2.0.0)" + }, + { + "url": "https://cve.contoso.com/advisories/2", + "severity": 2, + "versions": "(1.0.0, 2.0.0)" + } + ], + "contoso.utilities": [ + { + "url": "https://cve.contoso.com/advisories/3", + "severity": 3, + "versions": "(, 1.0.0)" + } + ] +} +``` diff --git a/docs/archive/media/project-json-migrator.png b/docs/archive/media/project-json-migrator.png new file mode 100644 index 000000000..4328dfa7f Binary files /dev/null and b/docs/archive/media/project-json-migrator.png differ diff --git a/docs/archive/project-json-and-uwp.md b/docs/archive/project-json-and-uwp.md index b36ab5d20..898f98a53 100644 --- a/docs/archive/project-json-and-uwp.md +++ b/docs/archive/project-json-and-uwp.md @@ -4,13 +4,16 @@ description: Description of how the project.json file is used to track NuGet dep author: JonDouglas ms.author: jodou ms.date: 07/17/2017 -ms.topic: conceptual +ms.topic: article --- # project.json and UWP > [!Important] -> This content is deprecated. Projects should use either the `packages.config` or PackageReference formats. +> This content is deprecated. Projects should use the PackageReference formats. +> Learn how to [migrate your project.json project to PackageReference](./project-json.md#migrate-projectjson-to-packagereference). +> Visual Studio 2026 automatically migrates project.json at solution load time. +> [.NET 10 SDK & NuGet.exe 7.0](../release-notes/NuGet-7.0.md) do not support project.json projects. This document describes the package structure that employs features in NuGet 3+ (Visual Studio 2015 and later). The `minClientVersion` property of your `.nuspec` can be used to state that you require the features described here by setting it to 3.1. diff --git a/docs/archive/project-json-impact.md b/docs/archive/project-json-impact.md index 3f171f019..98569678f 100644 --- a/docs/archive/project-json-impact.md +++ b/docs/archive/project-json-impact.md @@ -4,13 +4,16 @@ description: Details on how the implementation of project.json in NuGet 3.x affe author: JonDouglas ms.author: jodou ms.date: 01/18/2018 -ms.topic: conceptual +ms.topic: concept-article --- # Impact of project.json when creating packages > [!Important] -> This content is deprecated. Projects should use either the `packages.config` or PackageReference formats. +> This content is deprecated. Projects should use the PackageReference formats. +> Learn how to [migrate your project.json project to PackageReference](./project-json.md#migrate-projectjson-to-packagereference). +> Visual Studio 2026 automatically migrates project.json at solution load time. +> [.NET 10 SDK & NuGet.exe 7.0](../release-notes/NuGet-7.0.md) do not support project.json projects. The `project.json` system used in NuGet 3+ affects package authors in several ways as described in the following sections. diff --git a/docs/archive/project-json.md b/docs/archive/project-json.md index ec21cf7e0..6e039d251 100644 --- a/docs/archive/project-json.md +++ b/docs/archive/project-json.md @@ -10,9 +10,12 @@ ms.topic: reference # project.json reference > [!Important] -> This content is deprecated. Projects should use either the `packages.config` or PackageReference formats. +> This content is deprecated. Projects should use the PackageReference formats. +> Learn how to [migrate your project.json project to PackageReference](#migrate-projectjson-to-packagereference). +> Visual Studio 2026 automatically migrates project.json at solution load time. +> [.NET 10 SDK & NuGet.exe 7.0](../release-notes/NuGet-7.0.md) do not support project.json projects. -*NuGet 3.x+* +*NuGet 3.x* The `project.json` file maintains a list of packages used in a project, known as a package management format. It supersedes `packages.config` but is in turn superseded by [PackageReference](../consume-packages/package-references-in-project-files.md) with NuGet 4.0+. @@ -37,6 +40,38 @@ The [`project.lock.json`](#projectlockjson) file (described below) is also used } ``` +## Migrate project.json to PackageReference + +The migration between project.json and PackageReference is straightforward. + +### Automatic migration in Visual Studio 2026 + +Visual Studio 2026 and later automatically migrates project.json projects to PackageReference when you open a solution containing project.json projects. +The migration happens at solution load time: + +1. Open a solution containing project.json projects in Visual Studio 2026 or later. +1. Visual Studio automatically detects project.json files and migrates them to PackageReference format. +1. To check migration status, open the [Output Window](/visualstudio/ide/output-window) and select Show output from "Package Manager". +You should see messages like "Migrating project.json project..." followed by "Migration Succeeded" for each project. +Any errors will appear in the Error List. +1. A backup of the original project file and project.json file is created in a `Backup` folder in the root of the project directory. +1. The migration converts all package dependencies to PackageReference format in the project file. + + +### Manual migration in Visual Studio 2022 + +For Visual Studio 2022 and earlier, you can use the built-in migrator: + +1. Load the project.json project in Visual Studio. +1. Go to the solution explorer of the project.json project and find the dependencies node. +1. Right-click and select `Migrate project.json to PackageReference...` + +![Migrating from project.json to PackageReference](media/project-json-migrator.png) + +### Alternative migration methods + +Alternatively, you may use the [dotnet migrate](/dotnet/core/tools/dotnet-migrate) command-line tool, or do the migration manually by taking all of the content from the project.json file and replacing it with the equivalent [PackageReference syntax](../consume-packages/Package-References-in-Project-Files.md). + ## Dependencies Lists the NuGet package dependencies of your project in the following form: diff --git a/docs/concepts/Auditing-Packages.md b/docs/concepts/Auditing-Packages.md new file mode 100644 index 000000000..72d185b5a --- /dev/null +++ b/docs/concepts/Auditing-Packages.md @@ -0,0 +1,295 @@ +--- +title: Auditing package dependencies for security vulnerabilities +description: How to audit package dependencies for security vulnerabilities and acting on security audit reports. +author: JonDouglas +ms.author: jodou +ms.topic: how-to +ms.date: 10/01/2025 +--- + +# Auditing package dependencies for security vulnerabilities + +## About security audits + +A security audit for package managers like NuGet is a process that involves analyzing the security of the packages that are included in a software project. +This involves identifying vulnerabilities, evaluating risks, and making recommendations for improving security. +The audit can include a review of the packages themselves, as well as any dependencies and their associated risks. +The goal of the audit is to identify and mitigate any security vulnerabilities that could be exploited by attackers, such as code injection or cross-site scripting attacks. + +### Feature availability + +| NuGet | .NET SDK | Visual Studio | Feature | +|-------|----------|---------------|---------| +| [5.9](../release-notes/NuGet-5.9.md) | .NET 5 SDK (5.0.200) | N/A | [`dotnet list package --vulnerable`](#dotnet-list-package---vulnerable) | +| [6.8](../release-notes/NuGet-6.8.md) | .NET 8 SDK (8.0.100) | Visual Studio 2022 17.8 | [NuGetAudit](#running-a-security-audit-with-restore) for PackageReference | +| [6.10](../release-notes/NuGet-6.10.md) | N/A | Visual Studio 2022 17.10 | [NuGetAudit](#running-a-security-audit-with-restore) for packages.config| +| [6.11](../release-notes/NuGet-6.11.md) | .NET 8 SDK (8.0.400) | Visual Studio 2022 17.11 | [NuGetAuditSuppress](#excluding-advisories) for PackageReference | +| [6.12](../release-notes/NuGet-6.12.md) | .NET 9 SDK (9.0.100) | Visual Studio 2022 17.12 | [Audit sources](#audit-sources). [NuGetAuditSuppress](#excluding-advisories) for packages.config. | +| [7.0](../release-notes/NuGet-7.0.md) | .NET 10 SDK (10.0.100) | Visual Studio 2026 | [NuGetAuditMode default changes for .NET 10](#configuring-nuget-audit). [`dotnet package update --vulnerable`](#security-vulnerabilities-found-with-updates) | + +## Running a security audit with `restore` + +The `restore` command automatically runs when you do a common package operation such as loading a project for the first time, adding a new package, updating a package version, or removing a package from your project in your favorite IDE. +Your dependencies are checked against a list of known vulnerabilities provided by your [audit sources](#audit-sources). + +1. On the command line, navigate to your project or solution directory. +1. Run `restore` using your preferred tooling (i.e. dotnet, MSBuild, NuGet.exe, VisualStudio etc). +1. Review the warnings and address the known security vulnerabilities. + +### Configuring NuGet Audit + +Audit can be configured via MSBuild properties in a `.csproj` or MSBuild file being evaluated as part of your project. +We recommend that audit is configured at a repository level. + +| MSBuild Property | Default | Possible values | Notes | +|------------------|---------|-----------------|-------| +| NuGetAuditMode | See 1 below | `direct` and `all` | If you'd like to audit top-level dependencies only, you can set the value to `direct`. NuGetAuditMode is not applicable for packages.config projects. | +| NuGetAuditLevel | low | `low`, `moderate`, `high`, and `critical` | The minimum severity level to report. If you'd like to see `moderate`, `high`, and `critical` advisories (exclude `low`), set the value to `moderate` | +| NuGetAudit | true | `true` and `false` | If you wish to not receive security audit reports, you can opt-out of the experience entirely by setting the value to `false` | + +1. `NuGetAuditMode` defaults to `all` when a project targets `net10.0` or higher. + Otherwise `NuGetAuditMode` defaults to `direct`. + When a project multi-targets, if any one target framework selects `all`, then audit will use this value for all target frameworks. + +#### Audit Sources + +Restore downloads a server's [`VulnerabilityInfo` resource](../api/vulnerability-info.md) to check against the list of packages each project is using. +The list of sources are defined by [the `auditSources` element in NuGet.Config](../reference/nuget-config-file.md#auditsources), and [warning NU1905](#warning-codes) is raised if any of the audit sources do not provide any vulnerability info. +If `auditSources` is not defined or is cleared without adding any sources, then `packageSources` will be used and warning NU1905 is suppressed. + +Since a common mitigation for package substitution attacks is [to use a single package source that upstreams from nuget.org, so that NuGet is not configured to use nuget.org as a package source](Security-Best-Practices.md#nuget-feeds), audit sources can be used to use nuget.org (or any other source that provides vulnerability information) without also using it as a package source. + +The data source for nuget.org's vulnerability database is [GitHub Advisory Database](https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anuget). +Note that the [V2 protocol is deprecated](../nuget-org/overview-nuget-org.md#api-endpoint-for-nugetorg), so if your nuget.config is still using the V2 endpoint, you must migrate to the V3 endpoint. + +```xml + + + + + + +``` + +**Note**: The table below lists features that support Audit Sources. + +| Introduced In | Feature Supporting Audit Sources | +| -------------------------------------------------------------------------------------------- | ------------------------------------------------------------------ | +| [NuGet 6.12, .NET 9.0.100 SDK, and Visual Studio 2022 17.12](../release-notes/NuGet-6.12.md) | Restore | +| [NuGet 6.14, .NET 9.0.300 SDK](../release-notes/NuGet-6.14.md) | `dotnet package list --vulnerable` | +| [NuGet 7.0 and Visual Studio 2026](../release-notes/NuGet-7.0.md) | NuGet AuditSources support in the Visual Studio Package Manager UI | + +### Warning codes + +| Warning Code | Reason | +|--------------|----------| +| [NU1900](../reference/errors-and-warnings/NU1900.md) | Error communicating with package source, while getting vulnerability information. | +| [NU1901](../reference/errors-and-warnings/NU1901-NU1904.md) | Package with low severity detected | +| [NU1902](../reference/errors-and-warnings/NU1901-NU1904.md) | Package with moderate severity detected | +| [NU1903](../reference/errors-and-warnings/NU1901-NU1904.md) | Package with high severity detected | +| [NU1904](../reference/errors-and-warnings/NU1901-NU1904.md) | Package with critical severity detected | +| [NU1905](../reference/errors-and-warnings/NU1905.md) | An audit source does not provide a vulnerability database | + +You can customize your build to treat these warnings as errors to [treat warnings as errors, or treat warnings not as errors](/dotnet/csharp/language-reference/compiler-options/errors-warnings#warningsaserrors-and-warningsnotaserrors). +For example, if you're already using `` to treat all (C#, NuGet, MSBuild, etc) warnings as errors, you can use `$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904` to prevent vulnerabilities discovered in the future from breaking your build. +Alternatively, if you want to keep low and moderate vulnerabilities as warnings, but treat high and critical vulnerabilities as errors, and you're not using `TreatWarningsAsErrors`, you can use `$(WarningsAsErrors);NU1903;NU1904`. + +> [!NOTE] +> MSBuild properties for message severity such as `NoWarn` and `TreatWarningsAsErrors` are not supported for packages.config projects. + +#### Excluding advisories + +You can exclude advisories by adding a new `NuGetAuditSuppress` MSBuild item for each advisory. +Define a `NuGetAuditSuppress` item with the `Include=` metadata set to the advisory URL you wish to suppress. + +```xml + + + +``` + +Similar to the other NuGet audit configuration properties, `NuGetAuditSuppress` items can be defined at the project or repository level. + +`NuGetAuditSuppress` is available for PackageReference projects starting from [NuGet 6.11, Visual Studio 17.11, and the .NET 8.0.400 SDK](../release-notes/NuGet-6.11.md). +It is available for packages.config from [Visual Studio 17.12 and NuGet 6.12](../release-notes/NuGet-6.12.md). + +##### When to exclude advisories + +In scenarios where you have analyzed a specific advisory and have determined that it either does not apply to your scenario, or you are comfortable with the risks it imposes, you can choose to exclude specific advisories from the audit report. +Note that this would completely suppress the advisories, even for packages that share the advisory that may not be part of your project. +`NuGetAuditSuppress` should be considered a last resort for managing advisories. + +## Actions when packages with known vulnerabilities are reported + +Getting a warning about packages with known vulnerabilities is only part of the process. +Once discovered, action needs to be taken to remove the potential vulnerability from your solution. + +The easiest case is when a package you reference directly has the known vulnerability. +In this situation, update the package version to one that fixes the vulnerability. + +Package vulnerabilities may be reported in both direct and transitive package references. +The action you take to resolve may be different because of that. + +### Security vulnerabilities found with updates + +If security vulnerabilities are found and updates are available for the package, you can do one of the following: + +- Edit the `.csproj` or other package version location (`Directory.Packages.props`) with a newer version containing a security fix. +- Use the NuGet package manager user interface in Visual Studio to update the individual package. +- Run the `dotnet package update --vulnerable` command to update all vulnerable packages in a project to the first version without known vulnerabilities. +- Run the `dotnet package update` or `dotnet package add` commands with the respective package ID to update to the latest version. Use [`dotnet add package` when using .NET 9 or earlier](/dotnet/core/whats-new/dotnet-10/sdk#more-consistent-command-order). +- Use the NuGet Model Context Protocol (MCP) server that has the ability to update packages in your project to versions that resolve known vulnerabilities. +See [Fixing package vulnerabilities](NuGet-MCP-Server.md#fixing-package-vulnerabilities) for more information. + +#### Transitive Packages + +Often a vulnerability will be in a transitive dependency. +Our recommendation is to prefer updates to packages "closest" to your direct references. +Though, there's nothing wrong with just upgrading the package with known vulnerability either. + +For example, say your project references package A. +Package A has a dependency on package B, which in turn has a dependency on package C. +In this example, we'll consider that package C version 1.0.0 has a known vulnerability, fixed in version 2.0.0. +Our recommendation is to first try upgrading package A. +If that doesn't resolve the audit warning, then try upgrading package B. +If that doesn't resolve the audit warning, then upgrade C directly. +To aid with this, you'll [need to find the transitive package path](#finding-the-transitive-package-path). + +In summary, if a known vulnerability exists in a top-level package's transitive dependencies, you have these options: + +- Check if the top-level package contains an update that does not have a transitive vulnerability and update that instead. +- Update the closest package to your direct references that does not reference a vulnerability. +- Add the fixed package version as a direct package reference. **Note:** Be sure to remove this reference when a new package version update becomes available and be sure to maintain the defined attributes for the expected behavior. +- Use [Central Package Management with the transitive pinning functionality](../consume-packages/Central-Package-Management.md#transitive-pinning). + Note that if you pack your project into your own package to share with others, [CPM with transitive pinning will cause packages to become dependencies](../consume-packages/Central-Package-Management.md#transitive-pinning-and-pack), even if your project doesn't directly call APIs on that package. +- [Suppress the advisory](#excluding-advisories) until it can be addressed. +- File an issue in the top-level package's tracker to request an update. + +##### Finding the transitive package path + +There are several ways to find the package path. +Which method you prefer depends on what tools you normally use during your development. + +###### dotnet nuget why + +On the command line, you can use the [`dotnet nuget why` command](/dotnet/core/tools/dotnet-nuget-why) to understand why transitive packages are being included in your project's package graph. + +![dotnet nuget why example](media/dotnet-nuget-why-1.png) + +###### Visual Studio Solution Explorer + +SDK style projects also provide the full package graph under the project's Dependency node. +It's also searchable! +Expand search options and enable “search external files”. + +![Visual Studio Solution Explorer Search Options](media/vs-solution-explorer-search-options-1.png) + +Search the package name, and it will show you all instances under each project's Dependencies node. + +![Visual Studio Solution Explorer Search Results](media/vs-solution-explorer-search-results-1.png) + +###### Visual Studio NuGet Package Manager UI + +When you look at the Installed tab in Visual Studio's package manager UI, when the project uses PackageReference for package management, it will show both direct and transitive packages. +Currently, this only happens when you manage packages for a project, not for the solution. + +If you mouse hover over a package in the package list, the tooltip will include the name of one direct package that has caused that transitive package to be included in the project. + +![Visual Studio Package Manager UI tooltip](media/pm-ui-transitive-tooltip-1.png) + +### Security vulnerabilities found with no updates + +In the case that a known vulnerability exists in a package without a security fix, you can do the following. + +- Check for any mitigating factors outlined in the advisory report. +- Use a suggested package if the package is marked deprecated or is abandoned. +- If the package is open source, consider contributing a fix. +- Open an issue in the package's issue tracker. + +#### Check for mitigating factors + +Review the security advisor for any mitigating factors that may allow you to continue using the package with the vulnerability. +The vulnerability may only exist when the code is used on a specific framework, operating system, or a special function is called. + +#### Use a suggested package + +In the case that a security advisory is reported for the package you're using and the package is marked deprecated or seems abandoned, consider using any suggested alternate package the package author has declared or a package comprising of similar functionality that is maintained. + +#### Contribute a fix + +If a fix does not exist for the security advisory, you may want to suggest changes that addresses the vulnerability in a pull request on package's open source repository or contact the author through the `Contact owners` section on the NuGet.org package detail page. + +#### Open an issue + +If you do not want to fix the vulnerability or are unable to update or replace the package, open an issue in the package's issue tracker or preferred contact method. +On NuGet.org, you can navigate to the package details page and click `Report package` which will guide you to get in contact with the author. + +### No security vulnerabilities found + +If no security vulnerabilities are found, this means that packages with known vulnerabilities were not found in your package graph at the present moment of time you checked. +Since the advisory database can be updated at any time, we recommend regularly checking your `dotnet restore` output and ensuring the same in your continuous integration process. + +## Running NuGet Audit in CI + +### Separating Errors from Warnings with a Dedicated Auditing Pipeline + +You can use MSBuild's conditional statements to configure a dedicated CI pipeline for running audits, without audit warnings being treated as errors in other pipelines or on local builds. +Depending on your CI system and team processes, you can have failed runs of the audit pipeline email the team, or you may have a dashboard where you can show a badge of the most recent run of the pipeline. + +Like many things in programming, there are multiple ways to achieve the outcome. +One option is to treat NuGet Audit warnings as errors only in an audit pipeline. + +```xml + + NU1900;NU1901;NU1902;NU1903;NU1904;NU1905 + $(WarningsAsErrors);$(NuGetAuditCodes) + $(WarningsNotAsErrors);$(NuGetAuditCodes) + +``` + +Then in your pipeline, you run restore specifying the property used by the condition. +For example, using GitHub Actions syntax: + +```yml +- name: Restore with NuGet Auditing + run: dotnet restore -p:AuditPipeline=true +``` + +The property name `AuditPipeline` is only an example, and you can customize it as you wish, as long as the name is the same in both the MSBuild condition and the command line. +MSBuild also uses environment variables when reading a property that has not yet been defined, so an environment variable is an alternative to the command line parameter. + +By using conditions to selectively cause NuGet Audit warnings to fail a restore, you can have a dedicated pipeline to check packages for known vulnerabilities, while preventing new security advisories from blocking your bug fixes at inconvenient times. +Keeping NuGet Audit warnings enabled for local builds allows developers to get a non-blocking notification about new security advisories and can encourage upgrading package versions to fix the vulnerabilities more quickly than waiting for someone to check the audit pipeline status. + +### Ensure restore audited projects + +NuGet in MSBuild 17.13 and .NET 9.0.200 added output properties `RestoreProjectCount`, `RestoreSkippedCount` and `RestoreProjectsAuditedCount` on the restore task. +This can be used to enforce that audit ran during a restore. +Note that these output properties are not available with [static graph restore](../reference/msbuild-targets.md#restoring-with-msbuild-static-graph-evaluation). + +Since MSBuild is a scripting language, this can be achieved a number of different ways, but also has the same restrictions as MSBuild has. +One example is to create a file *Directory.Solution.targets* in the same directory as your solution file, whose contents has a target similar to the following. +Note that *Directory.Build.props* is commonly used, but is imported by projects. +However, NuGet's restore target and task runs at the solution level, so needs to be in MSBuild's solution extensibility file, not the project/build file. + +```xml + + + + + +``` + +Depending on your use-case, you may wish to use condition `'$(RestoreProjectCount)' != '$([MSBuild::Add($(RestoreProjectsAuditedCount), $(RestoreSkippedCount))'` on the error message, to account for projects that restore skipped because they were already up to date. +Similarly, think about if you want this error to happen everywhere, or only in CI pipelines, and what environment variables are defined in your CI environment, and factor this into the target's condition. +Again, since MSBuild is a scripting language, you can use any of its capabilities to customize your repo however you want. +Viewing [MSBuild's metaproj](/visualstudio/msbuild/how-to-build-specific-targets-in-solutions-by-using-msbuild-exe#troubleshooting) and [binlogs](/visualstudio/msbuild/msbuild-command-line-reference#switches-for-loggers) are useful to develop and troubleshoot solution level targets. + +## `dotnet list package --vulnerable` + +[`dotnet list package`](/dotnet/core/tools/dotnet-list-package) has a `--vulnerable` argument to filter the packages based on which packages have known vulnerabilities. +Note that `--include-transitive` is not default, so should be included. diff --git a/docs/concepts/Dependency-Resolution.md b/docs/concepts/Dependency-Resolution.md index bdbd205e6..97f63ebae 100644 --- a/docs/concepts/Dependency-Resolution.md +++ b/docs/concepts/Dependency-Resolution.md @@ -4,7 +4,7 @@ description: Details on the process through which a NuGet package's dependencies author: JonDouglas ms.author: jodou ms.date: 08/14/2017 -ms.topic: conceptual +ms.topic: article --- # How NuGet resolves package dependencies @@ -57,15 +57,24 @@ When using a floating version, NuGet resolves the highest version of a package t ![Choosing version 6.0.1 when a floating version 6.0.* is requested](media/floating-versions-1.png) +| Version | Versions present on server | Resolution | Reason | Notes | +|----------|--------------|-------------|-------------|-------------| +| * | 1.1.0
1.1.1
1.2.0
1.3.0-alpha | 1.2.0 | The highest stable version. | +| 1.1.* | 1.1.0
1.1.1
1.1.2-alpha
1.2.0-alpha | 1.1.1 | The highest stable version that respects the specified pattern.| +| \*-\* | 1.1.0
1.1.1
1.1.2-alpha
1.3.0-beta | 1.3.0-beta | The highest version including the not stable versions. | Available in Visual Studio version 16.6, NuGet version 5.6, .NET Core SDK version 3.1.300 | +| 1.1.\*-\* | 1.1.0
1.1.1
1.1.2-alpha
1.1.2-beta
1.3.0-beta | 1.1.2-beta | The highest version respecting the pattern and including the not stable versions. | Available in Visual Studio version 16.6, NuGet version 5.6, .NET Core SDK version 3.1.300 | +| 1.2.0-rc.* | 1.1.0
1.2.0-rc.1
1.2.0-rc.2
1.2.0 | 1.2.0 | Despite this being a version range with a prerelease part, stables are allowed if they match the stable part. Given that 1.2.0 > 1.2.0-rc.2, it is chosen. | | + > [!Note] -> For information on the behavior of floating versions and pre-release versions, see [Package versioning](package-versioning.md#version-ranges). +> Floating version resolution does not take into account whether or not a package is listed. +> Floating version resolution will be resolved locally if the conditions can be satisfied with packages in the Global Package Folder. #### Direct dependency wins When the package graph for an application contains different versions of a package in the same subgraph, and one of those versions is a direct dependency in that subgraph, that version would be chosen for that subgraph and the rest will be ignored. This behavior allows an application to override any particular package version in the dependency graph. -In the example below, the application depends directly on Package B with a version constraint of >=2.0. The application also depends on Package A which in turn also depends on Package B, but with a >=1.0 constraint. Because the dependency on Package B 2.0 is direct dependency to the application in the graph, that version is used: +In the example below, the application depends directly on Package B with a version constraint of >=2.0.0. The application also depends on Package A which in turn also depends on Package B, but with a >=1.0.0 constraint. Because the dependency on Package B 2.0.0 is direct dependency to the application in the graph, that version is used: ![Application using the Direct dependency wins rule](media/direct-dependency-1.png) @@ -73,14 +82,14 @@ In the example below, the application depends directly on Package B with a versi > The Direct dependency wins rule can result in a downgrade of the package version, thus potentially breaking other dependencies in the graph. When a package is downgraded, NuGet adds a [warning to alert the user](..\reference\errors-and-warnings\NU1605.md). This rule also results in greater efficiency with a large dependency graph. -When a closer dependency in the same subgraph has a higher version than a further one, then NuGet ignores that dependency, NuGet also ignores all remaining dependencies on that branch of the graph. +When a closer dependency in the same subgraph has a higher version than a further one, then NuGet ignores that dependency, and NuGet also ignores all remaining dependencies on that branch of the graph. -In the diagram below, for example, because Package C 2.0 is used, NuGet ignores any branches in that subgraph that refer to an earlier version of Package C: +In the diagram below, for example, because Package C 2.0.0 is used, NuGet ignores any branches in that subgraph that refer to an earlier version of Package C: ![When NuGet ignores a package in the graph, it ignores that entire branch](media/direct-dependency-2.png) Through this rule, NuGet tries to honor the intent of the package author. -In the diagram below, the author of Package A has explicitly downgraded to Package C 1.0.0 from Package B 2.0.0. +In the diagram below, the author of Package A has explicitly downgraded to Package C 1.0.0 from Package C 2.0.0. ![When a package author explicitly downgrades, NuGet honors that.](media/direct-dependency-3.png) @@ -90,7 +99,7 @@ The application owner can choose to upgrade Package C to a version higher than 2 #### Cousin dependencies -When different package versions are referred in different subgraphs in the graph from the application, NuGet uses the lowest version that satisfies all version requirements (as with the [lowest applicable version](#lowest-applicable-version) and [floating versions](#floating-versions) rules). In the image below, for example, version 2.0 of Package B satisfies the other >=1.0 constraint, and is thus used: +When different package versions are referred in different subgraphs in the graph from the application, NuGet uses the lowest version that satisfies all version requirements (as with the [lowest applicable version](#lowest-applicable-version) and [floating versions](#floating-versions) rules). In the image below, for example, version 2.0.0 of Package B satisfies the other >=1.0.0 constraint, and is thus used: ![Resolving cousin dependencies using the lower version that satisfies all constraints](media/cousin-dependencies-1.png) @@ -98,12 +107,27 @@ Note that the packages do not need to be on the same distance for the cousin dep ![Resolving cousin dependencies using the lower version that satisfies all constraints at different distances](media/cousin-dependencies-2.png) -In some cases, it's not possible to meet all version requirements. As shown below, if Package A requires exactly Package B 1.0 and Package C requires Package B >=2.0, then NuGet cannot resolve the dependencies and gives an error. +In some cases, it's not possible to meet all version requirements. As shown below, if Package A requires exactly Package B 1.0.0 and Package C requires Package B >=2.0.0, then NuGet cannot resolve the dependencies and gives an error. ![Unresolvable dependencies due to an exact version requirement](media/cousin-dependencies-3.png) In these situations, the top-level consumer (the application or package) should add its own direct dependency on Package B so that the [Direct dependency wins](#direct-dependency-wins) rule applies. +### Version ranges and prerelease versions with PackageReference + +It is not unusual for a package to have both stable and prerelease versions available. +When resolving a dependency graph, NuGet decides whether to consider prerelease versions for a package based on a single rule: +`If the project or any packages within the graph request a prerelease version of a package, then include both prerelease or stable versions, otherwise consider stable versions only.` + +In practice, under the lowest applicable rule, this means: + +| Version Range | Available versions | Selected version | +|---------------|--------------------|------------------| +| [1.0.0, 2.0.0) | 1.2.0-beta.1, 1.2.0, | 1.2.0 | +| [1.0.0, 2.0.0-0) | 1.2.0-beta.1, 1.2.0, | 1.2.0-beta.1 | +| [1.0.0, 2.0.0) | 1.2.0-beta.1, 2.0.0-beta.3 | None, [NU1103](../reference/errors-and-warnings/NU1103.md) is raised. | +| [1.0.0, 2.0.0-rc) | 1.2.0-beta.1, 2.0.0-beta.3 | 1.2.0-beta.1 | + ## Dependency resolution with packages.config With `packages.config`, a project's dependencies are written to `packages.config` as a flat list. Any dependencies of those packages are also written in the same list. When packages are installed, NuGet might also modify the `.csproj` file, `app.config`, `web.config`, and other individual files. @@ -114,6 +138,11 @@ By default, NuGet 2.8 looks for the lowest patch version (see [NuGet 2.8 release The `packages.config` process for resolving dependencies gets complicated for larger dependency graphs. Each new package installation requires a traversal of the whole graph and raises the chance for version conflicts. When a conflict occurs, installation is stopped, leaving the project in an indeterminate state, especially with potential modifications to the project file itself. This is not an issue when using other package management formats. +### Version ranges and prerelease versions with packages.config + +packages.config resolution does not allow mixing of stable and pre-release dependency in a graph. +If a dependency is expressed with a range like `[1.0.0, 2.0.0)`, pre-release packages are not allowed in the graph. + ## Managing dependency assets When using the PackageReference format, you can control which assets from dependencies flow into the top-level project. For details, see [PackageReference](../consume-packages/package-references-in-project-files.md#controlling-dependency-assets). @@ -164,3 +193,5 @@ To resolve incompatibilities, do one of the following: - Retarget your project to a framework that is supported by the packages you want to use. - Contact the author of the packages and work with them to add support for your chosen framework. Each package listing page on [nuget.org](https://www.nuget.org/) has a **Contact Owners** link for this purpose. + +[!INCLUDE [nugetsolver-tool](../includes/nugetsolver-tool.md)] diff --git a/docs/concepts/MSBuild-props-and-targets.md b/docs/concepts/MSBuild-props-and-targets.md index 10e630270..1f40da97a 100644 --- a/docs/concepts/MSBuild-props-and-targets.md +++ b/docs/concepts/MSBuild-props-and-targets.md @@ -4,7 +4,7 @@ description: Describes MSBuild props and targets in NuGet packages author: nkolev92 ms.author: nikolev ms.date: 07/13/2022 -ms.topic: conceptual +ms.topic: article --- # MSBuild .props and .targets in a package diff --git a/docs/concepts/NuGet-MCP-Server.md b/docs/concepts/NuGet-MCP-Server.md new file mode 100644 index 000000000..ccbd97e63 --- /dev/null +++ b/docs/concepts/NuGet-MCP-Server.md @@ -0,0 +1,182 @@ +--- +title: Using the NuGet Model Context Protocol (MCP) Server +description: How to configure and use the NuGet Model Context Protocol (MCP) server. +author: jeffkl +ms.author: jeffkl +ms.topic: conceptual +ms.date: 10/01/2025 +--- + +# Using the NuGet Model Context Protocol (MCP) Server + +## Requirements + +To run the MCP server, you must have **[.NET 10 SDK or later](https://dotnet.microsoft.com/en-us/download/dotnet/10.0)** installed. +This version of .NET adds a command, `dnx`, which is used to download, install, and run the MCP server from [nuget.org](https://nuget.org). + +To verify your .NET version, run the following command in your terminal: +```bash +dotnet --info +``` + +## Getting started in Visual Studio 2026 + +In Visual Studio 2026, the NuGet MCP server is built-in but must be enabled once in order to use its functionality. + +To enable the NuGet MCP server, follow these steps: +1. Open Visual Studio 2026. +1. Open the GitHub Copilot Chat window and make sure you are signed in. +1. Click the tools icon in the bottom toolbar to bring up the Tools menu. +1. Find the MCP server named "nuget" and check the box to enable it. + +![GitHub Copilot Chat Tools window in Visual Studio 2026](./media/copilot-tools-menu.png) + +## Getting started in Visual Studio 2022 + +> [!NOTE] +> You must have Visual Studio 2022 17.14 or later in order to configure an MCP server. + +In Visual Studio 2022, you must manually add the NuGet MCP server to your configuration. +There are several configuration files that Visual Studio 2022 uses to define MCP servers. +See [Use MCP Servers](/visualstudio/ide/mcp-servers) for more information on which file to configure. + +Once you have identified the correct configuration file, add the following JSON snippet to your `mcp.json`: +```json +{ + "servers": { + "nuget": { + "type": "stdio", + "command": "dnx", + "args": [ "NuGet.Mcp.Server", "--source", "https://api.nuget.org/v3/index.json", "--yes" ] + } + } +} +``` + +This will configure Visual Studio 2022 to use the latest version of the NuGet MCP server from nuget.org. +To verify that the MCP server is working correctly, open the GitHub Copilot Chat window and make sure you are signed in. +Then click the Tools icon in the bottom toolbar to bring up the Tools menu. +You should see the MCP server named "nuget" in the list of available servers. + +![GitHub Copilot Chat Tools window in Visual Studio 2022](./media/copilot-tools-menu-2022.png) + +## Getting started in VS Code + +To configure the NuGet MCP server in VS Code click the appropriate button below and it will be set up. + +[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install_Server-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)]( +https://vscode.dev/redirect/mcp/install?name=NuGet&config=%7B%22name%22%3A%22NuGet.Mcp.Server%22%2C%22command%22%3A%22dnx%22%2C%22args%22%3A%5B%22NuGet.Mcp.Server%22%2C%22https%3A%2F%2Fapi.nuget.org%2Fv3%2Findex.json%22%2Cnull%2Cnull%5D%7D) [![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install_Server-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://vscode.dev/redirect/mcp/install?name=NuGet&config=%7B%22name%22%3A%22NuGet.Mcp.Server%22%2C%22command%22%3A%22dnx%22%2C%22args%22%3A%5B%22NuGet.Mcp.Server%22%2C%22https%3A%2F%2Fapi.nuget.org%2Fv3%2Findex.json%22%2Cnull%2Cnull%5D%7D&quality=insiders) + +> ![GitHub Copilot Chat Tools window in VS Code](./media/copilot-tools-menu-vs-code.png) + +To verify that the MCP server is working correctly, open the GitHub Copilot Chat window and make sure you are signed in. +Then click the Tools icon in the bottom toolbar to bring up the Tools menu. +You should see the MCP server named "nuget" in the list of available servers. + +## Getting started in GitHub Copilot Agent + +You can also configure the MCP Server to work with GitHub Copilot as a Coding Agent in your repositories. +Ensure that you configured your repository to use [GitHub Copilot Coding Agents](https://github.com/settings/copilot/coding_agent). + +Browse to your repository and click the Settings tab. +Expand the Copilot section and click on Coding Agents. + +![GitHub Copilot coding agent settings](./media/github-copilot-agent-settings.png) + +Scroll down to the **Model Context Protocol (MCP)** section and add the following JSON snippet to your `mcpServers` configuration: + +```json +{ + "mcpServers": { + "NuGet": { + "type": "local", + "command": "dnx", + "args": ["NuGet.Mcp.Server", "--yes"], + "tools": ["*"], + "env": {} + } + } +} +``` + +This will make all of NuGet's MCP server tools available. If you want specific tools, you can list them in the `"tools"` parameter array. + +Finally, click the **Save MCP configuration** button to save your changes. + +Now that the NuGet MCP is configured, you will also need to create a GitHub Actions workflow to install .NET 10 Preview 6 or higher so that the `dnx` command is available to run the MCP server. +You can do this by creating the following workflow file in your repository at + +`.github/workflows/copilot-setup-steps.yml` + +The contents of this workflow file should be as follows: + +```yml +name: "Copilot Setup Steps" + +# Automatically run the setup steps when they are changed to allow for easy validation, and +# allow manual testing through the repository's "Actions" tab +on: + workflow_dispatch: + push: + paths: + - .github/workflows/copilot-setup-steps.yml + pull_request: + paths: + - .github/workflows/copilot-setup-steps.yml + +jobs: + # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot. + copilot-setup-steps: + runs-on: ubuntu-latest + + # Set the permissions to the lowest permissions possible needed for your steps. + # Copilot will be given its own token for its operations. + permissions: + # If you want to clone the repository as part of your setup steps, for example to install dependencies, you'll need the `contents: read` permission. If you don't clone the repository in your setup steps, Copilot will do this for you automatically after the steps complete. + contents: read + + # You can define any steps you want, and they will run before the agent starts. + # If you do not check out your code, Copilot will do this for you. + steps: + - name: Install .NET 10.x + uses: actions/setup-dotnet@v5 + with: + dotnet-version: | + 10.x + dotnet-quality: preview + + - name: dotnet --info + run: dotnet --info +``` + +This will ensure that the `dnx` command is available to run the NuGet MCP server when GitHub Copilot runs as a coding agent in your repository. + +## Fixing package vulnerabilities + +The NuGet MCP server can help you identify and fix package vulnerabilities in your project. +To use the MCP server to fix vulnerabilities, enter the following prompt in the GitHub Copilot Chat window: + +> Fix my package vulnerabilities + +The MCP server will analyze your project's dependencies and suggest updates to packages that have known vulnerabilities. + +## Updating all packages + +The NuGet MCP server can also update your packages to the latest compatible versions. +To use the MCP server to update all packages, enter the following prompt in the GitHub Copilot Chat window: + +> Update all my packages to the latest compatible versions + +The MCP server will analyze your project's target framework(s) and suggest updates to the latest version of packages that are compatible with your project. + +## Update a package to a specific version + +The NuGet MCP server can update a specific package to a version you specify. +To do so, enter the following prompt in the GitHub Copilot Chat window: + +> Update the package [PackageName] to version [VersionNumber] + +## Support + +If you experience an issue with the NuGet MCP server or have any other feedback, please open an issue on the [NuGet GitHub repository](https://github.com/NuGet/Home/issues/new?template=MCPSERVER.yml). +Please provide the requested information in the issue template so that we can better understand and address your issue or suggestion. \ No newline at end of file diff --git a/docs/concepts/Package-Versioning.md b/docs/concepts/Package-Versioning.md index 6ea4acc83..eb29a1da6 100644 --- a/docs/concepts/Package-Versioning.md +++ b/docs/concepts/Package-Versioning.md @@ -14,11 +14,15 @@ A specific package is always referred to using its package identifier and an exa When creating a package, you assign a specific version number with an optional pre-release text suffix. When consuming packages, on the other hand, you can specify either an exact version number or a range of acceptable versions. +The following document follows the [Semantic Versioning 2.0.0](https://semver.org/spec/v2.0.0.html) standard, supported by NuGet 4.3.0+ and Visual Studio 2017 version 15.3+. +Certain [semantics of SemVer v2.0.0](#semantic-versioning-200) are not supported in older clients. + In this topic: - [Version basics](#version-basics) including pre-release suffixes. - [Version ranges](#version-ranges) - [Normalized version numbers](#normalized-version-numbers) +- [Semantic Versioning 2.0.0](#semantic-versioning-200) ## Version basics @@ -27,7 +31,7 @@ A specific version number is in the form *Major.Minor.Patch[-Suffix]*, where the - *Major*: Breaking changes - *Minor*: New features, but backwards compatible - *Patch*: Backwards compatible bug fixes only -- *-Suffix* (optional): a hyphen followed by a string denoting a pre-release version (following the [Semantic Versioning or SemVer 1.0 convention](https://semver.org/spec/v1.0.0.html)). +- *-Suffix* (optional): a hyphen followed by a string denoting a pre-release version (following the [Semantic Versioning or SemVer](https://semver.org/) convention). **Examples:** @@ -35,7 +39,7 @@ A specific version number is in the form *Major.Minor.Patch[-Suffix]*, where the 1.0.1 6.11.1231 4.3.1-rc -2.2.44-beta1 +2.2.44-beta.1 ``` > [!Important] @@ -51,51 +55,49 @@ That said, package developers generally follow recognized naming conventions: - `-beta`: Beta release, typically one that is feature complete for the next planned release, but may contain known bugs. - `-rc`: Release candidate, typically a release that's potentially final (stable) unless significant bugs emerge. +When ordering versions by precedence, NuGet follows the SemVer standard and chooses a version without a suffix first, then applies precedence to pre-release versions in reverse alphabetical order and treats dot notation numbers with numerical order. + > [!Note] -> NuGet 4.3.0+ supports [SemVer 2.0.0](https://semver.org/spec/v2.0.0.html), which supports pre-release numbers with dot notation, as in *1.0.1-build.23*. Dot notation is not supported with NuGet versions before 4.3.0. You can use a form like *1.0.1-build23*. +> Prerelease numbers with dot notation, as in *1.0.1-build.23*, are considered part of the [SemVer 2.0.0](https://semver.org/spec/v2.0.0.html) standard, and as such are [only supported with NuGet 4.3.0+](#semantic-versioning-200). -When resolving package references and multiple package versions differ only by suffix, NuGet chooses a version without a suffix first, then applies precedence to pre-release versions in reverse alphabetical order. For example, the following versions would be chosen in the exact order shown: +### [SemVer 2.0 sorting](#tab/semver20sort) ``` 1.0.1 1.0.1-zzz -1.0.1-rc +1.0.1-rc.10 +1.0.1-rc.2 1.0.1-open 1.0.1-beta 1.0.1-alpha2 -1.0.1-alpha +1.0.1-alpha10 1.0.1-aaa ``` -## Semantic Versioning 2.0.0 - -With NuGet 4.3.0+ and Visual Studio 2017 version 15.3+, NuGet supports [Semantic Versioning 2.0.0](https://semver.org/spec/v2.0.0.html). - -Certain semantics of SemVer v2.0.0 are not supported in older clients. NuGet considers a package version to be SemVer v2.0.0 specific if either of the following statements is true: - -- The pre-release label is dot-separated, for example, *1.0.0-alpha.1* -- The version has build-metadata, for example, *1.0.0+githash* - -For nuget.org, a package is defined as a SemVer v2.0.0 package if either of the following statements is true: +Note that 1.0.1-alpha10 is sorted strictly in reverse alphabetical order, whereas 1.0.1-rc.10 is greater precedence than 1.0.1-rc.2. -- The package's own version is SemVer v2.0.0 compliant but not SemVer v1.0.0 compliant, as defined above. -- Any of the package's dependency version ranges has a minimum or maximum version that is SemVer v2.0.0 compliant but not SemVer v1.0.0 compliant, defined above; for example, *[1.0.0-alpha.1, )*. +### [SemVer 1.0 sorting](#tab/semver10sort) -If you upload a SemVer v2.0.0-specific package to nuget.org, the package is invisible to older clients and available to only the following NuGet clients: +``` +1.0.1 +1.0.1-zzz +1.0.1-open +1.0.1-beta05 +1.0.1-beta02 +1.0.1-beta +1.0.1-alpha2 +1.0.1-alpha10 +1.0.1-aaa +``` -- NuGet 4.3.0+ -- Visual Studio 2017 version 15.3+ -- Visual Studio 2015 with [NuGet VSIX v3.6.0](https://dist.nuget.org/visualstudio-2015-vsix/latest/NuGet.Tools.vsix) -- dotnet - - dotnetcore.exe (.NET SDK 2.0.0+) +Note that versions such as `1.0.1-rc.10` and `1.0.1-rc.2` are not parsable by older versions of the client, and such packages with those versions won't be available for download with those clients. -Third-party clients: +If you use numerical suffixes with pre-release tags that might use double-digit numbers (or more), use leading zeroes as in beta01 and beta05 to ensure that they sort correctly when the numbers get larger. +This recommendation only applies this schema. -- JetBrains Rider -- Paket version 5.0+ +Despite the ordering shown above, NuGet does not always consider both stable & prerelease packages during dependency resolution. Those rules are detailed in [Dependency Resolution](./Dependency-Resolution.md). - - +--- ## Version ranges @@ -104,6 +106,7 @@ When referring to package dependencies, NuGet supports using interval notation f | Notation | Applied rule | Description | |----------|--------------|-------------| | 1.0 | x ≥ 1.0 | Minimum version, inclusive | +| [1.0,) | x ≥ 1.0 | Minimum version, inclusive | | (1.0,) | x > 1.0 | Minimum version, exclusive | | [1.0] | x == 1.0 | Exact version match | | (,1.0] | x ≤ 1.0 | Maximum version, inclusive | @@ -113,14 +116,10 @@ When referring to package dependencies, NuGet supports using interval notation f | [1.0,2.0) | 1.0 ≤ x < 2.0 | Mixed inclusive minimum and exclusive maximum version | | (1.0) | invalid | invalid | -When using the PackageReference format, NuGet also supports using a floating notation, \*, for Major, Minor, Patch, and pre-release suffix parts of the number. Floating versions are not supported with the `packages.config` format. When a floating version is specified, the rule is to resolve to the highest existent version that matches the version description. Examples of floating versions and the resolutions are below. - -> [!Note] -> Version ranges in PackageReference include pre-release versions. By design, floating versions do not resolve prerelease versions unless opted into. For the status of the related feature request, see [issue 6434](https://github.com/NuGet/Home/issues/6434#issuecomment-358782297). +### Best Practice -### Examples - -Always specify a version or version range for package dependencies in project files, `packages.config` files, and `.nuspec` files. Without a version or version range, NuGet 2.8.x and earlier chooses the latest available package version when resolving a dependency, whereas NuGet 3.x and later chooses the lowest package version. Specifying a version or version range avoids this uncertainty. +Always specify a version or version range for package dependencies in project files, `packages.config` files, and `.nuspec` files. Without a version or version range, when resolving a dependency, consistent restore results are not guaranteed. +Avoid specifying an upper bound to version ranges to packages you don't own unless you know of a compatibility problem. Upper bounds to version ranges harm adoption, discourage consumers from getting valuable updates to dependencies, and in some cases may lead them to use unsupported versions of dependencies. #### References in project files (PackageReference) @@ -133,6 +132,9 @@ Always specify a version or version range for package dependencies in project fi Will resolve to the highest acceptable stable version.--> + + + @@ -154,19 +156,6 @@ Always specify a version or version range for package dependencies in project fi ``` -#### Floating version resolutions - -| Version | Versions present on server | Resolution | Reason | Notes | -|----------|--------------|-------------|-------------|-------------| -| * | 1.1.0
1.1.1
1.2.0
1.3.0-alpha | 1.2.0 | The highest stable version. | -| 1.1.* | 1.1.0
1.1.1
1.1.2-alpha
1.2.0-alpha | 1.1.1 | The highest stable version that respects the specified pattern.| -| \*-\* | 1.1.0
1.1.1
1.1.2-alpha
1.3.0-beta | 1.3.0-beta | The highest version including the not stable versions. | Available in Visual Studio version 16.6, NuGet version 5.6, .NET Core SDK version 3.1.300 | -| 1.1.\*-\* | 1.1.0
1.1.1
1.1.2-alpha
1.1.2-beta
1.3.0-beta | 1.1.2-beta | The highest version respecting the pattern and including the not stable versions. | Available in Visual Studio version 16.6, NuGet version 5.6, .NET Core SDK version 3.1.300 | - -> [!Note] -> Floating version resolution does not take into account whether or not a package is listed. -> Floating version resolution will be resolved locally if the conditions can be satisfied with packages in the Global Package Folder. - **References in `packages.config`:** In `packages.config`, every dependency is listed with an exact `version` attribute that's used when restoring packages. The `allowedVersions` attribute is used only during update operations to constrain the versions to which the package might be updated. @@ -225,7 +214,7 @@ The `version` attribute in a `` element describes the range versions ## Normalized version numbers > [!Note] -> This is a breaking change for NuGet 3.4 and later. +> This is a breaking change for NuGet 3.4+. When obtaining packages from a repository during install, reinstall, or restore operations, NuGet 3.4+ treats version numbers as follows: @@ -245,12 +234,40 @@ When obtaining packages from a repository during install, reinstall, or restore However, NuGet package repositories must treat these values in the same way as NuGet to prevent package version duplication. Thus a repository that contains version *1.0* of a package should not also host version *1.0.0* as a separate and different package. +## Semantic Versioning 2.0.0 + +Certain semantics of SemVer v2.0.0 are not supported in older clients. +NuGet considers a package version to be SemVer v2.0.0 specific if either of the following statements is true: + +- The pre-release label is dot-separated, for example, *1.0.0-alpha.1* +- The version has build-metadata, for example, *1.0.0+githash* + +For nuget.org, a package is defined as a SemVer v2.0.0 package if either of the following statements is true: + +- The package's own version is SemVer v2.0.0 compliant but not SemVer v1.0.0 compliant, as defined above. +- Any of the package's dependency version ranges has a minimum or maximum version that is SemVer v2.0.0 compliant but not SemVer v1.0.0 compliant, defined above; for example, *[1.0.0-alpha.1, )*. + +If you upload a SemVer v2.0.0-specific package to nuget.org, the package is invisible to older clients and available to only the following NuGet clients: + +- NuGet 4.3.0+ +- Visual Studio 2017 version 15.3+ +- Visual Studio 2015 with [NuGet VSIX v3.6.0](https://dist.nuget.org/visualstudio-2015-vsix/latest/NuGet.Tools.vsix) +- .NET SDK 2.0.0+ + +Third-party clients: + +- JetBrains Rider +- Paket version 5.0+ + + + + ## Where NuGetVersion diverges from Semantic Versioning If you want to programatically use NuGet package versions, it is strongly recommended to use [the package NuGet.Versioning](https://www.nuget.org/packages/NuGet.Versioning). The static method `NuGetVersion.Parse(string)` can be used to parse the version strings, and `VersionComparer` can be used to sort `NuGetVersion` instances. If you are implementing NuGet functionality in a language that does not run on .NET, here are the known list of differences between `NuGetVersion` and Semantic Versioning, and the reasons why an existing Semantic Versioning library might not work for packages already published on nuget.org. -1. `NuGetVersion` supports a 4th version segment, `Revision`, to be compatible with, or a superset of, [`System.Version`](/dotnet/api/system.version). Therefore, excluding prerelease and metadata labels, a version string is `Major.Minor.Patch.Revision`. As per version normalization described above, if `Revision` is zero, it is omit from the normalized version string. +1. `NuGetVersion` supports a 4th version segment, `Revision`, to be compatible with, or a superset of, [`System.Version`](/dotnet/api/system.version). Therefore, excluding prerelease and metadata labels, a version string is `Major.Minor.Patch.Revision`. As per version normalization described above, if `Revision` is zero, it is omitted from the normalized version string. 2. `NuGetVersion` only requires the major segment to be defined. All others are optional, and are equivalent to zero. This means that `1`, `1.0`, `1.0.0`, and `1.0.0.0` are all accepted and equal. 3. `NuGetVersion` uses case insensitive string comparisons for pre-release components. This means that `1.0.0-alpha` and `1.0.0-Alpha` are equal. diff --git a/docs/concepts/Security-Best-Practices.md b/docs/concepts/Security-Best-Practices.md index 32fa1f076..d28f60fb0 100644 --- a/docs/concepts/Security-Best-Practices.md +++ b/docs/concepts/Security-Best-Practices.md @@ -3,21 +3,26 @@ title: Best practices for a secure software supply chain description: Best practices for securing your software supply chain using NuGet & GitHub. author: JonDouglas ms.author: jodou -ms.date: 02/08/2021 -ms.topic: conceptual +ms.topic: best-practice --- # Best practices for a secure software supply chain -Open Source is everywhere. It is in many proprietary codebases and community projects. For organizations and individuals, the question today is not whether you are or are not using open-source code, but what open-source code you are using, and how much. +Open Source is everywhere. +It is in many proprietary codebases and community projects. +For organizations and individuals, the question today is not whether you are or are not using open-source code, but what open-source code you are using, and how much. -If you're not aware of what is in your software supply chain, an upstream vulnerability in one of your dependencies can be fatal, making you, and your customers, vulnerable to a potential compromise. In this document, we will dive deeper into what the term “software supply chain” means, why it matters, and how you can help secure your project’s supply chain with best practices. +If you're not aware of what is in your software supply chain, an upstream vulnerability in one of your dependencies can be fatal, making you, and your customers, vulnerable to a potential compromise. +In this document, we will dive deeper into what the term “software supply chain” means, why it matters, and how you can help secure your project’s supply chain with best practices. ![The State of the Octoverse 2020 - Open Source](media/opensource-percent.png) -## Dependencies +## Dependencies -The term software supply chain is used to refer to everything that goes into your software and where it comes from. It is the dependencies and properties of your dependencies that your software supply chain depends on. A dependency is what your software needs to run. It can be code, binaries, or other components, and where they come from, such as a repository or package manager. +The term software supply chain is used to refer to everything that goes into your software and where it comes from. +It is the dependencies and properties of your dependencies that your software supply chain depends on. +A dependency is what your software needs to run. +It can be code, binaries, or other components, and where they come from, such as a repository or package manager. It includes who wrote the code, when it was contributed, how it was reviewed for security issues, known vulnerabilities, supported versions, license information, and just about anything that touches it at any point of the process. @@ -25,21 +30,33 @@ Your supply chain also encompasses other parts of your stack beyond a single app ## Vulnerabilities -Today, software dependencies are pervasive. It is quite common for your projects to use hundreds of open-source dependencies for functionality that you did not have to write yourself. This may mean that most of your application consists of code that you did not author. +Today, software dependencies are pervasive. +It is quite common for your projects to use hundreds of open-source dependencies for functionality that you did not have to write yourself. +This may mean that most of your application consists of code that you did not author. ![The State of the Octoverse 2020 - Dependencies](media/dependencies.png) Possible vulnerabilities in your third-party or open-source dependencies, are presumably dependencies you cannot control as tightly as the code you write, which can create potential security risks in your supply chain. -If one of these dependencies has a vulnerability, the chances are you have a vulnerability as well. This can be scary as one of your dependencies may change without you even knowing. Even if a vulnerability exists in a dependency today, but is not exploitable, it can be exploitable in the future. +If one of these dependencies has a vulnerability, the chances are you have a vulnerability as well. +This can be scary as one of your dependencies may change without you even knowing. +Even if a vulnerability exists in a dependency today, but is not exploitable, it can be exploitable in the future. -Being able to leverage the work of thousands of open-source developers and library authors means that thousands of strangers can effectively contribute directly to your production code. Your product, through your software supply chain, is affected by unpatched vulnerabilities, innocent mistakes, or even malicious attacks against dependencies. +Being able to leverage the work of thousands of open-source developers and library authors means that thousands of strangers can effectively contribute directly to your production code. +Your product, through your software supply chain, is affected by unpatched vulnerabilities, innocent mistakes, or even malicious attacks against dependencies. ## Supply chain compromises -The traditional definition of a supply chain comes from manufacturing; it is the chain of processes required to make and supply something. It includes planning, supply of materials, manufacturing, and retail. A software supply chain is similar, except instead of materials, it is code. Instead of manufacturing, it is development. Instead of digging ore from the ground, code is sourced from suppliers, commercial or open source, and, in general, the open-source code comes from repositories. Adding code from a repository means your product takes a dependency on that code. +The traditional definition of a supply chain comes from manufacturing; it is the chain of processes required to make and supply something. +It includes planning, supply of materials, manufacturing, and retail. +A software supply chain is similar, except instead of materials, it is code. +Instead of manufacturing, it is development. +Instead of digging ore from the ground, code is sourced from suppliers, commercial or open source, and, in general, the open-source code comes from repositories. +Adding code from a repository means your product takes a dependency on that code. -One example of a software supply chain attack occurs when malicious code is purposefully added to a dependency, using the supply chain of that dependency to distribute the code to its victims. Supply chain attacks are real. There are many methods to attack a supply chain, from directly inserting malicious code as a new contributor, to taking over a contributor’s account without others noticing, or even compromising a signing key to distribute software that is not officially part of the dependency. +One example of a software supply chain attack occurs when malicious code is purposefully added to a dependency, using the supply chain of that dependency to distribute the code to its victims. +Supply chain attacks are real. +There are many methods to attack a supply chain, from directly inserting malicious code as a new contributor, to taking over a contributor’s account without others noticing, or even compromising a signing key to distribute software that is not officially part of the dependency. A software supply chain attack is in and of itself rarely the end goal, rather it is the beginning of an opportunity for an attacker to insert malware or provide a backdoor for future access. @@ -47,18 +64,35 @@ A software supply chain attack is in and of itself rarely the end goal, rather i ## Unpatched software -The use of open source today is significant and is not expected to slow down anytime soon. Given that we are not going to stop using open-source software, the threat to supply chain security is unpatched software. Knowing that, how can you address the risk that a dependency of your project has a vulnerability? +The use of open source today is significant and is not expected to slow down anytime soon. +Given that we are not going to stop using open-source software, the threat to supply chain security is unpatched software. +Knowing that, how can you address the risk that a dependency of your project has a vulnerability? - **Knowing what is in your environment.** This requires discovering your dependencies and any transitive dependencies to understand the risks of those dependencies such as vulnerabilities or licensing restrictions. -- **Manage your dependencies.** When a new security vulnerability is discovered, you must determine whether you are impacted, and if so, update to the latest version and security patch available. This is especially important to review changes that introduce new dependencies or regularly auditing older dependencies. -- **Monitor your supply chain.** This is by auditing the controls you have in place to manage your dependencies. This will help you enforce more restrictive conditions to be met for your dependencies. +- **Manage your dependencies.** When a new security vulnerability is discovered, you must determine whether you are impacted, and if so, update to the latest version and security patch available. + This is especially important to review changes that introduce new dependencies or regularly auditing older dependencies. +- **Monitor your supply chain.** This is by auditing the controls you have in place to manage your dependencies. + This will help you enforce more restrictive conditions to be met for your dependencies. ![The State of the Octoverse 2020 - Advisories](media/advisories.png) -We will cover various tools and techniques that NuGet and GitHub provides, which you can use today to address potential risks inside your project. +We will cover various tools and techniques that NuGet and GitHub provides, which you can use today to address potential risks inside your project. ## Knowing what is in your environment +### Packages with known vulnerabilities + +**📦 Package Consumer | 📦🖊 Package Author** + +.NET 8 and Visual Studio 17.8 added [NuGetAudit](Auditing-Packages.md), which will warn about direct packages with known vulnerabilities during restore. +.NET 9 and Visual Studio 17.12 changed the default to warn about transitive packages as well. + +NuGetAudit requires a source to provide a known vulnerabilities database, so if you're not using nuget.org as a package source, you should add it as an [audit source](Auditing-Packages.md#audit-sources). + +By the time that NuGet is warning you, the vulnerability is publicly known. +Attackers can use this public disclosure to develop attacks for targets who have not patched their applications. +Therefore, when you get a warning that a package your project is using has a known vulnerability, you should quickly take action. + ### NuGet dependency graph **📦 Package Consumer** @@ -67,20 +101,22 @@ You can view your NuGet dependencies in your project by looking directly at the This is typically found in one of two places: -- [`packages.config`](../reference/packages-config.md) – Located in the project root. -- [``](../consume-packages/package-references-in-project-files.md) – Located in the project file. +- [`packages.config`](../reference/packages-config.md) – Located in the project root. +- [``](../consume-packages/package-references-in-project-files.md) – Located in the project file. Depending on what method you use to manage your NuGet dependencies, you can also use Visual Studio to view your dependencies directly in [Solution Explorer](/visualstudio/ide/solutions-and-projects-in-visual-studio#solution-explorer) or [NuGet Package Manager](../consume-packages/install-use-packages-visual-studio.md). -For CLI environments, you can use the [`dotnet list package`](/dotnet/core/tools/dotnet-list-package) command to list out your project or solution’s dependencies. +For CLI environments, you can use the [`dotnet list package` command](/dotnet/core/tools/dotnet-list-package) to list out your project or solution’s dependencies. +You can also use the [`dotnet nuget why` command](/dotnet/core/tools/dotnet-nuget-why) to understand why transitive packages (those not directly referenced by your project) are being included in your project's package graph. For more information on managing NuGet dependencies, [see the following documentation](../consume-packages/overview-and-workflow.md). -### GitHub dependency graph +### GitHub dependency graph **📦 Package Consumer | 📦🖊 Package Author** -You can use GitHub’s dependency graph to see the packages your project depends on and the repositories that depend on it. This can help you see any vulnerabilities detected in its dependencies. +You can use GitHub’s dependency graph to see the packages your project depends on and the repositories that depend on it. +This can help you see any vulnerabilities detected in its dependencies. For more information on GitHub repository dependencies, [see the following documentation](https://github.co/dependency-graph). @@ -88,12 +124,14 @@ For more information on GitHub repository dependencies, [see the following docum **📦 Package Consumer | 📦🖊 Package Author** -To ensure a secure supply chain of dependencies, you will want to ensure that all of your dependencies & tooling are regularly updated to the latest stable version as they will often include the latest functionality and security patches to known vulnerabilities. Your dependencies can include code you depend on, binaries you consume, tooling you use, and other components. This may include: +To ensure a secure supply chain of dependencies, you will want to ensure that all of your dependencies & tooling are regularly updated to the latest stable version as they will often include the latest functionality and security patches to known vulnerabilities. +Your dependencies can include code you depend on, binaries you consume, tooling you use, and other components. +This may include: -- [Visual Studio](https://visualstudio.microsoft.com/downloads/) -- [.NET SDK & Runtime](https://dotnet.microsoft.com/download) -- [NuGet](https://www.nuget.org/downloads) -- [NuGet packages](../consume-packages/reinstalling-and-updating-packages.md) +- [Visual Studio](https://visualstudio.microsoft.com/downloads/) +- [.NET SDK & Runtime](https://dotnet.microsoft.com/download) +- [NuGet](https://www.nuget.org/downloads) +- [NuGet packages](../consume-packages/reinstalling-and-updating-packages.md) ## Manage your dependencies @@ -101,31 +139,61 @@ To ensure a secure supply chain of dependencies, you will want to ensure that al **📦 Package Consumer | 📦🖊 Package Author** -You can use the [dotnet CLI](/dotnet/core/tools/dotnet-list-package) to list any known deprecated or vulnerable dependencies you may have inside your project or solution. You can use the command `dotnet list package --deprecated` or `dotnet list package --vulnerable` to provide you a list of any known deprecations or vulnerabilities. +You can use the [dotnet CLI](/dotnet/core/tools/dotnet-list-package) to list any known deprecated or vulnerable dependencies you may have inside your project or solution. +You can use the command `dotnet list package --deprecated` or `dotnet list package --vulnerable` to provide you a list of any known deprecations or vulnerabilities. +[NuGetAudit](Auditing-Packages.md) can warn you about known vulnerable dependencies, and is enabled by default when [a source provides a vulnerabilities database](Auditing-Packages.md#audit-sources). ### GitHub vulnerable dependencies **📦 Package Consumer | 📦🖊 Package Author** -If your project is hosted on GitHub, you can leverage [GitHub Security](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/automatically-scanning-your-code-for-vulnerabilities-and-errors) to find security vulnerabilities and errors in your project and Dependabot will fix them by opening up a pull request against your codebase. +If your project is hosted on GitHub, you can leverage [GitHub Security](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/automatically-scanning-your-code-for-vulnerabilities-and-errors) to find security vulnerabilities and errors in your project and Dependabot will fix them by opening up a pull request against your codebase. -Catching vulnerable dependencies before they are introduced is one goal of the [“Shift Left”](https://en.wikipedia.org/wiki/Shift-left_testing) movement. Being able to have information about your dependencies such as their license, transitive dependencies, and the age of dependencies helps you do just that. +Catching vulnerable dependencies before they are introduced is one goal of the [“Shift Left”](https://en.wikipedia.org/wiki/Shift-left_testing) movement. +Being able to have information about your dependencies such as their license, transitive dependencies, and the age of dependencies helps you do just that. For more information about Dependabot alerts & security updates, [see the following documentation](https://docs.github.com/en/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies). +## NuGet Configuration + +**📦 Package Consumer** + +Add a `nuget.config` file in the root of your project repository. This is considered a best practice as it promotes repeatability and ensures that different users have the same NuGet configuration. +We recommend adding `clear` elements to ensure no user or machine specific configuration is applied. [Read more about how settings are applied](../consume-packages/configuring-nuget-behavior.md#how-settings-are-applied). + +For example: + +```xml + + + + + + + + + +``` + ### NuGet feeds **📦 Package Consumer** -When using multiple public & private NuGet source feeds, a package can be downloaded from any of the feeds. To ensure your build is predictable and secure from known attacks such as [Dependency Confusion](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610), knowing what specific feed(s) your packages are coming from is a best practice. You can use a single feed or private feed with upstreaming capabilities for protection. +Use package sources that you trust. +When using multiple public & private NuGet source feeds, a package can be downloaded from any of the feeds. +To ensure your build is predictable and secure from known attacks such as [Dependency Confusion](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610), knowing what specific feed(s) your packages are coming from is a best practice. +You can use a single feed or private feed with upstreaming capabilities for protection. + +For more information to secure your package feeds, see [3 Ways to Mitigate Risk When Using Private Package Feeds](https://azure.microsoft.com/resources/3-ways-to-mitigate-risk-using-private-package-feeds/en-us/). -For more information to secure your package feeds, see [3 Ways to Mitigate Risk When Using Private Package Feeds](https://azure.microsoft.com/resources/3-ways-to-mitigate-risk-using-private-package-feeds/). +When using a private feed, refer to the [security best practices for managing credentials](../consume-packages/consuming-packages-authenticated-feeds.md#security-best-practices-for-managing-credentials). ### Client trust policies **📦 Package Consumer** -There are policies that you can opt-into in which you require the packages you use to be signed. This allows you to trust a package author, as long as it is author signed, or trust a package if it is owned by a specific user or account that is repository signed by NuGet.org. +There are policies that you can opt-into in which you require the packages you use to be signed. +This allows you to trust a package author, as long as it is author signed, or trust a package if it is owned by a specific user or account that is repository signed by NuGet.org. To configure client trust policies, [see the following documentation](../consume-packages/installing-signed-packages.md). @@ -133,7 +201,8 @@ To configure client trust policies, [see the following documentation](../consume **📦 Package Consumer** -Lock files store the hash of your package’s content. If the content hash of a package you want to install matches with the lock file, it will ensure package repeatability. +Lock files store the hash of your package’s content. +If the content hash of a package you want to install matches with the lock file, it will ensure package repeatability. To enable lock files, [see the following documentation](../consume-packages/package-references-in-project-files.md#locking-dependencies). @@ -145,13 +214,54 @@ Package Source Mapping allows you to centrally declare which source each package To enable package source mapping, [see the following documentation](../consume-packages/package-source-mapping.md). +## Secure computers + +### Directory permissions + +**📦 Package Consumer** + +On Windows and Mac, and some Linux distributions, user account home directories are private by default. +However, some Linux distributions make user directories readable by other accounts on the same computer by default. +Additionally, there are [multiple configuration options to redirect NuGet's global packages folder and HTTP cache to non-default locations](../consume-packages/managing-the-global-packages-and-cache-folders.md). +Solutions, projects, and repositories might also be created outside of the user's home directory. + +If you use any packages that are not on nuget.org, then if any other account on the computer can read NuGet's global packages or HTTP cache directories, or the project's build output directory, then these packages might be disclosed to people who should not have access to those packages. + +On Linux, `dotnet nuget update source` will change *nuget.config* file permissions to make it only readable by the file owner. +However, if you edit the *nuget.config* file in any other way, and the file is in a location that other accounts can read the file, there might be information disclosure about package source URL or package source credentials. +You should ensure any nuget.config file cannot be read by other users of the same computer. + +### Solutions within the downloads directory + +**📦 Package Consumer** + +Extra care should be taken if working on solutions or projects in your downloads directory. +NuGet will [accumulate settings from multiple config files](../consume-packages/configuring-nuget-behavior.md), and MSBuild will typically import *Directory.Build.props*, *Directory.NuGet.props*, *Directory.Build.targets*, and potentially other files, from any parent directory, right up to the filesystem root. + +The downloads folder has additional risk, since it's usually the default location that web browsers will download files from the internet + +### Build Agents + +**📦 Package Consumer** + +Build agents (CI agents) that are not reset to an initial state after every build have multiple risks that must be considered. + +To learn about secure ways to manage credentials, [see the docs on consuming packages from authenticated feeds](../consume-packages/consuming-packages-authenticated-feeds.md). + +To learn about modifying the directories that NuGet stores data in, see [the docs on managing the global packages, cache, and temp folders](../consume-packages/managing-the-global-packages-and-cache-folders.md). +These directories should be configured to a directory that the CI agent cleans after every build. + +Note that any packages used by your project might be left in your project's build output directory. +If your project uses packages from authenticated sources, then other users of the same CI agent might gain unauthorized access to the package assemblies. +Therefore, you should also clean your repo at the end of your build, even when the build fails or is cancelled. + ## Monitor your supply chain ### GitHub secret scanning **📦🖊 Package Author** -GitHub scans repositories for NuGet API keys to prevent fraudulent uses of secrets that were accidentally committed. +GitHub scans repositories for NuGet API keys to prevent fraudulent uses of secrets that were accidentally committed. To learn more about secret scanning, see [About secret scanning](https://docs.github.com/en/github/administering-a-repository/about-secret-scanning). @@ -159,7 +269,9 @@ To learn more about secret scanning, see [About secret scanning](https://docs.gi **📦🖊 Package Author** -[Author signing](../reference/signed-packages-reference.md) allows a package author to stamp their identity on a package and for a consumer to verify it came from you. This protects you against content tampering and serves as a single source of truth about the origin of the package and the package authenticity. When combined with client trust policies, you can verify a package came from a specific author. +[Author signing](../reference/signed-packages-reference.md) allows a package author to stamp their identity on a package and for a consumer to verify it came from you. +This protects you against content tampering and serves as a single source of truth about the origin of the package and the package authenticity. +When combined with client trust policies, you can verify a package came from a specific author. To author sign a package, see [Sign a package](../create-packages/sign-a-package.md). @@ -175,13 +287,14 @@ To learn more about reproducible builds, see [Producing Packages with Source Lin **📦🖊 Package Author** -Every account on nuget.org has 2FA enabled. This adds an extra layer of security when [logging into your GitHub account](https://docs.github.com/en/github/authenticating-to-github/securing-your-account-with-two-factor-authentication-2fa) or your [NuGet.org account](../nuget-org/individual-accounts.md#add-a-new-individual-account). +Every account on nuget.org has 2FA enabled. +This adds an extra layer of security when [logging into your GitHub account](https://docs.github.com/en/github/authenticating-to-github/securing-your-account-with-two-factor-authentication-2fa) or your [NuGet.org account](../nuget-org/individual-accounts.md#add-a-new-individual-account). -### Package ID prefix reservation +### Package ID prefix reservation **📦🖊 Package Author** -To protect the identity of your packages, you can reserve a package ID prefix with your respective namespace to associate a matching owner if your package ID prefix properly falls under the [specified criteria](../nuget-org/id-prefix-reservation.md#id-prefix-reservation-criteria). +To protect the identity of your packages, you can reserve a package ID prefix with your respective namespace to associate a matching owner if your package ID prefix properly falls under the [specified criteria](../nuget-org/id-prefix-reservation.md#id-prefix-reservation-criteria). To learn about reserving ID prefixes, see [Package ID prefix reservation](../nuget-org/id-prefix-reservation.md). @@ -189,13 +302,17 @@ To learn about reserving ID prefixes, see [Package ID prefix reservation](../nug **📦🖊 Package Author** -To protect the .NET package ecosystem when you are aware of a vulnerability in a package you have authored, do your best to deprecate and unlist the package so it is hidden from users searching for packages. If you are consuming a package that is deprecated and unlisted, you should avoid using the package. +To protect the .NET package ecosystem when you are aware of a vulnerability in a package you have authored, do your best to deprecate and unlist the package so it is hidden from users searching for packages. +If you are consuming a package that is deprecated and unlisted, you should avoid using the package. To learn how to deprecate and unlist a package, see the following documentation on [deprecating](../nuget-org/deprecate-packages.md) and [unlisting packages](../nuget-org/policies/deleting-packages.md#unlisting-a-package). +Also consider reporting the known to the [GitHub Advisories Database](https://github.com/advisories). + ## Summary -Your software supply chain is anything that goes into or affects your code. Even though supply chain compromises are real and growing in popularity, they are still rare; so the most important thing you can do is protect your supply chain by **being aware of your dependencies, managing your dependencies** and **monitoring your supply chain.** +Your software supply chain is anything that goes into or affects your code. +Even though supply chain compromises are real and growing in popularity, they are still rare; so the most important thing you can do is protect your supply chain by **being aware of your dependencies, managing your dependencies** and **monitoring your supply chain.** You learned about various methods that NuGet and [GitHub](/training/modules/maintain-secure-repository-github/) provide that are available to you today to be more effective in viewing, managing, and monitoring your supply chain. diff --git a/docs/concepts/media/copilot-tools-menu-2022.png b/docs/concepts/media/copilot-tools-menu-2022.png new file mode 100644 index 000000000..3fe2bdfb5 Binary files /dev/null and b/docs/concepts/media/copilot-tools-menu-2022.png differ diff --git a/docs/concepts/media/copilot-tools-menu-vs-code.png b/docs/concepts/media/copilot-tools-menu-vs-code.png new file mode 100644 index 000000000..995a86948 Binary files /dev/null and b/docs/concepts/media/copilot-tools-menu-vs-code.png differ diff --git a/docs/concepts/media/copilot-tools-menu.png b/docs/concepts/media/copilot-tools-menu.png new file mode 100644 index 000000000..ec5033751 Binary files /dev/null and b/docs/concepts/media/copilot-tools-menu.png differ diff --git a/docs/concepts/media/dotnet-nuget-why-1.png b/docs/concepts/media/dotnet-nuget-why-1.png new file mode 100644 index 000000000..b8422c44e Binary files /dev/null and b/docs/concepts/media/dotnet-nuget-why-1.png differ diff --git a/docs/concepts/media/github-copilot-agent-settings.png b/docs/concepts/media/github-copilot-agent-settings.png new file mode 100644 index 000000000..2b998ee35 Binary files /dev/null and b/docs/concepts/media/github-copilot-agent-settings.png differ diff --git a/docs/concepts/media/pm-ui-transitive-tooltip-1.png b/docs/concepts/media/pm-ui-transitive-tooltip-1.png new file mode 100644 index 000000000..d83e6bced Binary files /dev/null and b/docs/concepts/media/pm-ui-transitive-tooltip-1.png differ diff --git a/docs/concepts/media/vs-solution-explorer-search-options-1.png b/docs/concepts/media/vs-solution-explorer-search-options-1.png new file mode 100644 index 000000000..870c39a8a Binary files /dev/null and b/docs/concepts/media/vs-solution-explorer-search-options-1.png differ diff --git a/docs/concepts/media/vs-solution-explorer-search-results-1.png b/docs/concepts/media/vs-solution-explorer-search-results-1.png new file mode 100644 index 000000000..00e30fedd Binary files /dev/null and b/docs/concepts/media/vs-solution-explorer-search-results-1.png differ diff --git a/docs/concepts/nuget-mcp.md b/docs/concepts/nuget-mcp.md new file mode 100644 index 000000000..42eeaa5af --- /dev/null +++ b/docs/concepts/nuget-mcp.md @@ -0,0 +1,81 @@ +--- +title: MCP servers in NuGet packages +description: How can MCP servers be distributed using NuGet? +author: joelverhagen +ms.author: jver +ms.topic: article +ms.date: 07/23/2025 +--- + +# MCP servers in NuGet packages + +NuGet provides a convenient way to package and distribute MCP servers written in .NET. The C# MCP SDK and .NET offer a robust platform for building MCP servers, and NuGet is ideal for delivering your MCP server to end users as a local tool. Self-contained, platform-specific packages reduce runtime compatibility issues, and AOT compilation can further improve the end-user experience. + +For more information about the Model Context Protocol (MCP) in general, see the [introduction on the MCP website](https://modelcontextprotocol.io/introduction). To create your own MCP server and package it using NuGet, see the [quickstart guide](/dotnet/ai/quickstarts/build-mcp-server). + +## Applicable scenarios + +Shipping your MCP server via NuGet does not apply to all situations. The term "MCP client" is used in this document and refers to an application that orchestrates the interaction between an AI agent or LLM and calls made to an MCP server. Some example MCP clients are [Visual Studio Code](https://code.visualstudio.com/docs/copilot/chat/mcp-servers), [Visual Studio](/visualstudio/ide/mcp-servers), [GitHub Copilot coding agent](https://docs.github.com/copilot/concepts/coding-agent/about-copilot-coding-agent), Claude Code, or Cursor. + +Consider the following criteria to determine whether shipping your MCP server as a NuGet package makes sense: + +- ✅ You want your MCP server to run **locally** on the user's system (i.e., in the same context as the MCP client). + - Local MCP servers, such as those shipped in NuGet packages, run in the same context as the MCP client and communicate with the MCP client via standard IO (stdio) transport. The MCP client is responsible for launching the local MCP server process. +- ✅ The .NET SDK is available to the MCP client. + - NuGet MCP servers are [.NET tool packages](/dotnet/core/tools/global-tools), which are installed and executed using `dnx` from the .NET SDK. +- ✅ You have a NuGet package feed to host your MCP server package. + - NuGet.org can be used to publish MCP server packages and provides a tailored MCP browsing and consumption experience. However, any NuGet package feed, such as Azure Artifacts, can be used for hosting MCP servers if you wish to keep your MCP server package private. + +## Benefits of using .NET and NuGet for MCP servers + +There are several benefits to using NuGet for hosting your MCP server: + +- **Official SDK** - the [MCP C# SDK](https://github.com/modelcontextprotocol/csharp-sdk) provides a familiar interface for implementing your MCP server in C# and makes it easy to expose tools to MCP clients. +- **Flexible runtime options** - the .NET SDK provides several options for how your MCP server is compiled and packaged. See the [runtime requirements](#runtime-requirements) section for details. +- **Discoverability and distribution** - NuGet.org provides a way to showcase your MCP server, allowing potential users to find your MCP server and easily use it from inside VS Code or Visual Studio. NuGet.org encourages the use of an embedded [`.mcp/server.json`](https://github.com/modelcontextprotocol/registry/blob/main/docs/server-json/README.md) to declare inputs and an `McpServer` package type to allow MCP servers to be differentiated from other tool or dependency packages. +- **Familiar authoring workflows** - if you already use NuGet for creating dependency packages, creating and publishing an MCP server will be a very similar experience. + +## Package download and execution + +To fetch a local MCP server, the code for the server must be located and downloaded using a mechanism (protocol) specific to the package ecosystem. This is generally done with a "single-shot" command which takes the package name and arguments to download and then execute the package as a command-line application. + +For NuGet-based MCP servers, we recommend using `dnx` (a new command shipped in .NET 10 Preview 6) to acquire and execute the package. `dnx` currently ships with the .NET SDK, but there [is discussion to include `dnx` in the .NET runtime](https://github.com/dotnet/sdk/issues/49796). + +A command to start an MCP server would look something like this: + +```bash +dnx NuGet.Mcp.Server@0.1.2-preview --yes +``` + +Environment variables and command-line arguments can both be used to configure your MCP server in custom ways. These inputs allow you to customize the behavior of your MCP server to suit specific needs. + +This will download the `NuGet.Mcp.Server` package of version `0.1.2-preview` from your configured package sources (NuGet.org by default), and launch the contained CLI tool. For an MCP server, you may see log messages appear in stderr, but the process will appear to hang. This is expected, since the process is waiting for MCP protocol messages over stdin from your MCP client. + +Typically, your MCP client will invoke this command via tool-specific MCP configuration, such as the `mcp.json` file used by Visual Studio Code and Visual Studio. + +All of these tools support installing alternate sources. For example, `dnx` supports installing from Azure DevOps using the `--source` parameter, allowing consumption of private MCP servers, as long as the needed credential or credential providers are configured. + +## Runtime requirements + +Once the package is downloaded, a runtime is needed to execute the code inside the package. .NET tool packages (and by extension NuGet-based MCP servers) support a variety of options for how the tool is compiled and packaged. These options allow you, the MCP server author, to decide which runtime requirements should be placed on the users of your MCP server. + +There are three main options for how to package your MCP server: + +1. **Framework-dependent**: Requires that the MCP client has access to a compatible .NET runtime. If `dnx` is being used to download and execute the package, a runtime will be available. +2. **Self-contained**: Bundles the runtime with the package. [Using trimming](/dotnet/core/deploying/trimming/trimming-options) can reduce the size of the package. Self-contained .NET tools use `true`. +3. **Ahead-of-time (AOT) compiled**: A self-contained package with AOT compilation enabled. See [native AOT deployment](/dotnet/core/deploying/native-aot/) for more information. AOT .NET tools use `true`. + +For MCP servers, we recommend using option #2 (self-contained package without AOT) because it eliminates the need for any specific .NET runtime version present in the user's environment. If you can guarantee a compatible runtime version on the intended execution environment, option #1 is reasonable. Option #3 (using AOT) is also a good option, but it forces you or your dependencies to make your code compatible with AOT compilation. The C# MCP SDK is AOT compatible, but other dependencies you intend to use may not yet be AOT compatible. + +Consider using the `mcpserver` template in the [Microsoft.Extensions.AI.Templates](https://www.nuget.org/packages/Microsoft.Extensions.AI.Templates) template package to use the latest recommended defaults. + +## Comparison to other ecosystems + +Other ecosystems have similar requirements and workflows for packaging and running MCP servers: + +- **NuGet/.NET**: Uses the `dnx` command to download and execute .NET tool packages. Requires the .NET SDK for `dnx`. Additional runtime dependencies can be bundled into the package. +- **npm**: Uses the `npx` command to download and execute npm packages, and install dependencies transitively. Requires Node.js. +- **Python**: Uses the `uvx` command to download and execute Python packages, and install dependencies transitively. Requires a Python runtime. +- **Docker**: Uses the `docker run` command to download and execute images. Requires the Docker Engine. Docker images can target multiple CPU architectures and provide excellent isolation, but are generally larger than NuGet, npm, or Python packages. + +In all of these cases, the MCP client needs to have the necessary ecosystem-specific tool (e.g., `dnx`, `npx`) to download and execute the package-based MCP server. diff --git a/docs/concepts/package-installation-process.md b/docs/concepts/package-installation-process.md index e72f9bb70..76074a1c4 100644 --- a/docs/concepts/package-installation-process.md +++ b/docs/concepts/package-installation-process.md @@ -4,7 +4,7 @@ description: Detailed information about the package installation process author: JonDouglas ms.author: jodou ms.date: 06/20/2019 -ms.topic: conceptual +ms.topic: article --- # What happens when a NuGet package is installed? @@ -20,7 +20,7 @@ The general process is as follows: 2. Acquire the package: - Check if the package (by exact identifer and version number) is already installed in the *global-packages* folder as described on [Managing the global packages and cache folders](../consume-packages/managing-the-global-packages-and-cache-folders.md). - - If the package is not in the *global-packages* folder, attempt to retrieve it from the sources listed in the [configuration files](../consume-packages/Configuring-NuGet-Behavior.md). [Package Source Mapping](../consume-packages/package-source-mapping.md) configurations are applied at this point. For online sources, attempt first to retrieve the package from the HTTP cache unless `-NoCache` is specified with `nuget.exe` commands or `--no-cache` is specified with `dotnet restore`. (Visual Studio and `dotnet add package` always use the cache.) If a package is used from the cache, "CACHE" appears in the output. The cache has an expiration time of 30 minutes. + - If the package is not in the *global-packages* folder, attempt to retrieve it from the sources listed in the [configuration files](../consume-packages/Configuring-NuGet-Behavior.md). [Package Source Mapping](../consume-packages/package-source-mapping.md) configurations are applied at this point. For online sources, attempt first to retrieve the package from the HTTP cache unless `-NoHttpCache` is specified with `nuget.exe` commands or `--no-http-cache` is specified with `dotnet restore`. (Visual Studio and `dotnet add package` always use the cache.) If a package is used from the cache, "CACHE" appears in the output. The cache has an expiration time of 30 minutes. - If the package has been specified using a [floating version](../consume-packages/Package-References-in-Project-Files.md#floating-versions), or without a minimum version, NuGet *will* contact all sources to figure out the best match. Example: `1.*`, `(, 2.0.0]`. diff --git a/docs/concepts/troubleshooting-installed-packages.md b/docs/concepts/troubleshooting-installed-packages.md index 1b6c361b9..d06dfcebc 100644 --- a/docs/concepts/troubleshooting-installed-packages.md +++ b/docs/concepts/troubleshooting-installed-packages.md @@ -4,7 +4,7 @@ description: How to find which package source was used for individual packages author: JonDouglas ms.author: jodou ms.date: 03/26/2021 -ms.topic: conceptual +ms.topic: troubleshooting-general --- # Troubleshooting Installed Packages diff --git a/docs/consume-packages/Central-Package-Management.md b/docs/consume-packages/Central-Package-Management.md index b23b59ef5..66f7e9744 100644 --- a/docs/consume-packages/Central-Package-Management.md +++ b/docs/consume-packages/Central-Package-Management.md @@ -1,46 +1,32 @@ --- title: Central Package Management -description: Manage your dependencies in a central location and how you can get started with central package management. +description: Manage your dependencies in a central location and learn how to get started with Central Package Management. author: jondouglas ms.author: jodou ms.date: 05/09/2022 -ms.topic: conceptual +ms.topic: article --- # Central Package Management (CPM) -Dependency management is a core feature of NuGet. Managing dependencies for a single project can be easy. Managing dependencies for multi-project solutions -can prove to be difficult as they start to scale in size and complexity. In situations where you manage common dependencies for many different projects, you -can leverage NuGet's central package management (CPM) features to do all of this from the ease of a single location. +Dependency management is a core feature of NuGet. +While managing dependencies for a single project is straightforward, it becomes increasingly complex as the number of projects in a solution grows. -Historically, NuGet package dependencies have been managed in one of two locations: +If you manage common dependencies for many different projects, you can leverage NuGet's Central Package Management (CPM) features to do all of this from a single, central location. -- `packages.config` - An XML file used in older project types to maintain the list of packages referenced by the project. -- `` - An XML element used in MSBuild projects defines NuGet package dependencies. +Central Package Management applies to all ``-based MSBuild projects (including [legacy CSPROJ](https://github.com/dotnet/project-system/blob/main/docs/feature-comparison.md)). -Starting with [NuGet 6.2](..\release-notes\NuGet-6.2.md), you can centrally manage your dependencies in your projects with the addition of a -`Directory.Packages.props` file and an MSBuild property. - -The feature is available across all NuGet integrated tooling. - -* [Visual Studio 2022 17.2 and later](https://visualstudio.microsoft.com/downloads/) -* [.NET SDK 6.0.300 and later](https://dotnet.microsoft.com/download/dotnet/6.0) -* [.NET SDK 7.0.0-preview.4 and later](https://dotnet.microsoft.com/download/dotnet/7.0) -* [nuget.exe 6.2.0 and later](https://www.nuget.org/downloads) - -Older tooling will ignore central package management configurations and features. To use this feature to the fullest extent, ensure all your build environments -use the latest compatible tooling versions. +## Enabling Central Package Management -Central package management applies to all ``-based MSBuild projects (including -[legacy CSPROJ](https://github.com/dotnet/project-system/blob/main/docs/feature-comparison.md)) as long as compatible tooling is used. +To get started with Central Package Management, create a `Directory.Packages.props` file at the root of your repository and set the MSBuild property `ManagePackageVersionsCentrally` to `true`. -## Enabling Central Package Management +You can create it manually, or use the .NET CLI: -To get started with central package management, you must create a `Directory.Packages.props` file at the root of your repository and set the MSBuild property -`ManagePackageVersionsCentrally` to `true`. +```shell +dotnet new packagesprops +``` -Inside, you then define each of the respective package versions required of your projects using `` elements that define the package ID and -version. +Inside `Directory.Packages.props`, define `` elements to specify the package IDs and versions used by your projects. ```xml @@ -48,13 +34,14 @@ version. true - + + ``` -For each project, you then define a `` but omit the `Version` attribute since the version will be attained from a corresponding -`` item. +In each project file, define `` elements without the `Version` attribute. +The version will be resolved from the corresponding `` entry in `Directory.Packages.props`. ```xml @@ -62,65 +49,107 @@ For each project, you then define a `` but omit the `Version net6.0 - + ``` -Now you're using central package management and managing your versions in a central location! +Now you're using Central Package Management and managing your versions in a central location! -## Central Package Management rules +## Central Package Management Rules -The `Directory.Packages.props` file has a number of rules with regards to where it's located in a repository's directory and its context. For the sake of -simplicity, only one `Directory.Packages.props` file is evaluated for a given project. +The `Directory.Packages.props` file has specific rules regarding its location and context within a repository. +Only one `Directory.Packages.props` file is evaluated for a given project by default. -What this means is that if you had multiple `Directory.Packages.props` files in your repository, the file that is closest to your project's directory will -be evaluated for it. This allows you extra control at various levels of your repository. +If you have multiple `Directory.Packages.props` files in your repository, the file closest to a given project's directory will be evaluated for it. +This allows extra control at various levels of your repository. -Here's an example, consider the following repository structure: +Consider the following repository directory structure: ``` -Repository - |-- Directory.Packages.props - |-- Solution1 - |-- Directory.Packages.props - |-- Project1 - |-- Solution2 - |-- Project2 +📂 (root) + ├─📄 Directory.Packages.props + | + ├─📂Solution1 + | ├─ 📄Directory.Packages.props + | | + | └─ 📂 Project1 + | └─📄Project1.csproj + | + └─ 📂 Solution2 + └─ 📂 Project2 + └─ 📄 Project2.csproj +``` + +`Project1.csproj` will use the `Directory.Packages.props` file in the `Repository\Solution1\` directory. +If you want to include settings from a parent `Directory.Packages.props`, you must manually import it. + +```xml + + + + + + ``` -- Project1 will evaluate the `Directory.Packages.props` file in the `Repository\Solution1\` directory and it must manually import the next one if so desired. - ```xml - - - - - - - ``` -- Project2 will evaluate the `Directory.Packages.props` file in the `Repository\` directory. +`Project2.csproj` will evaluate the `Directory.Packages.props` file in the root directory. -**Note:** MSBuild will not automatically import each `Directory.Packages.props` for you, only the first one closest to the project. If you have multiple -`Directory.Packages.props`, you must import the parent one manually while the root `Directory.Packages.props` would not. +> [!NOTE] +> MSBuild will only automatically import the first `Directory.Packages.props` file it finds in the project directory or any parent directory. +> If you have multiple such files, you must manually import parent files as needed. -## Get started +## Getting Started -To fully onboard your repository, consider taking these steps: +To fully onboard your repository, follow these steps: -1. Create a new file at the root of your repository named `Directory.Packages.props` that declares your centrally defined package versions and set - the MSBuild property `ManagePackageVersionsCentrally` to `true`. +1. Create a new file at the root of your repository named `Directory.Packages.props` that declares your centrally defined package versions and set the MSBuild property `ManagePackageVersionsCentrally` to `true`. 2. Declare `` items in your `Directory.Packages.props`. 3. Declare `` items without `Version` attributes in your project files. -For an idea of how central package management may look like, refer to our [samples repo](https://github.com/NuGet/Samples/tree/main/CentralPackageManagementExample). +For an example of how Central Package Management may look, refer to our [samples repository](https://github.com/NuGet/Samples/tree/main/CentralPackageManagementExample). + +## Using Different Versions for Different Target Frameworks + +As NuGet packages evolve, package owners may drop support for older target frameworks. +This can cause issues for developers of libraries that still target older frameworks but want to reference newer versions of packages for newer target frameworks. + +For example, if your project targets .NET Standard 2.0, .NET 8.0, and .NET Framework 4.7.2, but `PackageA` no longer supports .NET Standard 2.0 in its latest version, you can specify different versions for each target framework. + +```xml + + + netstandard2.0;net8.0;net472 + + + + + +``` + +In this case, define different versions for each target framework in your `Directory.Packages.props` using [MSBuild conditions](/visualstudio/msbuild/msbuild-conditions): + +```xml + + + true + + + + + + +``` + +## Transitive Pinning -## Transitive pinning +You can automatically override a transitive package version without an explicit top-level `` item by opting into a feature known as transitive pinning. +This promotes a transitive dependency to a top-level dependency implicitly on your behalf when necessary. -You can automatically override a transitive package version even without an explicit top-level `` by opting into a feature known as -transitive pinning. This promotes a transitive dependency to a top-level dependency implicitly on your behalf when necessary. +Note that downgrades are not allowed when transitive pinning a package. +If you attempt to pin a package to a lower version than the one requested by your dependencies, restore will raise a [NU1109](../reference/errors-and-warnings/NU1109.md) error. -You can enable this feature by setting the MSBuild property `CentralPackageTransitivePinningEnabled` to `true` in a project or in a `Directory.Packages.props` -or `Directory.Build.props` import file: +You can enable this feature by setting the MSBuild property `CentralPackageTransitivePinningEnabled` to `true` in a project or in a `Directory.Packages.props` or `Directory.Build.props` import file: ```xml @@ -128,10 +157,49 @@ or `Directory.Build.props` import file: ``` -## Overriding package versions +### Transitive Pinning and Pack + +When a package is transitively pinned, your project uses a higher version than the one requested by your dependencies. +If you create a package from your project, to ensure that your package will work, NuGet will promote the transitively pinned dependencies to explicit dependencies in the nuspec. + +In the following example, `PackageA 1.0.0` has a dependency on `PackageB 1.0.0`. + +```xml + + + + + + +``` + +```xml + + + true + net6.0 + + + + + +``` + +When you use the pack command to create a package, both packages will appear in the dependency group. + +```xml + + + + +``` + +Because of this, the use of transitive pinning should be carefully evaluated when authoring a library, as it may lead to dependencies you did not expect. -You can override an individual package version by using the `VersionOverride` property on a `` item. This overrides any `` -defined centrally. +## Overriding Package Versions + +You can override an individual package version by using the `VersionOverride` property on a `` item. +This will take precedence over any centrally defined ``. ```xml @@ -153,22 +221,19 @@ defined centrally. ``` -You can disable this feature by setting the MSBuild property `EnablePackageVersionOverride` to `false` in a project or in a `Directory.Packages.props` or -`Directory.Build.props` import file: +You can disable this feature by setting the MSBuild property `CentralPackageVersionOverrideEnabled` to `false` in a project or in a `Directory.Packages.props` or `Directory.Build.props` import file: ```xml - false + false ``` -When this feature is disabled, specifying a `VersionOverride` on any `` item will result in an error at restore time indicating that -the feature is disabled. +When this feature is disabled, specifying a `VersionOverride` on any `` item will result in an error at restore time indicating that the feature is disabled. ## Disabling Central Package Management -If you'd like to disable central package management for any a particular project, you can disable it by setting the MSBuild property -`ManagePackageVersionsCentrally` to `false`: +To disable Central Package Management for a specific project, set the MSBuild property `ManagePackageVersionsCentrally` to `false`: ```xml @@ -177,17 +242,19 @@ If you'd like to disable central package management for any a particular project ``` ## Global Package References -> [!Note] + +> [!NOTE] > This feature is only available in Visual Studio 2022 17.4 or higher, .NET SDK 7.0.100.preview7 or higher, and NuGet 6.4 or higher. -A global package reference is used to specify that a package will be used by every project in a repository. This includes packages that do versioning, extend your build, or do any other package that is needed by all projects. Global package references are added to the PackageReference item group with the following metadata: +A global package reference is used to specify that a package will be used by every project in a repository. +This includes packages that do versioning, extend your build, or any other packages that are needed by all projects. +Global package references are added to the PackageReference item group with the following metadata: * `IncludeAssets="Runtime;Build;Native;contentFiles;Analyzers"`
- This ensures that the package is only used as a development dependency and prevents any compile-time assembly references. + This ensures that the package is only used as a development dependency and prevents it from being included as a compile-time assembly reference. * `PrivateAssets="All"`
This prevents global package references from being picked up by downstream dependencies. - `GlobalPackageReference` items should be placed in your `Directory.Packages.props` to be used by every project in a repository: ```xml @@ -198,18 +265,11 @@ A global package reference is used to specify that a package will be used by eve ``` -## Warning when using multiple package sources +## NU1507 Warning When Using Multiple Package Sources -When using central package management, you will see a `NU1507` warning if you have more than one package source defined in your configuration. To resolve -this warning, map your package sources with [package source mapping](https://aka.ms/nuget-package-source-mapping) or specify a single package source. +When using Central Package Management, NuGet will log an [`NU1507`](../reference/errors-and-warnings/nu1507.md) warning if more than one package source is defined in your configuration. +To resolve this warning, map your package sources with [package source mapping](https://aka.ms/nuget-package-source-mapping) or specify a single package source. ``` -There are 3 package sources defined in your configuration. When using central package management, please map your package sources with package source mapping (https://aka.ms/nuget-package-source-mapping) or specify a single package source. +There are 3 package sources defined in your configuration. When using Central Package Management, please map your package sources with package source mapping (https://aka.ms/nuget-package-source-mapping) or specify a single package source. ``` - - - -> [!Note] -> Central package management is in active development. We appreciate you trying it out and providing any feedback you may have at [NuGet/Home](https://github.com/nuget/home/issues). -> -> * There is currently no support in Visual Studio or the .NET CLI for Central Package Management. diff --git a/docs/consume-packages/Finding-and-Choosing-Packages.md b/docs/consume-packages/Finding-and-Choosing-Packages.md index 0f59472f7..fef94e0cd 100644 --- a/docs/consume-packages/Finding-and-Choosing-Packages.md +++ b/docs/consume-packages/Finding-and-Choosing-Packages.md @@ -3,8 +3,8 @@ title: Find and evaluate NuGet packages description: Find and evaluate publicly available NuGet packages for your project by using advanced nuget.org search filters and syntax. author: JonDouglas ms.author: jodou -ms.date: 08/29/2022 -ms.topic: conceptual +ms.date: 03/03/2025 +ms.topic: how-to --- # Find and evaluate NuGet packages for your project @@ -17,15 +17,27 @@ You can find packages directly at [https://nuget.org/packages](https://www.nuget At [nuget.org/packages](https://www.nuget.org/packages), you see a list of NuGet packages with the most popular packages across all .NET projects listed first. Some of these packages might be useful for your projects. -![Screenshot that shows the default view of nuget.org/packages with the most popular packages at the top.](media/Finding-01-Popularity.png) +![Screenshot that shows the default view of nuget.org/packages with the most popular packages at the top.](media/Finding-07-MostPopular.png) To search for a package, enter the package name or search terms in the Search box at the top of the page. You can use [advanced search syntax](#search-syntax) to filter your search. ### Advanced filtering and sorting -At nuget.org/packages, you can select the **Filter** button at upper-right to expand advanced sorting and filtering options. +At nuget.org/packages, you can refine your search results by making use of the advanced filtering and sorting options. -![Screenshot that shows the Advanced Search panel on nuget.org.](media/Finding-02-SearchResults.png) +![Screenshot that shows the filtering and sorting options on nuget.org.](media/Finding-08-FiltersAndSorts.png) + +Use the **Frameworks** filters to show packages targeting specific .NET frameworks (To learn more, see [Target Frameworks](/dotnet/standard/frameworks)): + +- Selecting one of the .NET framework generation checkboxes would filter the search results to packages compatible with any of the individual Target Frameworks within that generation. For example, selecting `.NET` will return packages compatible with any of the modern .NET frameworks, including `net5.0` through `net8.0`. + + ![Screenshot that shows the Framework filters on nuget.org.](media/Finding-09-FrameworkFilterPanel.png) + +- Expanding one of these framework generations with the arrows on the right will show you individual Target Framework Monikers (TFMs) that you can filter your results by. For example, selecting `net5.0` will return packages compatible with the '.NET 5.0' framework. +- By default, packages are filtered by their expanded list of computed compatible frameworks. If you want to filter packages purely by the asset frameworks they explicitly target, deselect the **Include compatible frameworks** checkbox. +- Combining multiple framework filters will show you search results that match all of your selected filters, i.e. packages that fall in the intersection of your selections. For example, selecting `netcoreapp3.1` and `net45` together will show packages that target **both** '.NET Core 3.1' and '.NET Framework 4.5'. Selecting the `.NET Core` framework generation checkbox and the `net45` checkbox together will return packages that target '.NET Framework 4.5', and at least one of the '.NET Core' TFMs (`netcoreapp1.0` through `netcoreapp3.1`). + - Alternatively, if you want to see packages matching **any one** of your framework filters, select the **Any** radio button on the **Framework Filter Mode** option. Now, selecting `netcoreapp3.1` and `net5.0` will show packages that target **either** '.NET Core 3.1' or '.NET 5.0'. Selecting the `netcoreapp3.1` checkbox and the `.NET` framework generation checkbox together will return packages that target '.NET Core 3.1' or any one of the '.NET' TFMs (`net5.0` through `net8.0`). +- You can learn more on how to evaluate a package's supported frameworks and its compatibility with your project [here](#determine-supported-frameworks). Use the **Package type** filter to show packages of a specific type: @@ -34,16 +46,16 @@ Use the **Package type** filter to show packages of a specific type: - **.NET tool** filters to [.NET tools](/dotnet/core/tools/global-tools) packages that contain console applications. - **Template** filters to [.NET templates](/dotnet/core/install/templates) that you can use to create new projects with the [dotnet new](/dotnet/core/tools/dotnet-new) command. -Use the **Sort by** option to sort the list by several criteria: +By default, NuGet lists all versions of packages, including prerelease and beta versions. In the **Options** section, deselect the **Include prerelease** checkbox to list only stable, released package versions. + +To apply changes, select **Apply**. To get back to the defaults, select **Reset**. + +Use the **Sort by** dropdown on the top-right of the page to sort the list by several criteria: - **Relevance** is the default, and sorts results according to an internal scoring algorithm. - **Downloads** sorts the search results by the total number of downloads, in descending order. - **Recently updated** sorts the search results by the latest package version creation date, in descending chronological order. -By default, NuGet lists all versions of packages, including prerelease and beta versions. In the **Options** section, deselect the **Include prerelease** checkbox to list only stable, released package versions. - -To apply changes, select **Apply**. To get back to the defaults, select **Reset**. - ### Search syntax Package search queries at nuget.org, from the NuGet CLI, and from within Visual Studio all use the same syntax. Other package sources, like Azure Artifacts or GitHub Package Repository, might use different syntax or might not support advanced filtering. @@ -60,7 +72,7 @@ Package search queries at nuget.org, from the NuGet CLI, and from within Visual - You can search for multiple values or properties at the same time. For example: - `id:jquery id:ui` searches for multiple terms in the `id` property.
`id:jquery tags:validation` searches multiple properties. + `id:jquery id:ui` searches for multiple terms in the `id` property.
`id:jquery tags:validation` searches for multiple properties. - Search ignores unsupported properties, so `invalid:jquery ui` is the same as searching for `ui`, and `invalid:jquery` returns all packages. @@ -70,6 +82,14 @@ NuGet installs a package into a project only if the package's supported .NET fra There are several ways to determine the frameworks that a package supports: +- On the search page, a package's supported frameworks will appear as badges below the package ID. These badges show the lowest supported framework versions from the **.NET**, **.NET Core**, **.NET Standard**, and **.NET Framework** generations. The package will be compatible with any framework version that's equal to or higher than the badge version shown. + + 'Dark blue' badges represent explicitly targeted frameworks, while 'light blue' badges represent computed compatible frameworks. + + Clicking on a badge will redirect you to the package's details page on nuget.org. The **Frameworks** tab on the package's page will show the full list of supported frameworks. + + ![Screenshot of the Framework badges on nuget.org's search page.](media/Finding-10-FrameworkBadgesInSearch.png) + - On the package's page at nuget.org, supported frameworks appear below the package ID and on the **Frameworks** tab, but not all packages show supported frameworks. ![Screenshot of the Frameworks UI and tab on the package page at nuget.org.](media/supported-frameworks.png) @@ -98,7 +118,7 @@ The Visual Studio Package Manager Console, NuGet CLI, and dotnet CLI tools don't ### Native C++ packages -Visual Studio C++ projects can use native C++ NuGet packages. Installing these packages enables the **Manage NuGet Packages** context-menu command, exposes a `native` target framework, and provides MSBuild integration. +Visual Studio C++ projects can use native C++ NuGet packages. Installing these packages enable the **Manage NuGet Packages** context-menu command, exposes a `native` target framework, and provides MSBuild integration. To find native packages on nuget.org/packages, search by using `tag:native`. Such packages typically provide *.targets* and *.props* files, which NuGet imports automatically when adding the packages. diff --git a/docs/consume-packages/Overview-and-Workflow.md b/docs/consume-packages/Overview-and-Workflow.md index 4c47052ab..b9bc8f527 100644 --- a/docs/consume-packages/Overview-and-Workflow.md +++ b/docs/consume-packages/Overview-and-Workflow.md @@ -4,7 +4,7 @@ description: An overview of the process of consuming NuGet packages in a project author: JonDouglas ms.author: jodou ms.date: 03/22/2018 -ms.topic: conceptual +ms.topic: concept-article --- # Package consumption workflow diff --git a/docs/consume-packages/Package-References-in-Project-Files.md b/docs/consume-packages/Package-References-in-Project-Files.md index c243db7e7..d9290e3cd 100644 --- a/docs/consume-packages/Package-References-in-Project-Files.md +++ b/docs/consume-packages/Package-References-in-Project-Files.md @@ -4,20 +4,20 @@ description: Details on NuGet PackageReference in project files as supported by author: nkolev92 ms.author: nikolev ms.date: 4/6/2022 -ms.topic: conceptual +ms.topic: article --- # `PackageReference` in project files Package references, using `` MSBuild items, specify NuGet package dependencies directly within project files, as opposed to having a separate `packages.config` file. Use of PackageReference doesn't affect other aspects of NuGet; for example, settings in `NuGet.Config` files (including package sources) are still applied as explained in [Common NuGet configurations](configuring-nuget-behavior.md). -With PackageReference, you can also use MSBuild conditions to choose package references per target framework, or other groupings. It also allows for fine-grained control over dependencies and content flow. (See For more details [NuGet pack and restore as MSBuild targets](../reference/msbuild-targets.md).) +With PackageReference, you can also use MSBuild conditions to choose package references per target framework, or other groupings. It also allows for fine-grained control over dependencies and content flow. (For more information, see [NuGet pack and restore as MSBuild targets](../reference/msbuild-targets.md).) ## Project type support -By default, PackageReference is used for .NET Core projects, .NET Standard projects, and UWP projects targeting Windows 10 Build 15063 (Creators Update) and later, with the exception of C++ UWP projects. .NET Framework projects support PackageReference, but currently default to `packages.config`. To use PackageReference, [migrate](../consume-packages/migrate-packages-config-to-package-reference.md) the dependencies from `packages.config` into your project file, then remove packages.config. +By default, PackageReference is used for .NET projects, .NET Standard projects, and UWP projects targeting Windows 10 Build 15063 (Creators Update) and later, with the exception of C++ UWP projects. .NET Framework projects support PackageReference, but currently default to `packages.config`. To use PackageReference in a .NET Framework project, [migrate](../consume-packages/migrate-packages-config-to-package-reference.md) the dependencies from `packages.config` into your project file, then remove packages.config. -ASP.NET apps targeting the full .NET Framework include only [limited support](https://github.com/NuGet/Home/issues/5877) for PackageReference. C++ and JavaScript project types are unsupported. +ASP.NET apps that target the full .NET Framework include only [limited support](https://github.com/NuGet/Home/issues/5877) for PackageReference. C++ and JavaScript project types are unsupported. ## Adding a PackageReference @@ -43,7 +43,7 @@ The convention for specifying the version of a package is the same as when using ``` -In the example above, 3.6.0 means any version that is >=3.6.0 with preference for the lowest version, as described on [Package versioning](../concepts/package-versioning.md#version-ranges). +In the example above, 3.6.0 means any version that is >=3.6.0 with preference for the lowest version, as described in [Package versioning](../concepts/package-versioning.md#version-ranges). ## Using PackageReference for a project with no package dependencies @@ -57,11 +57,11 @@ Advanced: If you have no packages installed in a project (no PackageReferences i ``` -This may be useful, if you reference projects which are PackageReference styled (existing csproj or SDK-style projects). This will enable packages that those projects refer to, to be "transitively" referenced by your project. +This might be useful if you reference projects that are PackageReference styled (existing csproj or SDK-style projects). This will enable packages that those projects refer to, to be "transitively" referenced by your project. ## PackageReference and sources -In PackageReference projects, the transitive dependency versions are resolved at restore time. As such, in PackageReference projects all sources need to be available for all restores. +In PackageReference projects, the transitive dependency versions are resolved at restore time. As such, in PackageReference projects, all sources need to be available for all restores. ## Floating Versions @@ -94,13 +94,13 @@ You might be using a dependency purely as a development harness and might not wa The following metadata tags control dependency assets: -| Tag | Description | Default Value | -| --- | --- | --- | -| IncludeAssets | These assets will be consumed | all | -| ExcludeAssets | These assets will not be consumed | none | +| Tag | Description | Default Value | +|---------------|--------------------------------------------------------------------|------------------------------| +| IncludeAssets | These assets will be consumed | all | +| ExcludeAssets | These assets will not be consumed | none | | PrivateAssets | These assets will be consumed but won't flow to the parent project | contentfiles;analyzers;build | -Allowable values for these tags are as follows, with multiple values separated by a semicolon except with `all` and `none` which must appear by themselves: +Allowable values for these tags are as follows, with multiple values separated by a semicolon except for `all` and `none`, which must appear by themselves: | Value | Description | | --- | --- @@ -143,9 +143,9 @@ Note that because `build` is not included with `PrivateAssets`, targets and prop ## Adding a PackageReference condition -You can use a condition to control whether a package is included, where conditions can use any MSBuild variable or a variable defined in the targets or props file. However, at presently, only the `TargetFramework` variable is supported. +You can use a condition to control whether a package is included. Conditions can use any MSBuild variable or a variable defined in the targets or props file. However, at present, only the `TargetFramework` variable is supported. -For example, say you're targeting `netstandard1.4` as well as `net452` but have a dependency that is applicable only for `net452`. In this case you don't want a `netstandard1.4` project that's consuming your package to add that unnecessary dependency. To prevent this, you specify a condition on the `PackageReference` as follows: +For example, say you're targeting `netstandard1.4` as well as `net452` but have a dependency that's applicable only for `net452`. In this case you don't want a `netstandard1.4` project that consumes your package to add that unnecessary dependency. To prevent this, you specify a condition on the `PackageReference` as follows: ```xml @@ -191,7 +191,7 @@ Example: ```` -Additionally NuGet will automatically generate properties for packages containing a tools folder. +Additionally NuGet automatically generates properties for packages containing a tools folder. ```xml @@ -206,12 +206,12 @@ Additionally NuGet will automatically generate properties for packages containin MSBuild properties and package identities do not have the same restrictions so the package identity needs to be changed to an MSBuild friendly name, prefixed by the word `Pkg`. To verify the exact name of the property generated, look at the generated [nuget.g.props](../reference/msbuild-targets.md#restore-outputs) file. -## PackageReference Aliases +## PackageReference aliases -In some rare instances different packages will contain classes in the same namespace. Starting with NuGet 5.7 & Visual Studio 2019 Update 7, equivalent to ProjectReference, PackageReference supports [`Aliases`](/dotnet/api/microsoft.codeanalysis.projectreference.aliases). -By default no aliases are provided. When an alias is specified, *all* assemblies coming from the annotated package with need to be referenced with an alias. +In some rare instances, different packages will contain classes in the same namespace. Starting with NuGet 5.7 & Visual Studio 2019 Update 7, equivalent to ProjectReference, PackageReference supports [`Aliases`](/dotnet/api/microsoft.codeanalysis.projectreference.aliases). +By default, no aliases are provided. When an alias is specified, *all* assemblies coming from the annotated package need to be referenced with an alias. -You can look at sample usage at [NuGet\Samples](https://github.com/NuGet/Samples/tree/main/PackageReferenceAliasesExample) +You can look at sample usage at [NuGet\Samples](https://github.com/NuGet/Samples/tree/main/PackageReferenceAliasesExample). In the project file, specify the aliases as follows: @@ -221,7 +221,7 @@ In the project file, specify the aliases as follows: ``` -and in the code use it as follows: +And in the code, use it as follows: ```cs extern alias ExampleAlias; @@ -246,8 +246,8 @@ For many pack and restore scenarios, all NuGet warnings and errors are coded, an NuGet observes the following warning properties: -- `TreatWarningsAsErrors`, treat all warnings as errors -- `WarningsAsErrors`, treat specific warnings as errors +- `TreatWarningsAsErrors`, treat all warnings as errors. +- `WarningsAsErrors`, treat specific warnings as errors. - `NoWarn`, hide specific warnings, either project-wide or package-wide. Examples: @@ -285,7 +285,7 @@ To suppress a warning project wide, consider doing: ``` -Sometimes warnings apply only to a certain package in the graph. We can choose to suppress that warning more selectively by adding a `NoWarn` on the PackageReference item. +Sometimes warnings apply only to a certain package in the graph. You can choose to suppress that warning more selectively by adding a `NoWarn` on the PackageReference item. ```xml @@ -307,19 +307,19 @@ When in Visual Studio, you can also [suppress warnings](/visualstudio/ide/how-to Input to NuGet restore is a set of `PackageReference` items from the project file (top-level or direct dependencies) and the output is a full closure of all the package dependencies including transitive dependencies. NuGet tries to always produce the same full closure of package dependencies if the input PackageReference list has not changed. However, there are some scenarios where it is unable to do so. For example: -* When you use floating versions like ``. While the intention here is to float to the latest version on every restore of packages, there are scenarios where users require the graph to be locked to a certain latest version and float to a later version, if available, upon an explicit gesture. -* A newer version of the package matching PackageReference version requirements is published. E.g. +- When you use floating versions like ``. While the intention here is to float to the latest version on every restore of packages, there are scenarios where users require the graph to be locked to a certain latest version and float to a later version, if available, upon an explicit gesture. +- A newer version of the package matching PackageReference version requirements is published. For example: - * Day 1: if you specified `` but the versions available on the - NuGet repositories were 4.1.0, 4.2.0 and 4.3.0. In this case, NuGet would have resolved to 4.1.0 (nearest minimum version) + - Day 1: if you specified `` but the versions available on the + NuGet repositories were 4.1.0, 4.2.0, and 4.3.0. In this case, NuGet would have resolved to 4.1.0 (nearest minimum version). - * Day 2: Version 4.0.0 gets published. NuGet will now find the exact match and start resolving to 4.0.0 + - Day 2: Version 4.0.0 gets published. NuGet will now find the exact match and start resolving to 4.0.0. -* A given package version is removed from the repository. Though nuget.org does not allow package deletions, not all package repositories have this constraint. This results in NuGet finding the best match when it cannot resolve to the deleted version. +- A given package version is removed from the repository. Though nuget.org does not allow package deletions, not all package repositories have this constraint. This results in NuGet finding the best match when it cannot resolve to the deleted version. ### Enabling the lock file -In order to persist the full closure of package dependencies you can opt-in to the lock file feature by setting the MSBuild property `RestorePackagesWithLockFile` for your project: +In order to persist the full closure of package dependencies, you can opt-in to the lock file feature by setting the MSBuild property `RestorePackagesWithLockFile` for your project: ```xml @@ -329,13 +329,14 @@ In order to persist the full closure of package dependencies you can opt-in to t ``` -If this property is set, NuGet restore will generate a lock file - `packages.lock.json` file at the project root directory that lists all the package dependencies. +If this property is set, NuGet restore will generate a lock file (`packages.lock.json`) at the project root directory that lists all the package dependencies. > [!Note] > Once a project has `packages.lock.json` file in its root directory, the lock file is always used with restore even if the property `RestorePackagesWithLockFile` is not set. So another way to opt-in to this feature is to create a dummy blank `packages.lock.json` file in the project's root directory. ### `restore` behavior with lock file -If a lock file is present for project, NuGet uses this lock file to run `restore`. NuGet does a quick check to see if there were any changes in the package dependencies as mentioned in the project file (or dependent projects' files) and if there were no changes it just restores the packages mentioned in the lock file. There is no re-evaluation of package dependencies. + +If a lock file is present for a project, NuGet uses this lock file to run `restore`. NuGet does a quick check to see if there were any changes in the package dependencies as mentioned in the project file (or dependent projects' files), and if there were no changes, it just restores the packages mentioned in the lock file. There is no re-evaluation of package dependencies. If NuGet detects a change in the defined dependencies as mentioned in the project file(s), it re-evaluates the package graph and updates the lock file to reflect the new package closure for the project. @@ -353,7 +354,7 @@ For msbuild.exe, run: > msbuild.exe -t:restore -p:RestoreLockedMode=true ``` -You may also set this conditional MSBuild property in your project file: +You can also set this conditional MSBuild property in your project file: ```xml @@ -365,12 +366,21 @@ You may also set this conditional MSBuild property in your project file: If locked mode is `true`, restore will either restore the exact packages as listed in the lock file or fail if you updated the defined package dependencies for the project after lock file was created. +#### Lock files and PrunePackageReference + +[PrunePackageReference](#prunepackagereference) changes the dependencies of a project, by removing unnecessary transitive packages. +While removing these packages should not have an impact at runtime, it will affect lock files. +If you enable pruning for an existing project, whenever the lock file gets regenerated, it may lead to fewer packages than before pruning. +The lock file up to date check that powers locked mode is pruning aware, which means if you enabled pruning on a project, the check will account for packages that are pruned. +However the next time the lock file is regenerated, it will exclude the pruned packages, so you may see a diff that's larger than usual. + ### Make lock file part of your source repository -If you are building an application, an executable and the project in question is at the start of the dependency chain then do check in the lock file to the source code repository so that NuGet can make use of it during restore. -However, if your project is a library project that you do not ship or a common code project on which other projects depend upon, you **should not** check in the lock file as part of your source code. There is no harm in keeping the lock file but the locked package dependencies for the common code project may not be used, as listed in the lock file, during the restore/build of a project that depends on this common-code project. +If you are building an application, an executable, and the project in question is at the start of the dependency chain, then do check in the lock file to the source code repository so that NuGet can make use of it during restore. -Eg. +However, if your project is a library project that you do not ship or a common code project on which other projects depend, you **should not** check in the lock file as part of your source code. There is no harm in keeping the lock file, but the locked package dependencies for the common code project can't be used, as listed in the lock file, during the restore/build of a project that depends on this common-code project. + +Example: ``` ProjectA @@ -388,10 +398,47 @@ You can control various behaviors of restore with lock file as described below: | NuGet.exe option | dotnet option | MSBuild equivalent option | Description | |:--- |:--- |:--- |:--- | | `-UseLockFile` |`--use-lock-file` | RestorePackagesWithLockFile | Opts into the usage of a lock file. | -| `-LockedMode` | `--locked-mode` | RestoreLockedMode | Enables locked mode for restore. This is useful in CI/CD scenarios where you want repeatable builds.| +| `-LockedMode` | `--locked-mode` | RestoreLockedMode | Enables locked mode for restore. This is useful in CI/CD scenarios where you want repeatable builds.| | `-ForceEvaluate` | `--force-evaluate` | RestoreForceEvaluate | This option is useful with packages with floating version defined in the project. By default, NuGet restore will not update the package version automatically upon each restore unless you run restore with this option. | | `-LockFilePath` | `--lock-file-path` | NuGetLockFilePath | Defines a custom lock file location for a project. By default, NuGet supports `packages.lock.json` at the root directory. If you have multiple projects in the same directory, NuGet supports project specific lock file `packages..lock.json` | +## NuGet Dependency Resolver + +The NuGet dependency resolver follows the [four rules as described in the dependency resolution document](../../docs/concepts/Dependency-Resolution.md). + +In order to improve the performance and scalability of the restore operation, the restore algorithm was rewritten in the 6.12 release. +As of the 6.12 release, the new restore algorithm is enabled by default for all PackageReference projects. +While the new restore algorithm is is functionally equivalent to the previous one, as with any software, bugs are possible. +To revert to the previous implementation, set the MSBuild property `RestoreUseLegacyDependencyResolver` to `true`. + +Should you face restore failures in 6.12, .NET 9 or 17.12, that weren't reproducing in earlier versions, please [file an issue on GitHub](https://github.com/NuGet/Home/issues/). +Any differences between the old and new algorithms may have different impacts, such as during compilation or at runtime. +There's also a chance that changes don't lead to failures, but different package versions being restored. +If you think you might be impacted by any changes, here are the steps you can take to verify whether the changes in the NuGet restore algorithm are the root cause. + +Restore writes its results in the `MSBuildProjectExtensionsPath` directory, which can be compared with the new and old algorithms to find differences. +Usually this is the `obj` folder of your build. +You can use `msbuild.exe` or `dotnet.exe` for the next steps. + +1. Remove the `obj` folder for your project. +1. Run `msbuild -t:restore` +1. Save the contents of the `obj` to a location indicating that it's the `new` behavior. +1. Run `msbuild -t:restore -p:RestoreUseLegacyDependencyResolver="true"`. +1. Save the contents of the `obj` to a location indicating that it's the `legacy` behavior. +1. Compare the files in the two directories, particularly *project.assets.json*. + + Tools that can highlight differences are especially useful for this (for example, in Visual Studio Code, open both files, and use the right-click "select for compare" and "compare to selected"). + +If you follow the above method, there should be exactly 1 difference between the `project.assets.json` files: + +```diff + "projectStyle": "PackageReference", ++ "restoreUseLegacyDependencyResolver": true, + "fallbackFolders": [ +``` + +If there are any more differences, please [file an issue on GitHub](https://github.com/NuGet/Home/issues/) with all the details. + ## AssetTargetFallback The `AssetTargetFallback` property lets you specify additional compatible framework versions for projects that your project references and NuGet packages that your project consumes. @@ -422,3 +469,90 @@ You can leave off `$(AssetTargetFallback)` if you wish to overwrite, instead of > If you are using a [.NET SDK based project](/dotnet/core/sdk), appropriate `$(AssetTargetFallback)` values are configured and you do not need to set them manually. > > `$(PackageTargetFallback)` was an earlier feature that attempted to address this challenge, but it is fundamentally broken and *should* not be used. To migrate from `$(PackageTargetFallback)` to `$(AssetTargetFallback)`, simply change the property name. + +## PrunePackageReference + +The .NET Runtime is constantly evolving, with performance improvements and new APIs each release. +New features added to .NET are also sometimes provided as packages, so that developers using older target frameworks can use the library, such as [System.Text.Json](https://www.nuget.org/packages/System.Text.Json). +This can often lead to a `System.Text.Json 8.0.0` in a project targeting `.NET 9` or `.NET 8`. This dependency is unnecessary and the build conflict resolution would not use the assembly coming from the package since it's already available in the .NET Runtime. +Starting in [NuGet version 6.13](..\release-notes\NuGet-6.13.md) and .NET SDK 9.0.200, `PrunePackageReference` enables the pruning of these packages at restore time for .NET SDK based projects. +The first iteration of pruning affected transitive packages only, but starting with .NET SDK 10, package pruning affects direct packages as well. + +Package pruning is available as an opt-in feature with the .NET 9 SDK, and is enabled by default for all frameworks of a project that targets `>= .NET 10.0` in the .NET 10 SDK. + +Package pruning is only available with the default dependency resolver as [released in 6.12](#nuget-dependency-resolver). + +### PrunePackageReference specification + +The list of packages to be pruned is defined with the `PrunePackageReference` item. + +| Attributes | Description | +|------------|-------------| +| Version | Specifies the maximum version to be pruned. `1.0.0` means that all packages up to and including 1.0.0 will be pruned. For `1.0.0`, `0.9.0` and `1.0.0` will be pruned, but `1.0.1` would not. | + +The following properties can be used to modify the pruning behavior. + +| PropertyName | Description | +|--------------|-------------| +| RestoreEnablePackagePruning | Enables package pruning for the packages specified with `PrunePackageReference`. This property is per target framework and the valid values are `true` and `false`. Defaults may differ based on the .NET SDK as defined above. | + +The .NET SDK predefines the list of packages to be pruned for you. + +### How PrunePackageReference works + +When a package is specified to be pruned during restore, it is removed from the dependency graph. +When a package is pruned, there is a message, visible at detailed verbosity, indicating that the package has been removed for the given target framework. + +For transitive packages, meaning dependencies of other packages or projects, the packages are not downloaded and do not appear in any of the outputs of NuGet. + +For direct packages, `PrivateAssets='all'` and `IncludeAssets='none'` are implicitly applied. + +- `IncludeAssets='none'` ensures that the assemblies from this package are not used during the build. Before pruning existed, the conflict resolution during the build ensured that platform assemblies were preferred over those coming from the packages. +- `PrivateAssets='all'` ensures that the packages aren't included in packages or through project references. + +Example: + +A project like below: + +```xml + + net9.0;netstandard2.0 + + + + + +``` + +will have a nuspec with the following dependencies: + +```xml + + + + + + + +``` + +When a direct PackageReference can be completely removed from your project, and one of the project frameworks are .NET 10 or newer, [NU1510](../reference/errors-and-warnings/NU1510.md) will be raised asking you to remove the package. +Following this suggestion will reduce the complexity of your project graph. + +The following table summarizes all the package pruning behaviors. + +| Dependency disposition | Behavior | +|-----------------|----------| +| Matches the ID of a transitive package coming through another package | Prune | +| Matches the ID of a transitive package coming through another project | Prune | +| Matches the ID of a direct `PackageReference` | Apply `PrivateAssets='all'` and `IncludeAssets='none'` and raise the [NU1510](../reference/errors-and-warnings/NU1510.md) warning when the package can be removed from all frameworks and the project targets .NET 10. | +| Matches the ID of a `ProjectReference` | Do not prune and raise the [NU1511](../reference/errors-and-warnings/NU1511.md) warning when the project targets .NET 10 | + +### PrunePackageReference applications + +The benefits of package pruning are two-fold: + +- Performance benefits, by virtue of reducing the number of packages within a dependency graph +- Reduction of false positives by component scanners such as `NuGetAudit` + +Pruning is particularly valuable when [auditing](./../concepts/Auditing-Packages.md) packages with `NuGetAuditMode` set to `all`. If you are using .NET 9, we recommend you try out pruning by setting `RestoreEnablePackagePruning` to `true`. diff --git a/docs/consume-packages/Package-Restore.md b/docs/consume-packages/Package-Restore.md index 567e6f9f8..62f1f673f 100644 --- a/docs/consume-packages/Package-Restore.md +++ b/docs/consume-packages/Package-Restore.md @@ -3,8 +3,8 @@ title: NuGet Package Restore description: See an overview of how NuGet restores packages a project depends on, including how to disable restore and constrain versions. author: JonDouglas ms.author: jodou -ms.date: 08/29/2022 -ms.topic: conceptual +ms.date: 10/20/2023 +ms.topic: how-to --- # Restore packages with NuGet Package Restore @@ -41,9 +41,10 @@ After a successful restore: If the package references in your project file or your *packages.config* file are incorrect and don't match your desired state, install or update the correct packages instead of using Package Restore. -If you have missing packages or package-related errors after you run Package Restore, such as error icons in Solution Explorer, follow the instructions in [Troubleshooting Package Restore errors](package-restore-troubleshooting.md), or [reinstall or update](../consume-packages/reinstalling-and-updating-packages.md) the packages. In Visual Studio, the Package Manager Console provides several options for reinstalling packages. For more information, see [Use Package-Update](reinstalling-and-updating-packages.md#using-update-package). +If you have missing packages or package-related errors after you run Package Restore, such as error icons in Solution Explorer, follow the instructions in [Troubleshooting Package Restore errors](package-restore-troubleshooting.md), or [reinstall or update](../consume-packages/reinstalling-and-updating-packages.md) the packages. In Visual Studio, the Package Manager Console provides several options for reinstalling packages. For more information, see [Use Package-Update](reinstalling-and-updating-packages.md#update-package-command). + ## Restore packages in Visual Studio In Visual Studio on Windows, you can restore packages automatically or manually. First, configure Package Restore through **Tools** > **Options** > **NuGet Package Manager**. @@ -52,9 +53,10 @@ In Visual Studio on Windows, you can restore packages automatically or manually. Configure the following Package Restore options at **Tools** > **Options** > **NuGet Package Manager** > **General**. -![Screenshot that shows the NuGet Package Manager options.](media/Restore-01-AutoRestoreOptions.png) +![Screenshot that shows the NuGet Package Manager options.](media/vsoptions/general.png) + #### Allow NuGet to download missing packages Select **Allow NuGet to download missing packages** to enable package restore and the **Restore NuGet Packages** command. This selection sets the `packageRestore/enabled` setting to `True` in the [packageRestore section](../reference/nuget-config-file.md#packagerestore-section) of the global *NuGet.Config* file, at *%AppData%\\Roaming\\NuGet* on Windows or *~/.nuget/NuGet/* on Mac or Linux. @@ -87,20 +89,23 @@ Select **Automatically check for missing packages during build in Visual Studio* ``` -For non-SDK-style projects, you must select **Allow NuGet to download missing packages** as well as **Automatically check for missing packages during build in Visual Studio** in **Options** to enable automatic restore. +You must select **Allow NuGet to download missing packages** as well as **Automatically check for missing packages during build in Visual Studio** in **Options** to enable package restore during build. + #### Choose the default package management format NuGet has two package management formats, [PackageReference](Package-References-in-Project-Files.md) and [packages.config](../reference/packages-config.md). Select the format you want to use from the dropdown list under **Package Management**. You can also select whether to allow format selection on first package install. > [!Note] +> > - If a project doesn't support both package management formats, NuGet uses the package management format that's compatible with the project, which might not be the default you set in the options. NuGet then won't prompt for selection on first install, even if you selected that option. > > - If you use Package Manager Console to install the first package in a project, NuGet doesn't prompt for format selection, even if that option is selected in **Options**. + ### Restore packages manually or automatically After you enable package restore in **Options**, you can right-click the solution in **Solution Explorer** and select **Restore NuGet Packages** to restore packages anytime. @@ -112,6 +117,7 @@ For projects that use ``, you can see the package references i If you see the error **This project references NuGet package(s) that are missing on this computer**, or **One or more NuGet packages need to be restored but couldn't be because consent has not been granted**, make sure you enabled automatic restore. For older projects, see [Migrate to automatic package restore](#migrate-to-automatic-package-restore-visual-studio). Also see [Troubleshooting package restore errors](Package-restore-troubleshooting.md). + ## Restore by using the dotnet CLI [!INCLUDE [restore-dotnet-cli](includes/restore-dotnet-cli.md)] @@ -120,11 +126,13 @@ If you see the error **This project references NuGet package(s) that are missing > To add a missing package reference to the project file, use [dotnet add package](/dotnet/core/tools/dotnet-add-package), which also runs `restore`. + ## Restore by using the NuGet CLI [!INCLUDE [restore-nuget-exe-cli](includes/restore-nuget-exe-cli.md)] + ## Restore by using MSBuild You can use [msbuild -t:restore](../reference/msbuild-targets.md#restore-target) to restore packages in NuGet 4.x+ and MSBuild 15.1+, which are included with Visual Studio 2017 and higher. @@ -144,6 +152,7 @@ To use MSBuild restore: + ## Restore with Azure Pipelines or Azure DevOps Server When you create a build definition in Azure Pipelines, you can include the [NuGet CLI restore](/azure/devops/pipelines/tasks/package/nuget#restore-nuget-packages) or [dotnet CLI restore](/azure/devops/pipelines/tasks/build/dotnet-core-cli) task in the definition before any build tasks. Some build templates include the restore task by default. @@ -154,7 +163,7 @@ Azure DevOps Server and TFS 2013 and later automatically restore packages during NuGet restore through any method honors any version constraints you specify in *packages.config* or the project file. -- In *packages.config*, you can specify an `allowedVersions` range in the dependency. For more information, see [Constrain upgrade versions](../consume-packages/reinstalling-and-updating-packages.md#constraining-upgrade-versions). For example: +- In *packages.config*, you can specify an `allowedVersions` range in the dependency. For more information, see [Constraints on upgrade versions](../consume-packages/reinstalling-and-updating-packages.md#constraints-on-upgrade-versions). For example: ```xml @@ -189,9 +198,10 @@ To avoid using packages in the HTTP cache: - Clear the cache by using `nuget locals http-cache -clear` or `dotnet nuget locals http-cache --clear`. - Temporarily set the **NUGET_HTTP_CACHE_PATH** environment variable to a different folder. -- For `nuget restore`, use the `-NoCache` option, or for `dotnet restore`, use the `--no-cache` option. These options don't affect restore operations through the Visual Studio Package Manager or Console. +- For `nuget restore`, use the `-NoHttpCache` option, or for `dotnet restore`, use the `--no-http-cache` option. These options don't affect restore operations through the Visual Studio Package Manager or Console. + ## Migrate to automatic package restore Earlier versions of NuGet supported an MSBuild-integrated package restore. Projects that use the deprecated MSBuild-integrated package restore should migrate to automatic package restore. diff --git a/docs/consume-packages/Package-Source-Mapping.md b/docs/consume-packages/Package-Source-Mapping.md index ec65391b8..5386bb61d 100644 --- a/docs/consume-packages/Package-Source-Mapping.md +++ b/docs/consume-packages/Package-Source-Mapping.md @@ -3,16 +3,31 @@ title: Package Source Mapping description: Describes package source mapping functionality and how to onboard author: nkolev92 ms.author: nikolev -ms.date: 03/15/2022 -ms.topic: conceptual +ms.date: 10/18/2023 +ms.topic: how-to --- # Package Source Mapping -Safeguarding your software supply chain is crucial if you use a mix of public and private package sources. -Use Package Source Mapping along side other [best practices](..\concepts\Security-Best-Practices.md) to help you fortify your supply chain against attacks. +Package Source Mapping is a tool that can be used to improve your supply chain security, especially if you use a mix of public and private package sources. -Starting with [NuGet 6.0](..\release-notes\NuGet-6.0.md), you can centrally declare which source each package in your solution should restore from in your nuget.config file. +By default, NuGet will search all configured package sources when it needs to download a package. +When a package exists on multiple sources, it may not be deterministic which source the package will be downloaded from. +With Package Source Mapping, you can filter, per package, which source(s) NuGet will search. + +We also have suggestions for other [best practices](..\concepts\Security-Best-Practices.md) to help you fortify your supply chain against attacks. + +Package Source Mapping was added in [NuGet 6.0](..\release-notes\NuGet-6.0.md). +Starting with Visual Studio 17.5, you can add and remove Package Source Mappings with the Visual Studio Options Dialog. +For detailed information on all Visual Studio NuGet options, see [NuGet Options in Visual Studio](nuget-visual-studio-options.md). + +### Visual Studio support + +| Visual Studio | Package Source Mapping | Support in Tools -> Options | Support in Package Manager UI | +|-----|---------------------|---------------------|---------------------| +| 17.0 - 17.4 | ✅ Available | ❌ Not available | ❌ Not available | +| 17.5 | ✅ Available | ✅ Available | ❌ Not available | +| 17.7 Preview 3| ✅ Available | ✅ Available | ✅ Status displayed | The feature is available across all NuGet integrated tooling. @@ -32,33 +47,61 @@ For a video-based overview of the Package Source Mapping feature, consider watch To opt into this feature, you must have a `nuget.config` file. Having a single `nuget.config` at the root of your repository is considered a best practice. See [nuget.config documentation](../reference/nuget-config-file.md) to learn more. +### Enable by using Visual Studio Options Dialog + +1. Open your solution in Visual Studio. +2. Navigate to the `Package Source Mappings` Options Dialog. + +_From the Package Manager UI_ + +* Select a package from the list to show it in the Details Pane. +* Press the `Configure` button to open the Package Source Mappings options page. + +![The NuGet Package Manager window in Visual Studio showing a selected package, and a highlight around the "Package source mapping is off" status with a `Configure` button.](media/packageSourceMapping_PMUI_Status_Off_Annotated.png) + +_From the Visual Studio Options Dialog_ + +* Go to the `Tools` menu in the main Visual Studio toolbar, and choose `NuGet Package Manager` -> `Package Manager Settings`. +* Navigate to the `Package Source Mappings` page. + +For details about managing NuGet package source mappings, see [NuGet Options in Visual Studio](nuget-visual-studio-options.md#package-source-mapping). + +The NuGet Package Manager window will refresh and reflect the new status of the selected package's source mappings. +![The NuGet Package Manager window in Visual Studio showing a selected package with the "Package source mapping found" status with a `Configure` button.](media/packageSourceMapping_PMUI_Status_Mapped.png) + +### Enable by manually editing `nuget.config` + * Declare your desired package sources in your `nuget.config` file. * Following your source declarations, add a `` element that specifies the desired mappings for each source. * Declare exactly one `packageSource` element for each source in use. * Add as many patterns as you find necessary. ```xml - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + ``` Package Source Mapping settings are applied following [nuget.config precedence rules](configuring-nuget-behavior.md#how-settings-are-applied) when multiple `nuget.config` files at various levels (machine-level, user-level, repo-level) are present. @@ -69,16 +112,16 @@ For maximum flexibility and control, NuGet requires that all packages match a pa ### Package Pattern requirements -All requested packages must map to one or more sources by matching a defined package pattern. In other words, once you have defined a `packageSourceMapping` element you must explicitly define which sources *every* package - *including transitive packages* - will be restored from. +All requested packages must map to one or more sources by matching a defined package pattern. In other words, once you have defined a `packageSourceMapping` element you must explicitly define which sources _every_ package - _including transitive packages_ - will be restored from. -* Both top-level *and transitive* packages must match defined patterns. There is no requirement that a top level package and its dependencies come from the same source. +* Both top-level _and transitive_ packages must match defined patterns. There is no requirement that a top level package and its dependencies come from the same source. * The same ID pattern can be defined on multiple sources, allowing matching package IDs to be restored from any of the feeds that define the pattern. However, this isn't recommended due to the impact on restore predictability (a given package could come from multiple sources). This may be a valid configuration if you trust all respective sources. ### Package Pattern Syntax | Pattern | Example syntax | Description | -|-|--------|---------|-------------| -| Package prefix pattern | `*`, `NuGet.*`, `NuGet.*` | Must end with a `*`, where `*` matches 0 or more characters. `*` is the shortest allowed prefix pattern and matches all packages ids. | +|---------|---------|-------------| +| Package prefix pattern | `*`, `NuGet.*` | Must end with a `*`, where `*` matches 0 or more characters. `*` is the shortest allowed prefix pattern and matches all packages ids. | | Package ID pattern | `NuGet.Common`, `Contoso.Contracts` | Exact package ID. | ### Package Pattern precedence @@ -95,7 +138,7 @@ This configuration is advantageous if you primarily use packages from say, `nuge If your team doesn't use standard prefixes for internal package IDs or vets `nuget.org` packages prior to installation, then making a private source the default will suit your needs better. > [!Note] -> When the requested package already exists in the global packages folder, no source look-up will happen and the mappings will be ignored. Consider declaring a [global packages folder for your repo](../reference/nuget-config-file.md#config-section) to gain the full security benefits of this feature. Work to improve the experience with the default global packages folder in planned for a next iteration. +> When the requested package already exists in the global packages folder, no source look-up will happen and the mappings will be ignored. Consider declaring a [global packages folder for your repo](../reference/nuget-config-file.md#config-section) to gain the full security benefits of this feature. Work to improve the experience with the default global packages folder is planned for a next iteration. To learn more about how package installation works, see [the conceptual document.](../concepts/package-installation-process.md) ### Get started @@ -110,7 +153,7 @@ For manual onboarding you may take the following steps: 1. Run [dotnet restore](/dotnet/core/tools/dotnet-restore) to restore dependencies. 1. Run [`dotnet list package --include-transitive`](/dotnet/core/tools/dotnet-list-package#synopsis) to view all top-level and transitive packages in your solution. * For .NET framework projects using [`packages.config`](../reference/packages-config.md), the `packages.config` file will have a flat list of all direct and transitive packages. -1. Define mappings such that every package ID in your solution - *including transitive packages* - matches a pattern for the target source. +1. Define mappings such that every package ID in your solution - _including transitive packages_ - matches a pattern for the target source. 1. Run [dotnet nuget locals global-packages -c](/dotnet/core/tools/dotnet-nuget-locals) to clear global-packages directory. 1. Run restore to validate that you have configured your mappings correctly. If your mappings don't fully cover every package ID in your solution, the error messages will help you identify the issue. 1. When restore succeeds, you are done! Optionally consider: @@ -119,7 +162,7 @@ For manual onboarding you may take the following steps: #### Automated onboarding using tool -Many repositories have a large number of packages and doing the work manually can be time consuming. The [NuGet.PackageSourceMapper tool](https://www.nuget.org/packages/NuGet.PackageSourceMapper) can automatically generate a NuGet.config for you, based on your project's known packages and sources. +Many repositories have a large number of packages and doing the work manually can be time consuming. The [NuGet.PackageSourceMapper tool](https://www.nuget.org/packages/NuGet.PackageSourceMapper) can automatically generate a NuGet.config for you, based on your project's known packages and sources. The package source mapper tool requires you to have completed a successful package restore in which it will read each respective `.nupkg.metadata` file generated as part of your build to best understand how you map your respective packages and sources. Tool not only covers top dependencies it also considers all the transitive dependencies when generating mapping. @@ -128,6 +171,7 @@ Tool has several option how to generate mapping pattern depending on your need, For an idea of how your source mappings may look like, refer to our [samples repo](https://github.com/NuGet/Samples/tree/main/PackageSourceMappingExample). > [!Note] +> > * There are no nuget.exe or dotnet.exe commands for managing the package source mapping configuration, see [NuGet/Home#10735](https://github.com/NuGet/Home/issues/10735). > * There are no means of mapping packages at package installation time, see [NuGet/Home#10730](https://github.com/NuGet/Home/issues/10730). > * There is a limitation when using the `DotNetCoreCLI@2` Azure Pipelines task which can be worked around by using `feed-` prefixes in your source mapping configuration. It is recommended however to use `NuGetAuthenticate` for your authentication needs and call the dotnet cli directly from a script task. See [microsoft/azure-pipelines-tasks#15542](https://github.com/microsoft/azure-pipelines-tasks/issues/15542). diff --git a/docs/consume-packages/Package-restore-troubleshooting.md b/docs/consume-packages/Package-restore-troubleshooting.md index 704e12429..1bac3ac4f 100644 --- a/docs/consume-packages/Package-restore-troubleshooting.md +++ b/docs/consume-packages/Package-restore-troubleshooting.md @@ -4,12 +4,12 @@ description: A description of common NuGet restore errors in Visual Studio and h author: JonDouglas ms.author: jodou ms.date: 05/25/2018 -ms.topic: conceptual +ms.topic: troubleshooting-general --- # Troubleshooting package restore errors -This article focuses on common errors when restoring packages and steps to resolve them. +This article focuses on common errors when restoring packages and steps to resolve them. Package Restore tries to install all package dependencies to the correct state matching the package references in your project file (*.csproj*) or your *packages.config* file. (In Visual Studio, the references appear in Solution Explorer under the **Dependencies \ NuGet** or the **References** node.) To follow the required steps to restore packages, see [Restore packages](../consume-packages/package-restore.md#restore-packages). If the package references in your project file (*.csproj*) or your *packages.config* file are incorrect (they do not match your desired state following Package Restore), then you need to either install or update packages instead of using Package Restore. @@ -24,7 +24,7 @@ If you're using Visual Studio, first enable package restore as follows. Otherwis 1. Select **OK**. 1. Build your project again. -![Enable NuGet package restore in Tool/Options](../consume-packages/media/restore-01-autorestoreoptions.png) +![Enable NuGet package restore in Tool/Options](../consume-packages/media/vsoptions/general.png) These settings can also be changed in your `NuGet.Config` file; see the [consent](#consent) section. If your project is an older project that uses the MSBuild-integrated package restore, you may need to [migrate](package-restore.md#migrate-to-automatic-package-restore-visual-studio) to automatic package restore. diff --git a/docs/consume-packages/PackageDownload-Functionality.md b/docs/consume-packages/PackageDownload-Functionality.md index 2d926ad2e..8b5bb01b3 100644 --- a/docs/consume-packages/PackageDownload-Functionality.md +++ b/docs/consume-packages/PackageDownload-Functionality.md @@ -4,7 +4,7 @@ description: Describes the PackageDownload feature, which is a complement to Pac author: nkolev92 ms.author: nikolev ms.date: 12/22/2021 -ms.topic: conceptual +ms.topic: article --- # PackageDownload diff --git a/docs/consume-packages/Packages-and-Source-Control.md b/docs/consume-packages/Packages-and-Source-Control.md index dd01f03a7..2d7cb5516 100644 --- a/docs/consume-packages/Packages-and-Source-Control.md +++ b/docs/consume-packages/Packages-and-Source-Control.md @@ -4,7 +4,7 @@ description: Considerations for how to treat NuGet packages within version contr author: JonDouglas ms.author: jodou ms.date: 03/16/2018 -ms.topic: conceptual +ms.topic: how-to --- # Omitting NuGet packages in source control systems diff --git a/docs/consume-packages/Reinstalling-and-Updating-Packages.md b/docs/consume-packages/Reinstalling-and-Updating-Packages.md index 08d495522..f4465e821 100644 --- a/docs/consume-packages/Reinstalling-and-Updating-Packages.md +++ b/docs/consume-packages/Reinstalling-and-Updating-Packages.md @@ -1,52 +1,75 @@ --- -title: Reinstalling and Updating NuGet Packages -description: Details on when it's necessary to reinstall and update packages, as with broken package references in Visual Studio. +title: Reinstall and update NuGet packages in Visual Studio +description: Learn how to reinstall and update NuGet packages to address broken package references and broken projects in Visual Studio. author: JonDouglas ms.author: jodou -ms.date: 09/03/2021 -ms.topic: conceptual +ms.date: 11/03/2023 +ms.topic: how-to --- -# How to reinstall and update packages +# Reinstall and update NuGet packages in Visual Studio + +Sometimes package references can break within a Visual Studio project. Uninstalling and reinstalling the same version of the package often restores the references to working order. Updating a package, which installs an updated version, can also resolve the issue. This article describes how to reinstall and update NuGet packages to address broken package references and broken projects. > [!NOTE] -> The following section applies to [packages.config](../reference/packages-config.md) based projects only. [PackageReference](../consume-packages/Package-References-in-Project-Files.md) projects automatically fix broken references when restore is run. +> The guidance in this article applies only to projects that use the [packages.config](../reference/packages-config.md) management format. For [PackageReference](../consume-packages/Package-References-in-Project-Files.md) projects, a restore operation automatically fixes broken references. -There are a number of situations, described below under [When to Reinstall a Package](#when-to-reinstall-a-package), where references to a package might get broken within a Visual Studio project. In these cases, uninstalling and then reinstalling the same version of the package will restore those references to working order. Updating a package simply means installing an updated version, which often restores a package to working order. +## Common scenarios -In Visual Studio, the Package Manager Console provides many flexible options for updating and reinstalling packages. +Here are some common scenarios where you might encounter broken package references in your Visual Studio project. -Updating and reinstalling packages is accomplished as follows: +| Scenario | Description | Resolution | +|---|---|---| +| **Broken references after package restore** | You open your Visual Studio project and restore NuGet packages, but broken package references remain. | To fix the references, try reinstalling each package separately. | +| **Broken project due to deleted files** | Deleted (missing) package files cause your project to break. NuGet doesn't prevent deleting items that you add from packages. It can be easy to inadvertently modify contents installed from a package and break your project. | To restore your project, try reinstalling the affected packages. | +| **Broken project after package update** | A package update breaks your project. Companion updates to a dependency package generally cause this type of failure. | To restore the state of the dependency to its previous working order, try reinstalling the specific dependent package. | +| **Broken references after project retarget or upgrade** | A project retarget or upgrade process causes broken package references. After you retarget your project, NuGet shows a build error. Build warnings list packages that might need to be reinstalled. Or, after you upgrade your project, NuGet shows an error in the project upgrade log. The log file lists packages that might need to be reinstalled. | To resolve issues due to a change in target framework, try reinstalling one or more packages. | +| **Package changes under development** | Package authors often need to reinstall the same version of a package they're currently developing to test their changes. | The NuGet Package Manager Console in Visual Studio provides flexible options for updating and reinstalling packages. To reinstall a package under development, you can use the `Update-Package -reinstall` command. | -| Method | Update | Reinstall | -| --- | --- | --- | -| Package Manager console (described in [Using Update-Package](#using-update-package)) | `Update-Package` command | `Update-Package -reinstall` command | -| Package Manager UI | On the **Updates** tab, select one or more packages and select **Update** | On the **Installed** tab, select a package, record its name, then select **Uninstall**. Switch to the **Browse** tab, search for the package name, select it, then select **Install**). | -| nuget.exe CLI | `nuget update` command | For all packages, delete the package folder, then run `nuget install`. For a single package, delete the package folder and use `nuget install ` to reinstall the same one. | +## Implementation options -> [!NOTE] -> For the dotnet CLI, the equivalent procedure is not required. In a similar scenario, you can [restore packages with the dotnet CLI](package-restore.md#restore-using-the-dotnet-cli). +You have several choices for how to update and reinstall NuGet packages. Common methods include NuGet Package Manager UI options, the NuGet Package Manager Console, and the NuGet (Command Line Interface) CLI. + +### Package Manager UI + +In addition to the Console interface, the Package Manager UI also provides menu options to install, update, and uninstall packages. + +- To update a package, open the **Updates** tab, choose one or more packages, then select **Update**. + +- To reinstall a package, first uninstall the package and then install it again. Open the **Installed** tab, choose a package and record its name, then select **Uninstall**. Switch to the **Browse** tab and search for the package name, choose the package, then select **Install**. + +### Package Manager Console + +You can access the Package Manager Console under **Tools** > **NuGet Package Manager** > **Package Manager Console**. + +- To update a package, the Package Manager Console provides the `Update-Package` command. -In this article: +- To reinstall a package, you can use the same command with the `-reinstall` parameter. This approach is the easiest option, if it's compatible with your configuration. -- [When to Reinstall a Package](#when-to-reinstall-a-package) -- [Constraining upgrade versions](#constraining-upgrade-versions) +For more information, see the [Update-Package command](#update-package-command) and [Package reinstall considerations](#package-reinstall-considerations) sections. -## When to Reinstall a Package +### NuGet CLI -1. **Broken references after package restore**: If you've opened a project and restored NuGet packages, but still see broken references, try reinstalling each of those packages. -1. **Project is broken due to deleted files**: NuGet does not prevent you from removing items added from packages, so it's easy to inadvertently modify contents installed from a package and break your project. To restore the project, reinstall the affected packages. -1. **Package update broke the project**: If an update to a package breaks a project, the failure is generally caused by a dependency package which may have also been updated. To restore the state of the dependency, reinstall that specific package. -1. **Project retargeting or upgrade**: This can be useful when a project has been retargeted or upgraded and if the package requires reinstallation due to the change in target framework. NuGet shows a build error in such cases immediately after project retargeting, and subsequent build warnings let you know that the package may need to be reinstalled. For project upgrade, NuGet shows an error in the Project Upgrade Log. -1. **Reinstalling a package during its development**: Package authors often need to reinstall the same version of package they're developing to test the behavior. The `Install-Package` command does not provide an option to force a reinstall, so use `Update-Package -reinstall` instead. +The NuGet CLI, `nuget.exe`, is the command-line utility for Windows that provides all NuGet capabilities. -## Constraining upgrade versions +- To update an installed package, run the `nuget update` command. -By default, reinstalling or updating a package *always* installs the latest version available from the package source. +- To reinstall all NuGet packages, delete the package folder and then run the `nuget install` command. -In projects using the `packages.config` management format, however, you can specifically constrain the version range. For example, if you know that your application works only with version 1.x of a package but not 2.0 and above, perhaps due to a major change in the package API, then you'd want to constrain upgrades to 1.x versions. This prevents accidental updates that would break the application. +- To reinstall a single package, delete the package folder and then run the `nuget install ` command, where the `` argument is the ID of the specific package. -To set a constraint, open `packages.config` in a text editor, locate the dependency in question, and add the `allowedVersions` attribute with a version range. For example, to constrain updates to version 1.x, set `allowedVersions` to `[1,2)`: +> [!NOTE] +> For the **dotnet CLI**, the equivalent procedure isn't required. When you run the `dotnet restore` command, the dotnet CLI uses NuGet to determine dependencies and download any necessary NuGet packages. For more information, see [Restore NuGet packages with the dotnet CLI](package-restore.md#restore-using-the-dotnet-cli). + +## Constraints on upgrade versions + +By default, reinstalling or updating a package _always_ installs the latest version available from the package source. However, projects that use the `packages.config` management format can specifically limit the allowed NuGet package version range. + +Suppose your application works only with version 1.x of a package, but not with version 2.0 or later, due to a major change in the package API. To ensure your application works as expected, you want to constrain NuGet package upgrades to versions 1.x only. The limitation helps to prevent accidental updates that might break your application. + +To set a constraint, open the `packages.config` file in a text editor. Locate the dependency that you want to limit, and add the `allowedVersions` attribute with your desired version range. + +The following example shows how to constrain updates to version 1.x by setting the `allowedVersions` attribute to `[1,2)`: ```xml @@ -59,63 +82,104 @@ To set a constraint, open `packages.config` in a text editor, locate the depende In all cases, use the notation described in [Package versioning](../concepts/package-versioning.md#version-ranges). -## Using Update-Package +## Update-Package command + +The [Update-Package command](../reference/ps-reference/ps-ref-update-package.md) in the Package Manager Console is the easiest way to reinstall a package and address broken references. However, this approach isn't usable in all scenarios. You can use the command to update an installed package, but not to do an initial install. If you try to update or reinstall a package that isn't already installed in the configuration, the command returns an error. Be sure to review the [Package reinstall considerations](#package-reinstall-considerations) section before working with the command. + +Updating packages in a project or solution by using [PackageReference](../Consume-Packages/Package-References-in-Project-Files.md) always updates to the latest version of the package (excluding prerelease packages). Projects that use the `packages.config` management format can limit upgrade versions as described in [Constraints on upgrade versions](#constraints-on-upgrade-versions). + +The following sections provide examples for working with the command. -Being mindful of the [Considerations](#considerations) described below, you can easily reinstall any package using the [Update-Package command](../reference/ps-reference/ps-ref-update-package.md) in the Visual Studio Package Manager Console (**Tools** > **NuGet Package Manager** > **Package Manager Console**). +### Reinstall package options -```ps +Here's a basic usage of the command to do a reinstall. To identify a specific NuGet package, you can use the optional `-Id` parameter. + +```powershell +# Reinstall the package named Update-Package -Id –reinstall ``` -Using this command is much easier than removing a package and then trying to locate the same package in the NuGet gallery with the same version. Note that the `-Id` switch is optional. +Using the `Update-Package` command is easier than removing a package and then trying to locate the same package in the NuGet gallery with the same version. + +### Update package options -The same command without `-reinstall` updates a package to a newer version, if applicable. The command gives an error if the package in question is not already installed in a project; that is, `Update-Package` does not install packages directly. +The same command without the `-reinstall` parameter updates a package to a newer version, if applicable. The command returns an error if the specified package isn't already installed in a project. -```ps +```powershell +# Update the package named Update-Package ``` -By default, `Update-Package` affects all projects in a solution. To limit the action to a specific project, use the `-ProjectName` switch, using the name of the project as it appears in Solution Explorer: +### Project and solution options + +By default, the `Update-Package` command affects all projects in a solution. To limit the action to a specific project, use the `-ProjectName` parameter. Provide the name of the project as it appears in Visual Studio Solution Explorer. -```ps -# Reinstall the package in just MyProject +The following command reinstalls a NuGet package for a specific project in your solution. The name of the specific NuGet package to reinstall is provided in the `` parameter. + +```powershell +# Reinstall the package named in MyProject only Update-Package -ProjectName MyProject -reinstall ``` -To *update* all packages in a project (or reinstall using `-reinstall`), use `-ProjectName` without specifying any particular package: +If you want to reinstall all packages in your project, use the `-ProjectName` parameter by don't specify any particular package. You can follow this same approach to update the packages in your project, as shown in this example: -```ps +```powershell +# Update all packages in MyProject only Update-Package -ProjectName MyProject ``` -To update all packages in a solution, just use `Update-Package` by itself with no other arguments or switches. Use this form carefully, because it can take considerable time to perform all the updates: +To update all packages in a solution, just use the `Update-Package` command by itself with no other arguments or parameters. + +> [!IMPORTANT] +> Be sure to use the following form of the command carefully. The command process can take considerable time to perform all of the updates. -```ps -# Updates all packages in all projects in the solution +```powershell +# Update all packages in all projects in the solution Update-Package ``` -Updating packages in a project or solution using [PackageReference](../Consume-Packages/Package-References-in-Project-Files.md) always updates to the latest version of the package (excluding pre-release packages). Projects that use `packages.config` can, if desired, limit update versions as described below in [Constraining upgrade versions](#constraining-upgrade-versions). +## Package reinstall considerations + +If you intend to use the `Update-Package` command to reinstall packages, review the following considerations to ensure compatibility with your configuration scenario. + +- Packages and their dependencies might not support a retargeted project target framework. +- When the `requireReinstallation` attribute is set to `true`, Visual Studio issues build warnings for affected packages. +- Reinstall of a package and version constraints can introduce dependency version compatibility issues. +- Reinstall of a specific package can cause dependent packages to break. + +### Package doesn't support project target framework + +If you retarget your project target framework, one or more packages might not support the new target configuration. + +Usually, reinstalling a package with the `Update-Package –reinstall ` command works. A package installed against an old target framework is uninstalled and the same package is installed against the new target framework of the project. + +In some cases, a package might not support the new target framework. Here are some of the issues you might encounter: + +- If a package supports portable class libraries (PCLs), and you retarget the project to a combination of platforms no longer supported by the package, references to the package can be missing after reinstalling. + +- This issue can surface for packages you use directly or for packages installed as dependencies. Any package that you use directly might support the new target framework while their dependencies don't. + +- If reinstalling packages after retargeting your application results in build or runtime errors, you might need to revert your target framework or search for alternative packages that properly support your new target framework. + +### requireReinstallation attribute set to true + +After you retarget your project target framework or upgrade NuGet packages, NuGet might add the `requireReinstallation` attribute to the `packages.config` file for your project. If NuGet detects affected packages during the retargeting or upgrading process, it adds a `requireReinstallation="true"` attribute to the `packages.config` file for all affected package references. As a result, each subsequent build of your project in Visual Studio raises build warnings for those packages. The warnings are presented as a reminder to reinstall the affected package. + +### Package dependency version incompatibility -For full details on the command, see the [Update-Package](../reference/ps-reference/ps-ref-update-package.md) reference. +The `Update-Package –reinstall` command reinstalls the **same** version of an installed package and the **latest** version of any dependencies. To address version incompatibility issues, you can set version range constraints to control the configuration. NuGet adheres to the constraints and updates the package dependencies to newer versions only as required to fix an issue. -### Considerations +- If your constraint settings cause a dependency to revert to an earlier version during package reinstall, you can address the issue with the `Update-Package ` command. This command reinstalls the specified dependency without affecting the dependent package. -The following may be affected when reinstalling a package: +- You can also use the `Update-Package –reinstall -ignoreDependencies` command. This option reinstalls the same version of the original package, but it doesn't reinstall dependencies. Use this approach when updating package dependencies might result in a broken configuration state. -1. **Reinstalling packages according to project target framework retargeting** - - In a simple case, just reinstalling a package using `Update-Package –reinstall ` works. A package that is installed against an old target framework gets uninstalled and the same package gets installed against the current target framework of the project. - - In some cases, there may be a package that does not support the new target framework. - - If a package supports portable class libraries (PCLs) and the project is retargeted to a combination of platforms no longer supported by the package, references to the package will be missing after reinstalling. - - This can surface for packages you're using directly or for packages installed as dependencies. It's possible for the package you're using directly to support the new target framework while its dependency does not. - - If reinstalling packages after retargeting your application results in build or runtime errors, you may need to revert your target framework or search for alternative packages that properly support your new target framework. +### Broken dependent package -1. **requireReinstallation attribute added in packages.config after project retargeting or upgrade** - - If NuGet detects that packages were affected by retargeting or upgrading a project, it adds a `requireReinstallation="true"` attribute in `packages.config` to all affected package references. Because of this, each subsequent build in Visual Studio raises build warnings for those packages so you can remember to reinstall them. +When you reinstall a specific package, any installed packages that depend on the reinstalled package aren't updated. The versions of these other installed packages remain the same. As a result, reinstalling a dependency can break a dependent package. -1. **Reinstalling packages with dependencies** - - `Update-Package –reinstall` reinstalls the same version of the original package, but installs the latest version of dependencies unless specific version constraints are provided. This allows you to update only the dependencies as required to fix an issue. However, if this rolls a dependency back to an earlier version, you can use `Update-Package ` to reinstall that one dependency without affecting the dependent package. - - `Update-Package –reinstall -ignoreDependencies` reinstalls the same version of the original package but does not reinstall dependencies. Use this when updating package dependencies might result in a broken state +## Related articles -1. **Reinstalling packages when dependent versions are involved** - - As explained above, reinstalling a package does not change versions of any other installed packages that depend on it. It's possible, then, that reinstalling a dependency could break the dependent package. +- Review the [packages.config](../reference/packages-config.md) management format. +- Implement [PackageReference](../consume-packages/Package-References-in-Project-Files.md) in project files. +- Use the [Update-Package command](../reference/ps-reference/ps-ref-update-package.md) in the NuGet Package Manager Console in Visual Studio. +- Explore [package versioning](../concepts/package-versioning.md#version-ranges) notation formats. diff --git a/docs/consume-packages/Team-Foundation-Build.md b/docs/consume-packages/Team-Foundation-Build.md index 31ad42f2a..7b631ef7e 100644 --- a/docs/consume-packages/Team-Foundation-Build.md +++ b/docs/consume-packages/Team-Foundation-Build.md @@ -4,7 +4,7 @@ description: A walkthrough of how NuGet package restore with with Team Foundatio author: JonDouglas ms.author: jodou ms.date: 01/09/2017 -ms.topic: conceptual +ms.topic: concept-article --- # Setting up package restore with Team Foundation Build @@ -81,7 +81,7 @@ The source code is under the `src` folder. Although our demo only uses a single ### Ignore files > [!Note] -> There is currently a [known bug in the NuGet client](https://nuget.codeplex.com/workitem/4072) that causes the client to still add the `packages` folder to version control. A workaround is to disable the source control integration. In order to do that, you need a `Nuget.Config ` file in the `.nuget` folder that is parallel to your solution. If this folder doesn't exist yet, you need to create it. In [`Nuget.Config`](../consume-packages/configuring-nuget-behavior.md), add the following content: +> There is currently a `[known bug in the NuGet client](https://nuget.codeplex.com/workitem/4072)` that causes the client to still add the `packages` folder to version control. A workaround is to disable the source control integration. In order to do that, you need a `Nuget.Config ` file in the `.nuget` folder that is parallel to your solution. If this folder doesn't exist yet, you need to create it. In [`Nuget.Config`](../consume-packages/configuring-nuget-behavior.md), add the following content: ```xml diff --git a/docs/consume-packages/configuring-nuget-behavior.md b/docs/consume-packages/configuring-nuget-behavior.md index 6091482cb..388cafd94 100644 --- a/docs/consume-packages/configuring-nuget-behavior.md +++ b/docs/consume-packages/configuring-nuget-behavior.md @@ -1,23 +1,23 @@ --- title: Common NuGet configurations -description: NuGet.Config files control NuGet's behavior both globally and on a per-project basis, and are modified with nuget config command. +description: NuGet.Config files control NuGet's behavior, and can be modified with nuget config command. author: JonDouglas ms.author: jodou ms.date: 01/10/2022 -ms.topic: conceptual +ms.topic: article --- # Common NuGet configurations -NuGet's behavior is driven by the accumulated settings in one or more `NuGet.Config` (XML) files that can exist at project-, user-, and computer-wide levels. A global `NuGetDefaults.Config` file also specifically configures package sources. Settings apply to all commands issued in the CLI, the Package Manager Console, and the Package Manager UI. +NuGet's behavior is driven by the accumulated settings in one or more config (XML) files that can exist at solution- (project if no solution is used), user-, and computer-wide levels. ## Config file locations and uses | Scope | `NuGet.Config` file location | Description | | --- | --- | --- | -| Solution | Current folder (aka Solution folder) or any folder up to the drive root.| In a solution folder, settings apply to all projects in subfolders. Note that if a config file is placed in a project folder, it has no effect on that project. | -| User | **Windows:** `%appdata%\NuGet\NuGet.Config`
**Mac/Linux:** `~/.config/NuGet/NuGet.Config` or `~/.nuget/NuGet/NuGet.Config` (varies by tooling)
Additional configs are supported on all platforms. These configs cannot be edited by the tooling.
**Windows:** `%appdata%\NuGet\config\*.Config`
**Mac/Linux:** `~/.config/NuGet/config/*.config` or `~/.nuget/config/*.config` | Settings apply to all operations, but are overridden by any project-level settings. | -| Computer | **Windows:** `%ProgramFiles(x86)%\NuGet\Config`
**Mac/Linux:** `$XDG_DATA_HOME`. If `$XDG_DATA_HOME` is null or empty, `~/.local/share` or `/usr/local/share` will be used (varies by OS distribution) | Settings apply to all operations on the computer, but are overridden by any user- or project-level settings. | +| Solution | Current folder (aka Solution folder) or any folder up to the drive root.| In a solution folder, settings apply to all projects in subfolders. Note that if a config file is placed in a project folder, it has no effect on that project. When restoring a project on the command line, the project's directory is treated as the solution directory, which can lead to differences in behaviour when restoring the project vs solution. | +| User | **Windows:** `%appdata%\NuGet\NuGet.Config`
**Mac/Linux:** `~/.config/NuGet/NuGet.Config` or `~/.nuget/NuGet/NuGet.Config` (varies by tooling)
Additional configs are supported on all platforms. These configs cannot be edited by the tooling.
**Windows:** `%appdata%\NuGet\config\*.Config`
**Mac/Linux:** `~/.config/NuGet/config/*.config` or `~/.nuget/config/*.config` | Settings apply to all operations, but are overridden by any solution-level settings. | +| Computer | **Windows:** `%ProgramFiles(x86)%\NuGet\Config`
**Mac/Linux:** `/etc/opt/NuGet/Config` (Linux) or `/Library/Application Support` (Mac) by default. If `$NUGET_COMMON_APPLICATION_DATA` is neither null nor empty, then `$NUGET_COMMON_APPLICATION_DATA/NuGet/Config` instead | Settings apply to all operations on the computer, but are overridden by any user- or solution-level settings. | > [!Note] > On Mac/Linux, the user config file location varies by tooling. .NET CLI uses `~/.nuget/NuGet` folder, while Mono uses `~/.config/NuGet` folder. @@ -33,7 +33,7 @@ These other tools look for the user config file under the `~/.config/NuGet` fold If the tooling you use involves both locations, consider consolidating them by following these steps to allow you to work with only one user-level config file: 1. Check the contents of the two user-level config files and keep the one you want under `~/.nuget/NuGet` folder. -2. Set symbolic link from `~/.nuget/NuGet` to `~/.config/Nuget`. E.g. Run bash command: `ln -s ~/.nuget/NuGet ~/.config/Nuget`. +2. Set symbolic link from `~/.nuget/NuGet` to `~/.config/NuGet`. E.g. Run bash command: `ln -s ~/.nuget/NuGet ~/.config/NuGet`. Notes for earlier versions of NuGet: @@ -58,29 +58,35 @@ Settings are managed using the NuGet CLI [config command](../reference/cli-refer Windows: ```cli -# Set repositoryPath in the user-level config file -nuget config -set repositoryPath=c:\packages +# Set globalPackagesFolder in the user-level config file +dotnet nuget config set globalPackagesFolder "C:\packages" -# Set repositoryPath in project-level files -nuget config -set repositoryPath=c:\packages -configfile c:\my.Config -nuget config -set repositoryPath=c:\packages -configfile .\myApp\NuGet.Config +# Set repositoryPath (available for packages.config only) in the user-level config file +dotnet nuget config set repositoryPath "C:\packages" + +# Set repositoryPath in solution-level files +dotnet nuget config set repositoryPath "C:\packages" --configfile "C:\my.config" +dotnet nuget config set repositoryPath "c:\packages" --configfile "..\..\my.config" # Set repositoryPath in the computer-level file (requires elevation) -nuget config -set repositoryPath=c:\packages -configfile %ProgramFiles(x86)%\NuGet\Config\NuGet.Config +dotnet nuget config set repositoryPath "c:\packages" --configfile "%appdata%\NuGet\NuGet.Config" ``` Mac/Linux: ```cli -# Set repositoryPath in the user-level config file -nuget config -set repositoryPath=/home/packages +# Set globalPackagesFolder in the user-level config file +dotnet nuget config set globalPackagesFolder /home/packages + +# Set repositoryPath (available for packages.config only) in the user-level config file +dotnet nuget config set repositoryPath /home/packages -# Set repositoryPath in project-level files -nuget config -set repositoryPath=/home/projects/packages -configfile /home/my.Config -nuget config -set repositoryPath=/home/packages -configfile home/myApp/NuGet.Config +# Set repositoryPath in solution-level files +dotnet nuget config set repositoryPath /home/projects/packages --configfile /home/my.Config +dotnet nuget config set repositoryPath /home/packages --configfile home/myApp/NuGet.Config # Set repositoryPath in the computer-level file (requires elevation) -nuget config -set repositoryPath=/home/packages -configfile $XDG_DATA_HOME/NuGet.Config +dotnet nuget config set repositoryPath /home/packages --configfile $XDG_DATA_HOME/NuGet.Config ``` > [!Note] @@ -100,7 +106,10 @@ nuget config -set repositoryPath= -configfile /home/my.Config ### Creating a new config file -Copy the template below into the new file and then use `nuget config -configFile ` to set values: +Using the .NET CLI, create a default nuget.config by running `dotnet new nugetconfig`. +For more information, see [dotnet CLI commands](../reference/dotnet-commands.md#package-consumption). + +Alternatively, manually copy the template below into the new file and then use `nuget config -configFile ` to set values: ```xml @@ -110,24 +119,27 @@ Copy the template below into the new file and then use `nuget config -configFile ## How settings are applied -Multiple `NuGet.Config` files allow you to store settings in different locations so that they apply to a single project, a group of projects, or all projects. These settings collectively apply to any NuGet operation invoked from the command line or from Visual Studio, with settings that exist "closest" to a project or the current folder taking precedence. +Multiple `NuGet.Config` files allow you to store settings in different locations so that they apply to a single solution, or a group of solutions. +These settings collectively apply to any NuGet operation invoked from the command line or from Visual Studio, with settings that exist "closest" to a solution or the current folder taking precedence. +If a command line tool is used on a project file, rather than a solution file, then the project directory is used as the "solution directory", which can lead to inconsistent behaviour when there is a `NuGet.Config` file in a subdirectory of the solution file. -Specifically, NuGet loads settings from the different config files in the following order: +Specifically, when a config file is not specified explicitly on the command line, NuGet loads settings from the different config files in the following order: -1. The [`NuGetDefaults.Config` file](#nuget-defaults-file), which contains settings related only to package sources. +1. (*Uncommon*) The [`NuGetDefaults.Config` file](#nuget-defaults-file), which contains settings related only to package sources. 1. The computer-level file. 1. The user-level file. -1. The file specified with `-configFile`. -1. Files found in every folder in the path from the drive root to the current folder (where `nuget.exe` is invoked or the folder containing the Visual Studio project). For example, if a command is invoked in `c:\A\B\C`, NuGet looks for and loads config files in `c:\`, then `c:\A`, then `c:\A\B`, and finally `c:\A\B\C`. +1. Files found in every folder in the path from the drive root to the current folder (where `nuget.exe` is invoked or the folder containing the Visual Studio solution). For example, if a command is invoked in `c:\A\B\C`, NuGet looks for and loads config files in `c:\`, then `c:\A`, then `c:\A\B`, and finally `c:\A\B\C`. + +When a config file is explicitly specified on the command line, for example `nuget -configFile my.config` or `dotnet restore --configfile my.config`, only the settings from the specified file will be used. As NuGet finds settings in these files, they are applied as follows: -1. For single-item elements, NuGet replaced any previously-found value for the same key. This means that settings that are "closest" to the current folder or project override any others found earlier. For example, the `defaultPushSource` setting in `NuGetDefaults.Config` is overridden if it exists in any other config file. +1. For single-item elements, NuGet replaced any previously-found value for the same key. This means that settings that are "closest" to the current folder or solution override any others found earlier. For example, the `defaultPushSource` setting in `NuGetDefaults.Config` is overridden if it exists in any other config file. 1. For collection elements (such as ``), NuGet combines the values from all configuration files into a single collection. 1. When `` is present for a given node, NuGet ignores previously defined configuration values for that node. > [!Tip] -> Add a `nuget.config` file in the root of your project repository. This is considered a best practice as it promotes repeatability and ensures that different users have the same NuGet configuration. +> Add a `nuget.config` file in the root of your solution repository. This is considered a best practice as it promotes repeatability and ensures that different users have the same NuGet configuration. ### Settings walkthrough @@ -151,9 +163,9 @@ File A. User-level file, (`%appdata%\NuGet\NuGet.Config` on Windows, `~/.config/ ```xml - - - + + + ``` @@ -223,7 +235,9 @@ These files cannot be edited by the standard tooling. ## NuGet defaults file -The `NuGetDefaults.Config` file exists to specify package sources from which packages are installed and updated, and to control the default target for publishing packages with `nuget push`. Because administrators can conveniently (using Group Policy, for example) deploy consistent `NuGetDefaults.Config` files to developer and build machines, they can ensure that everyone in the organization is using the correct package sources rather than nuget.org. +The `NuGetDefaults.Config` is uncommon and can only specify package sources from which packages are installed and updated, or control the default target for publishing packages with `nuget push`. + +Because administrators can conveniently (using Group Policy, for example) deploy consistent `NuGetDefaults.Config` files to developer and build machines, they can ensure that everyone in the organization is using consistent package sources, whether or not that includes nuget.org. > [!Important] > The `NuGetDefaults.Config` file never causes a package source to be removed from a developer's NuGet configuration. That means if the developer has already used NuGet and therefore has the nuget.org package source registered, it won't be removed after the creation of a `NuGetDefaults.Config` file. diff --git a/docs/consume-packages/consuming-packages-authenticated-feeds.md b/docs/consume-packages/consuming-packages-authenticated-feeds.md index 66a12bbdc..126662636 100644 --- a/docs/consume-packages/consuming-packages-authenticated-feeds.md +++ b/docs/consume-packages/consuming-packages-authenticated-feeds.md @@ -3,98 +3,147 @@ title: Consuming packages from authenticated feeds description: Consuming packages from authenticated feeds in all NuGet client scenarios author: nkolev92 ms.author: nikolev -ms.date: 02/28/2020 -ms.topic: conceptual +ms.date: 12/22/2023 +ms.topic: how-to +ms.custom: sfi-ropc-nochange --- # Consuming packages from authenticated feeds -In addition to the nuget.org [public feed](https://api.nuget.org/v3/index.json), NuGet clients have the ability to interact with file feeds and private http feeds. +Many NuGet operations, such as restore and install, require communication with one or more package sources, which [can be configured in *nuget.config* files](../reference/nuget-config-file.md#packagesources). +> [!NOTE] +> Use package sources that you trust. -To authenticate with private http feeds, the 2 approaches are: +For HTTP feeds, NuGet will make an unauthenticated request, and if the server responds with an HTTP 401 response, NuGet will search for credentials in the following order: -* Add credentials in the [NuGet.config](../reference/nuget-config-file.md#packagesourcecredentials) -* Authenticate using one of the many extensibility models depending on the client used. +1. [An environment variable `NuGetPackageSourceCredentials_{name}`](#credentials-in-environment-variables). +1. [Credentials in *nuget.config* files](#credentials-in-nugetconfig-files). +1. [Use a NuGet credential provider, if your package source provides one](#credential-providers). -## NuGet clients' authentication extensibility +The credentials you need to use are determined by the package source. +Therefore, unless you're using a credential provider, you should check with your package source for what credentials to use. +It is very common for package sources to forbid you from using your password (that you log into the website with) with NuGet. +Typically you need to create a Personal Access Token to use as NuGet's password, but you should check the documentation for the NuGet server you're using. +Some package sources, such as Azure DevOps and GitHub, have scoped access tokens, so you may need to ensure that any tokens you create include the required scope. -For the various NuGet clients, the private feed provider itself is responsible for authentication. -All NuGet clients have extensibility methods to support this. These are either a Visual Studio extension or a plugin that can communicate with NuGet to retrieve credentials. +## Security best practices for managing credentials -### Visual Studio +Although NuGet searches for credentials in the order mentioned above, we recommend the following sequence for securely managing credentials when authenticating with private feeds: -In Visual Studio, NuGet exposes an interface that feed providers can implement and provide to their customers. For more details, please refer to the documentation on [how to create a Visual Studio credential provider](../reference/extensibility/NuGet-Credential-Providers-for-Visual-Studio.md). +1. **Credential Provider**: It is highly recommended to use a credential provider whenever possible. +This approach avoids storing secrets in plain text and minimizes the risk of accidentally exposing secrets through source control. +Moreover, it generally reduces the number of places you need to update when a credential expires or changes. +If the credential provider supports single sign-on, it may decrease the frequency of logins or the number of places where credentials need to be saved. +Refer to the [credential providers](#credential-providers) section for more information. -#### Available NuGet credential providers for Visual Studio +1. **Encrypted Credentials in nuget.config**: If a credential provider is not available, you should consider using encrypted credentials. +This approach provides an extra layer of security by storing the credentials in an encrypted format. +For more information, refer to the section on [credentials in *nuget.config* files](#credentials-in-nugetconfig-files). -There is a credential provider built into Visual Studio to support Azure DevOps. + > [!NOTE] + > Be aware that encrypted passwords are only supported on Windows. + > Moreover, they can only be decrypted on the same machine and by the same user who originally encrypted them. +1. **Using Environment Variable Macros in nuget.config**: If using encrypted credentials is not possible, consider storing the credentials in the *nuget.config* file with environment variable macros. +This approach allows you to reference environment variables that contain the actual credentials. +It enhances transparency and helps end users understand how their credentials are configured. +For more information, refer to the section on [credentials in *nuget.config* files](#credentials-in-nugetconfig-files). -Available plug-in credential providers include: +1. **Using Environment Variables Directly**: As a fallback option, you can store the credentials directly in environment variables. +However, be aware that this approach may offer less visibility and control compared to using environment variable macros in the *nuget.config* file. +For more information, refer to the section on [credentials in environment variables](#credentials-in-environment-variables). -* [MyGet Credential Provider for Visual Studio](http://docs.myget.org/docs/reference/credential-provider-for-visual-studio) +1. **Clear Text Credentials in NuGet.Config**: It is highly recommended to use one of the previously mentioned options. +If these options are not feasible, you can store the credentials in the *nuget.config* file. +However, this option should only be used in environments where no other secure option is available. +For more information, refer to the section on [credentials in *nuget.config* files](#credentials-in-nugetconfig-files). -### nuget.exe + > [!WARNING] + > Storing credentials in clear text in the *nuget.config* file, especially when saving the file in source control, is risky as it increases the chances of accidental credential leaks. + > If you must store credentials in the *nuget.config* file, consider using one of the more secure options mentioned above. -When `nuget.exe` needs credentials to authenticate with a feed, it looks for them in the following manner: +By adhering to these best practices, you can securely authenticate private feeds while minimizing the risk of sensitive information exposure. -1. Look for credentials in `NuGet.config` files. -1. Use V2 plug-in credential providers -1. Use V1 plug-in credential providers -1. NuGet then prompts the user for credentials on the command line. +## Credentials in environment variables -#### nuget.exe and V2 credential providers +NuGet will search for an environment variable named `NuGetPackageSourceCredentials_{name}`, where `{name}` is the value of `key="name"` in your *nuget.config* file's package source. +The value of the environment variable must be `Username={username};Password={password}`, and may optionally include `;ValidAuthenticationTypes={types}`. +If the environment variable doesn't match NuGet's convention, or the value doesn't meet NuGet's expected pattern, NuGet will silently ignore the environment variable, and continue searching for credentials for the package source elsewhere. +There are no logs to signal that NuGet uses the credential from the environment variable, which can cause difficulties in debugging authentication problems if the environment variable contains an expired secret, and the new secret is added to a *nuget.config* file, since the config file has lower precedence. -In version `4.8` NuGet defined a new authentication plugin mechanism, hereafter referred to as V2 credential providers. -For the installation and discovery of those providers, refer to [NuGet cross platform plugins](../reference/extensibility/NuGet-Cross-Platform-Plugins.md#plugin-installation-and-discovery). +> [!TIP] +> Using environment variables in CI/CD pipelines is an excellent choice to minimize the risk of secrets being captured in logs. -#### nuget.exe and V1 credential providers +For example, consider the following *nuget.config* file: -In version `3.3` NuGet introduced the first version of authentication plugins. -For the installation and discovery of those providers refer to [nuget.exe credential providers](../reference/extensibility/nuget-exe-Credential-Providers.md#nugetexe-credential-provider-discovery) +```xml + + + + + + +``` -#### Available credential providers for nuget.exe +In this case, the source name is `Contoso` and NuGet will look for the environment variable name `NuGetPackageSourceCredentials_Contoso`. +Some platforms are case-sensitive, so take care about using the correct upper and lower case characters for the environment name and the source name, as defined in your *nuget.config* file. -* [Azure DevOps V2 Credential Providers](/azure/devops/artifacts/nuget/nuget-exe#add-a-feed-to-nuget-482-or-later) or [Azure Artifacts Credential Provider](https://github.com/microsoft/artifacts-credprovider) +If the username is `nugetUser` and the password is `secret123`, the environment variable's value should be set to `Username=nugetUser;Password=secret123`. +If NuGet should only use this credential for HTTP Basic authentication, but not other authentication schemes, you can set the environment variable's value to `Username=nugetUser;Password=secret123;ValidAuthenticationTypes=Basic`. +For more information about valid authentication types, see [the docs on package credentials in *nuget.config* files](../reference/nuget-config-file.md#packagesourcecredentials). -With Visual Studio 2017 version 15.9 and later, the Azure DevOps credential provider is bundled in Visual Studio. -If `nuget.exe` uses MSBuild from that specific Visual Studio toolset, then the plugin will be discovered automatically. +> [!NOTE] +> Environment variables have restrictions on allowed characters, and different operating systems may have different restrictions. +> For example, spaces are not allowed. +> Therefore, you use this environment variable feature to specify NuGet credentials for package sources that use any characters that are invalid for your platform's environment variables. +> In such cases, you should rename the package source in your *nuget.config* file. -### dotnet.exe +## Credentials in *nuget.config* files -When `dotnet.exe` needs credentials to authenticate with a feed, it looks for them in the following manner: +*nuget.config* files can contain package source credentials. +See [the *nuget.config* file reference doc section on package source credentials](../reference/nuget-config-file.md#packagesourcecredentials) for more information, including syntax. +However, it's easier to use [`dotnet nuget update source`](/dotnet/core/tools/dotnet-nuget-update-source) on the command line to set the credentials. -1. Look for credentials in `NuGet.config` files. -1. Use V2 plug-in credential providers +> [!WARNING] +> Take care when setting credentials in *nuget.config* files, especially when saving the credential as plain text. +> If the credential is written to a *nuget.config* file that is in source control, there is an increased risk of accidentally leaking the secret. +> +> As [NuGet accumulates settings from multiple files](../consume-packages/configuring-nuget-behavior.md), it is recommended to save credentials to your user *nuget.config* file. +> We also recommend to save package sources in the solution (source code repository) *nuget.config* file, including a `` element, for build reliability. -By default `dotnet.exe` is not interactive, so you might need to pass an `--interactive` flag to get the tool to block for authentication. +The username and plain text password in a *nuget.config* file can use an environment variable by adding `%` to the beginning and end of the environment variable name you would like to use. +For more information, see [the *nuget.config* reference docs on using environment variables](../reference/nuget-config-file.md#using-environment-variables). -#### dotnet.exe and V2 credential providers +## Credential providers -In version `2.2.100` of the SDK, NuGet defined an authentication plugin mechanism that works in all clients. -For the installation and discovery of those providers, refer to [NuGet cross platform plugins](../reference/extensibility/NuGet-Cross-Platform-Plugins.md#plugin-installation-and-discovery). +NuGet has an extensibility model, allowing [plugins to provide NuGet credentials](../reference/extensibility/NuGet-Cross-Platform-Authentication-Plugin.md). +The [path that credential providers must be installed](../reference/extensibility/NuGet-Cross-Platform-Plugins.md#plugin-installation-and-discovery), for NuGet to discover, is different for .NET Framework (NuGet.exe, MSBuild, and Visual Studio), and the .NET SDK (running on the .NET 5+ runtime). -#### Available credential providers for dotnet.exe +NuGet has a concept of being run in interactive mode or non-interactive mode. +When in non-interactive mode, credential providers are asked not to block NuGet. +While in interactive mode, the credential provider may prompt you to log in. +Different tools have different defaults, so interactive mode may need to be opt-in or opt-out, depending on your scenario. -* [Azure Artifacts Credential Provider](https://github.com/microsoft/artifacts-credprovider) +|Tool|Default|Toggle| +|--|--|--| +|`dotnet` CLI|non-interactive|`--interactive` argument. For example, `dotnet restore --interactive`.| +|MSBuild|non-interactive|`NuGetInteractive` MSBuild property. For example, `msbuild -t:restore -p:NuGetInteractive=true`.| +|NuGet.exe|interactive|`-NonInteractive` argument. For example, `nuget.exe restore -NonInteractive`.| +|Visual Studio|interactive|not possible to run in non-interactive mode.| -### MSBuild.exe +[NuGet.exe supports both V1 and V2 credential providers](../reference/extensibility/nuget-exe-Credential-Providers.md), while MSBuild and the .NET SDK only support the cross platform (V2) plugins. -When `MSBuild.exe` needs credentials to authenticate with a feed, it looks for them in the following manner: +In Visual Studio, NuGet has a [Visual Studio Credential Provider interface](../reference/extensibility/NuGet-Credential-Providers-for-Visual-Studio.md), which credential providers can use to provide a graphical login experience, or call Visual Studio APIs if necessary. +NuGet in Visual Studio will fall back to the command line credential providers if it can't find a Visual Studio credential provider that handles the source. -1. Look for credentials in `NuGet.config` files -1. Use V2 plug-in credential providers +Visual Studio 2017 version 15.9, and above, includes a credential provider for [Azure Artifacts](/azure/devops/artifacts/), that works within Visual Studio, MSBuild, and NuGet.exe. +However, the credential provider for the .NET SDK is not included by Visual Studio, so [must be installed separately](https://github.com/microsoft/artifacts-credprovider?tab=readme-ov-file#setup) to work with the `dotnet` CLI. -By default `MSBuild.exe` is not interactive, so you might need to set the `/p:NuGetInteractive=true` property to get the tool to block for authentication. +### List of credential providers -#### MSBuild.exe and V2 credential providers +Here is a list of credential providers we are aware of: -In Visual Studio 2019 Update 9, NuGet defined an authentication plugin mechanism that works in all clients. -For the installation and discovery of those providers, refer to [NuGet cross platform plugins](../reference/extensibility/NuGet-Cross-Platform-Plugins.md#plugin-installation-and-discovery). - -#### Available credential providers for MSBuild.exe - -* [Azure Artifacts Credential Provider](https://github.com/microsoft/artifacts-credprovider) - -With Visual Studio 2017 Update 9 and later, the Azure DevOps credential provider is bundled in Visual Studio. No additional steps are required. +* [AWS CodeArtifact NuGet Credential Provider](https://docs.aws.amazon.com/codeartifact/latest/ug/nuget-cli.html#nuget-configure-cli) +* [Azure Artifacts Credential Provider](https://github.com/microsoft/artifacts-credprovider). This link is just for the command line credential provider. +* [MyGet Credential Provider for Visual Studio](http://docs.myget.org/docs/reference/credential-provider-for-visual-studio). diff --git a/docs/consume-packages/install-use-packages-dotnet-cli.md b/docs/consume-packages/install-use-packages-dotnet-cli.md index 2858415ba..44e878149 100644 --- a/docs/consume-packages/install-use-packages-dotnet-cli.md +++ b/docs/consume-packages/install-use-packages-dotnet-cli.md @@ -3,8 +3,8 @@ title: Install and manage NuGet packages with the dotnet CLI description: See how to use the dotnet CLI to install, list, remove, and update NuGet packages. author: mikejo5000 ms.author: mikejo -ms.date: 08/29/2022 -ms.topic: conceptual +ms.date: 03/03/2025 +ms.topic: install-set-up-deploy --- # Install and manage NuGet packages with the dotnet CLI diff --git a/docs/consume-packages/install-use-packages-nuget-cli.md b/docs/consume-packages/install-use-packages-nuget-cli.md index 0c12d383e..3b6639dc4 100644 --- a/docs/consume-packages/install-use-packages-nuget-cli.md +++ b/docs/consume-packages/install-use-packages-nuget-cli.md @@ -3,8 +3,8 @@ title: Manage NuGet packages with the NuGet CLI description: Instructions for using the NuGet CLI, nuget.exe, to manage NuGet packages. author: mikejo5000 ms.author: mikejo -ms.date: 08/29/2022 -ms.topic: conceptual +ms.date: 03/03/2025 +ms.topic: how-to --- # Manage NuGet packages with the NuGet CLI diff --git a/docs/consume-packages/install-use-packages-powershell.md b/docs/consume-packages/install-use-packages-powershell.md index 02e97c7e2..0e7881326 100644 --- a/docs/consume-packages/install-use-packages-powershell.md +++ b/docs/consume-packages/install-use-packages-powershell.md @@ -3,8 +3,8 @@ title: Manage NuGet packages with the Visual Studio Package Manager Console description: See how to work with NuGet packages by using PowerShell commands in the Visual Studio Package Manager Console. author: JonDouglas ms.author: jodou -ms.date: 08/29/2022 -ms.topic: conceptual +ms.date: 03/03/2025 +ms.topic: how-to f1_keywords: - "vs.nuget.packagemanager.console" --- diff --git a/docs/consume-packages/install-use-packages-visual-studio.md b/docs/consume-packages/install-use-packages-visual-studio.md index ff2f5ced7..db1eb5d54 100644 --- a/docs/consume-packages/install-use-packages-visual-studio.md +++ b/docs/consume-packages/install-use-packages-visual-studio.md @@ -3,12 +3,9 @@ title: Install and manage packages in Visual Studio using the NuGet Package Mana description: Learn how to use the NuGet Package Manager UI in Visual Studio for working with NuGet packages. author: JonDouglas ms.author: jodou -ms.date: 08/30/2022 -ms.topic: conceptual +ms.date: 03/03/2025 +ms.topic: install-set-up-deploy f1_keywords: - - "vs.toolsoptionspages.nuget_package_manager" - - "vs.toolsoptionspages.nuget_package_manager.general" - - "vs.toolsoptionspages.nuget_package_manager.package_sources" - "vs.nuget.packagemanager.ui" --- @@ -38,9 +35,24 @@ To find and install a NuGet package with Visual Studio, follow these steps: The **NuGet Package Manager** window opens. -1. Select the **Browse** tab to display packages by popularity from the currently selected source (see [Package sources](#package-sources)). To search for a specific package, use the search box on the upper left. Select a package from the list to display its information on the right pane, which enables you to select a version to install. +1. Select the **Browse** tab to display packages by popularity from the currently selected source (see [Package sources](#package-sources)). - :::image type="content" source="media/package-manager-install-tab.png" alt-text="Screenshot showing the NuGet Package Manager window with the Browse tab selected."::: + - To search for a specific package, use the search box on the upper left. + - Abbreviated information may be shown beside each package ID to help identify the correct package, and varies based on the selected package source(s). + Examples include package download count, author, or owner profile hyperlinks. + + > [!Note] + > In Visual Studio 17.11 and higher, package owners are shown as profile hyperlinks when supported by the selected package source. + > Package ownership is defined by the package source. For example, see [Manage package owners on nuget.org](../nuget-org/publish-a-package.md#manage-package-owners-on-nugetorg). + > + > In Visual Studio 17.10 and earlier, the package *author* metadata is shown, which appears as plain-text. + > For more information, see [Authors package metadata](../create-packages/package-authoring-best-practices.md#authors). + + - Select a package to see detailed package information. + The details pane on the right appears and enables you to select a version to install. + ![Screenshot showing the NuGet Package Manager window with the Browse tab, details pane, and "Package Details" tab selected.](media/package-manager-package-details.png) + You can see package metadata, information about the owner(s), author(s), license, etc., in the Package Details tab and the package README file (if it is provided by the package author) in the README tab. + ![Screenshot showing the NuGet Package Manager window with the README tab selected.](media/package-manager-package-readme.png) 1. In the right pane, select a **Version** from the dropdown list. If you want to include prerelease versions in the **Version** list, select **Include prerelease**. @@ -114,8 +126,6 @@ In this example, the ClassLibrary1 project is using EntityFramework 6.2.0, where Visual Studio ignores the order of package sources, and uses the package from whichever source is the first to respond to a request. For more information, see [Restore packages](package-restore.md). For information about how to load a package from a specific source, see [Package source mapping](package-source-mapping.md). -To manage NuGet package sources, follow these steps: - 1. To change the source from which Visual Studio loads package metadata, select a source from the **Package source** selector. ![Screenshot showing the Package source selector highlighted.](media/package-source-selector.png) @@ -124,21 +134,7 @@ To manage NuGet package sources, follow these steps: ![Screenshot showing the Package source settings icon highlighted.](media/package-source-settings.png) -1. In the **Options** window, expand the **NuGet Package Manager** node and select **Package Sources**. - - ![Screenshot showing the Options window with Package Sources selected.](media/package-sources.png) - -1. To add a source, select **+**, edit the **Name**, enter the URL or path in **Source**, and then select **Update**. - - The source now appears in the **Package source** dropdown list. - -1. To change a package source, select it, make edits in the **Name** and **Source** boxes, and select **Update**. - -1. To disable a package source, clear the box to the left of the name in the list. - -1. To remove a package source, select it, and then select the **X** button. - - If a package source reappears after you delete it, it might be listed in a computer-level or user-level *NuGet.config* file. For the location of these files, see [Common NuGet configurations](../consume-packages/configuring-nuget-behavior.md). Remove the package source in the files by editing them manually or using the [nuget sources command](../reference/nuget-exe-CLI-reference.md). +1. To manage NuGet package sources, see [NuGet Options in Visual Studio](nuget-visual-studio-options.md#package-sources). ## NuGet Package Manager Options control @@ -182,8 +178,7 @@ These options are available only for certain project types: ## Related video -- [Install and Use a NuGet Package with Visual Studio](/shows/nuget-101/install-and-use-a-nuget-package-with-visual-studio-2-of-5/player) -- Find more NuGet videos on [Channel 9](/shows/nuget-101/) and [YouTube](https://www.youtube.com/playlist?list=PLdo4fOcmZ0oVLvfkFk8O9h6v2Dcdh2bh_). +- Find NuGet videos on [Channel 9](/shows/nuget-101/) and [YouTube](https://www.youtube.com/playlist?list=PLdo4fOcmZ0oVLvfkFk8O9h6v2Dcdh2bh_). ## See also diff --git a/docs/consume-packages/installing-signed-packages.md b/docs/consume-packages/installing-signed-packages.md index 0814218f4..ad5e83f29 100644 --- a/docs/consume-packages/installing-signed-packages.md +++ b/docs/consume-packages/installing-signed-packages.md @@ -4,7 +4,7 @@ description: Describes the process of installing signed NuGet packages and confi author: JonDouglas ms.author: jodou ms.date: 11/29/2018 -ms.topic: conceptual +ms.topic: install-set-up-deploy --- # Manage package trust boundaries diff --git a/docs/consume-packages/managing-the-global-packages-and-cache-folders.md b/docs/consume-packages/managing-the-global-packages-and-cache-folders.md index afa31e2a2..faac424cd 100644 --- a/docs/consume-packages/managing-the-global-packages-and-cache-folders.md +++ b/docs/consume-packages/managing-the-global-packages-and-cache-folders.md @@ -4,29 +4,77 @@ description: How to manage the global package installation folder, the package c author: JonDouglas ms.author: jodou ms.date: 03/19/2018 -ms.topic: conceptual +ms.topic: how-to --- # Managing the global packages, cache, and temp folders Whenever you install, update, or restore a package, NuGet manages packages and package information in several folders outside of your project structure: -| Name | Description and Location (per user)| +| Name | Location | | --- | --- | -| global-packages | The *global-packages* folder is where NuGet installs any downloaded package. Each package is fully expanded into a subfolder that matches the package identifier and version number. Projects using the [PackageReference](package-references-in-project-files.md) format always use packages directly from this folder. When using the [packages.config](../reference/packages-config.md), packages are installed to the *global-packages* folder, then copied into the project's `packages` folder.
  • Windows: `%userprofile%\.nuget\packages`
  • Mac/Linux: `~/.nuget/packages`
  • Override using the NUGET_PACKAGES environment variable, the `globalPackagesFolder` or `repositoryPath` [configuration settings](../reference/nuget-config-file.md#config-section) (when using PackageReference and `packages.config`, respectively), or the `RestorePackagesPath` MSBuild property (MSBuild only). The environment variable takes precedence over the configuration setting.
| -| http-cache | The Visual Studio Package Manager (NuGet 3.x+) and the `dotnet` tool store copies of downloaded packages in this cache (saved as `.dat` files), organized into subfolders for each package source. Packages are not expanded, and the cache has an expiration time of 30 minutes.
  • Windows: `%localappdata%\NuGet\v3-cache`
  • Mac/Linux: `~/.local/share/NuGet/v3-cache`
  • Override using the NUGET_HTTP_CACHE_PATH environment variable.
| -| temp | A folder where NuGet stores temporary files during its various operations.
  • Windows: `%temp%\NuGetScratch`
  • Mac/Linux: `/tmp/NuGetScratch`
    • | -| plugins-cache **4.8+** | A folder where NuGet stores the results from the operation claims request.
    • Windows: `%localappdata%\NuGet\plugins-cache`
    • Mac/Linux: `~/.local/share/NuGet/plugins-cache`
    • Override using the NUGET_PLUGINS_CACHE_PATH environment variable.
    | +| [global-packages](#global-packages) |
    • Windows: `%userprofile%\.nuget\packages`
    • Mac/Linux: `~/.nuget/packages`
    • Override using the NUGET_PACKAGES environment variable, the `globalPackagesFolder` or `repositoryPath` [configuration settings](../reference/nuget-config-file.md#config-section) (when using PackageReference and `packages.config`, respectively), or the `RestorePackagesPath` MSBuild property (MSBuild only). The environment variable takes precedence over the configuration setting.
    | +| [http-cache](#http-cache) |
    • Windows: `%localappdata%\NuGet\v3-cache`
    • Mac/Linux: `~/.local/share/NuGet/v3-cache`
    • Override using the NUGET_HTTP_CACHE_PATH environment variable.
    | +| [temp](#temp) |
  • Windows: `%temp%\NuGetScratch`
  • Mac: `/tmp/NuGetScratch`
  • Linux: `/tmp/NuGetScratch`
  • Override using the NUGET_SCRATCH environment variable.
    • | +| [plugins-cache](#plugin-cache) **4.8+** |
    • Windows: `%localappdata%\NuGet\plugins-cache`
    • Mac/Linux: `~/.local/share/NuGet/plugins-cache`
    • Override using the NUGET_PLUGINS_CACHE_PATH environment variable.
    | > [!Note] > NuGet 3.5 and earlier uses *packages-cache* instead of the *http-cache*, which is located in `%localappdata%\NuGet\Cache`. By using the cache and *global-packages* folders, NuGet generally avoids downloading packages that already exist on the computer, improving the performance of install, update, and restore operations. When using PackageReference, the *global-packages* folder also avoids keeping downloaded packages inside project folders, where they might be inadvertently added to source control, and reduces NuGet's overall impact on computer storage. -When asked to retrieve a package, NuGet first looks in the *global-packages* folder. If the exact version of package is not there, then NuGet checks all non-HTTP package sources. If the package is still not found, NuGet looks for the package in the *http-cache* unless you specify `--no-cache` with `dotnet.exe` commands or `-NoCache` with `nuget.exe` commands. If the package is not in the cache, or the cache isn't used, NuGet then retrieves the package over HTTP . +When asked to retrieve a package, NuGet first looks in the *global-packages* folder. If the exact version of package is not there, then NuGet checks all non-HTTP package sources. If the package is still not found, NuGet looks for the package in the *http-cache* unless you specify `--no-http-cache` with `dotnet.exe` commands or `-NoHttpCache` with `nuget.exe` commands. If the package is not in the cache, or the cache isn't used, NuGet then retrieves the package over HTTP . For more information, see [What happens when a package is installed?](../concepts/package-installation-process.md). +## global-packages + +The *global-packages* folder is where NuGet installs any downloaded package. +Each package is fully expanded into a subfolder that matches the package identifier and version number. +Projects using the [PackageReference](package-references-in-project-files.md) format always use packages directly from this folder. +When using the [packages.config](../reference/packages-config.md), packages are installed to the *global-packages* folder, then copied into the project's `packages` folder. + +### Cleaning the global-packages directory + +The global-packages directory needs to be manually cleaned to remove packages that are no longer used. +You can do this with the `dotnet nuget locals global-packages --clean` command, or the "clear NuGet local resources" button in Visual Studio's options (equivalent to `dotnet nuget locals all --clear`). +After clearing the global-packages directory, you will need to restore your projects again to redownload all required packages. +In Visual Studio, you may need to reload your solution to clear NuGet's "up to date restores" cache, or alternatively do a command line restore (for example, within Visual Studio's terminal window) with `msbuild -t:restore your.sln`. + +To clean only unused packages, it's a two step process. +First, there is a [nuget.config setting `updatePackageLastAccessTime`](../reference/nuget-config-file.md) that should be enabled. +This setting will cause NuGet to update each package's `.nupkg.metadata` file when it is used in a restore. +When restore runs, but a project is considered already up to date, the package timestamps are *not* updated. +The `.nupkg.metadata` file is the last file that NuGet will create when downloading and extracting packages during a restore or install, and is the file that restore uses to check if a package has been extracted successfully. + +Second, run a tool to perform the cleanup. +After the `updatePackageLastAccessTime` setting is enabled, we recommend waiting a few days to make sure that all the packages you use regularly have had their timestamps updated. + +At this time, NuGet does not provide a tool or command to do this. +You can [add a 👍 reaction to this GitHub issue](https://github.com/NuGet/Home/issues/4980) to signal your interest. +Some community members have created their own open source NuGet cleaner tools that you can search for. + +If you are going to write your own cleanup tool, it is important that the `.nupkg.metadata` file is deleted if any of the other package files are deleted, so we recommend that this file is deleted first. +Otherwise projects referencing the package may have unexpected behavior. +If writing a cleanup tool in .NET, consider using `ConcurrencyUtilities.ExecuteWithFileLocked[Async](..)` from the [NuGet.Common package](https://www.nuget.org/packages/NuGet.Common), passing the full nupkg path of the package directory you're going to delete as the key, to avoid deleting a package that restore is trying to extract at the same time. +The global packages directory can be programatically found with the [NuGet.Configuration package](https://www.nuget.org/packages/NuGet.Configuration). +Use `Settings.LoadDefaultSettings(path)` to get an `ISettings` instance (you can pass `null` as the path, or pass a directory if you want to handle solutions with a nuget.config that redirects the global-packages directory), and then use `SettingsUtility.GetGlobalPackagesFolder(settings)`. +Alternatively, you can run `dotnet nuget locals global-packages --list` as a child process and parse the output. + +## http-cache + +NuGet will cache copies of most NuGet feed communications (excluding search), organized into subfolders for each package source. +Packages are not expanded, and files with a last modified date older than 30 minutes are typically considered expired. + +## temp + +A folder where NuGet may store temporary files during its various operations. + +## plugin-cache + +A folder where NuGet stores the results from the operation claims request. +See the [cross platform plugins reference](../reference/extensibility/NuGet-Cross-Platform-Plugins.md) for more information. + ## Viewing folder locations You can view locations using the [nuget locals command](../reference/cli-reference/cli-ref-locals.md): @@ -53,7 +101,7 @@ You can also view folder locations using the [dotnet nuget locals command](/dotn dotnet nuget locals all --list ``` -Typical output (Mac/Linux; "user1" is the current username): +Typical output (Mac; "user1" is the current username): ```output info : http-cache: /home/user1/.local/share/NuGet/v3-cache @@ -62,10 +110,21 @@ info : temp: /tmp/NuGetScratch info : plugins-cache: /home/user1/.local/share/NuGet/plugins-cache ``` +Typical output (Linux; "user1" is the current username): + +```output +info : http-cache: /home/user1/.local/share/NuGet/v3-cache +info : global-packages: /home/user1/.nuget/packages/ +info : temp: /tmp/NuGetScratchuser1 +info : plugins-cache: /home/user1/.local/share/NuGet/plugins-cache +``` + To display the location of a single folder, use `http-cache`, `global-packages`, `temp`, or `plugins-cache` instead of `all`. ## Clearing local folders +### Command-line + If you encounter package installation problems or otherwise want to ensure that you're installing packages from a remote gallery, use the `locals --clear` option (dotnet.exe) or `locals -clear` (nuget.exe), specifying the folder to clear, or `all` to clear all folders: ```cli @@ -95,9 +154,23 @@ nuget locals all -clear Any packages used by projects that are currently open in Visual Studio are not cleared from the *global-packages* folder. -Starting in Visual Studio 2017, use the **Tools > NuGet Package Manager > Package Manager Settings** menu command, then select **Clear All NuGet Cache(s)**. Managing the cache isn't presently available through the Package Manager Console. In Visual Studio 2015, use the CLI commands instead. +### Visual Studio + +Visual Studio supports clearing all local folders in the "NuGet Package Manager" options found under the **Tools > NuGet Package Manager > Package Manager Settings** menu command. + +On the General page, select **Clear NuGet local resources**. +Once started, this action cannot be cancelled. +A progress bar will be shown and will contain the final status of the command. + +The [Output Window](/visualstudio/ide/output-window) when selecting Show output from "Package Manager" will show additional details about the clear command, including any error messages. + +### Clear NuGet Local Resources + +![Clear NuGet local resources button highlighted in the General page of NuGet options](media/vsoptions/general.png) + +Managing the cache isn't presently available through the Package Manager Console. -![NuGet option command for clearing caches](media/options-clear-caches.png) +For more information, see [NuGet Options in Visual Studio](nuget-visual-studio-options.md#clear-nuget-local-resources). ## Troubleshooting errors diff --git a/docs/consume-packages/media/Finding-07-MostPopular.png b/docs/consume-packages/media/Finding-07-MostPopular.png new file mode 100644 index 000000000..ac05cde3d Binary files /dev/null and b/docs/consume-packages/media/Finding-07-MostPopular.png differ diff --git a/docs/consume-packages/media/Finding-08-FiltersAndSorts.png b/docs/consume-packages/media/Finding-08-FiltersAndSorts.png new file mode 100644 index 000000000..3f4ef4dfd Binary files /dev/null and b/docs/consume-packages/media/Finding-08-FiltersAndSorts.png differ diff --git a/docs/consume-packages/media/Finding-09-FrameworkFilterPanel.png b/docs/consume-packages/media/Finding-09-FrameworkFilterPanel.png new file mode 100644 index 000000000..e8a2ba20a Binary files /dev/null and b/docs/consume-packages/media/Finding-09-FrameworkFilterPanel.png differ diff --git a/docs/consume-packages/media/Finding-10-FrameworkBadgesInSearch.png b/docs/consume-packages/media/Finding-10-FrameworkBadgesInSearch.png new file mode 100644 index 000000000..fd8703fe3 Binary files /dev/null and b/docs/consume-packages/media/Finding-10-FrameworkBadgesInSearch.png differ diff --git a/docs/consume-packages/media/Restore-01-AutoRestoreOptions.png b/docs/consume-packages/media/Restore-01-AutoRestoreOptions.png deleted file mode 100644 index 4283c072e..000000000 Binary files a/docs/consume-packages/media/Restore-01-AutoRestoreOptions.png and /dev/null differ diff --git a/docs/consume-packages/media/Restore-02-PackageFormatOptions.png b/docs/consume-packages/media/Restore-02-PackageFormatOptions.png deleted file mode 100644 index 204b39e0e..000000000 Binary files a/docs/consume-packages/media/Restore-02-PackageFormatOptions.png and /dev/null differ diff --git a/docs/consume-packages/media/options-clear-caches.png b/docs/consume-packages/media/options-clear-caches.png deleted file mode 100644 index 0a99c9b38..000000000 Binary files a/docs/consume-packages/media/options-clear-caches.png and /dev/null differ diff --git a/docs/consume-packages/media/package-manager-browse-tab.png b/docs/consume-packages/media/package-manager-browse-tab.png new file mode 100644 index 000000000..d48ddbd1b Binary files /dev/null and b/docs/consume-packages/media/package-manager-browse-tab.png differ diff --git a/docs/consume-packages/media/package-manager-package-details.png b/docs/consume-packages/media/package-manager-package-details.png new file mode 100644 index 000000000..4ec7cc9a7 Binary files /dev/null and b/docs/consume-packages/media/package-manager-package-details.png differ diff --git a/docs/consume-packages/media/package-manager-package-readme.png b/docs/consume-packages/media/package-manager-package-readme.png new file mode 100644 index 000000000..855595145 Binary files /dev/null and b/docs/consume-packages/media/package-manager-package-readme.png differ diff --git a/docs/consume-packages/media/package-sources.png b/docs/consume-packages/media/package-sources.png deleted file mode 100644 index 20d91f19e..000000000 Binary files a/docs/consume-packages/media/package-sources.png and /dev/null differ diff --git a/docs/consume-packages/media/packageSourceMapping_PMUI_Status_Mapped.png b/docs/consume-packages/media/packageSourceMapping_PMUI_Status_Mapped.png new file mode 100644 index 000000000..e27bf3920 Binary files /dev/null and b/docs/consume-packages/media/packageSourceMapping_PMUI_Status_Mapped.png differ diff --git a/docs/consume-packages/media/packageSourceMapping_PMUI_Status_Off_Annotated.png b/docs/consume-packages/media/packageSourceMapping_PMUI_Status_Off_Annotated.png new file mode 100644 index 000000000..c2d698f20 Binary files /dev/null and b/docs/consume-packages/media/packageSourceMapping_PMUI_Status_Off_Annotated.png differ diff --git a/docs/consume-packages/media/vsoptions/configuration-files.png b/docs/consume-packages/media/vsoptions/configuration-files.png new file mode 100644 index 000000000..73d576337 Binary files /dev/null and b/docs/consume-packages/media/vsoptions/configuration-files.png differ diff --git a/docs/consume-packages/media/vsoptions/general.png b/docs/consume-packages/media/vsoptions/general.png new file mode 100644 index 000000000..debce051c Binary files /dev/null and b/docs/consume-packages/media/vsoptions/general.png differ diff --git a/docs/consume-packages/media/vsoptions/package-source-add.png b/docs/consume-packages/media/vsoptions/package-source-add.png new file mode 100644 index 000000000..69113b750 Binary files /dev/null and b/docs/consume-packages/media/vsoptions/package-source-add.png differ diff --git a/docs/consume-packages/media/vsoptions/package-source-http-error.png b/docs/consume-packages/media/vsoptions/package-source-http-error.png new file mode 100644 index 000000000..9ce2f2722 Binary files /dev/null and b/docs/consume-packages/media/vsoptions/package-source-http-error.png differ diff --git a/docs/consume-packages/media/vsoptions/package-source-http-warn.png b/docs/consume-packages/media/vsoptions/package-source-http-warn.png new file mode 100644 index 000000000..f1a4569d4 Binary files /dev/null and b/docs/consume-packages/media/vsoptions/package-source-http-warn.png differ diff --git a/docs/consume-packages/media/vsoptions/package-source-machine-wide.png b/docs/consume-packages/media/vsoptions/package-source-machine-wide.png new file mode 100644 index 000000000..aae8df7eb Binary files /dev/null and b/docs/consume-packages/media/vsoptions/package-source-machine-wide.png differ diff --git a/docs/consume-packages/media/vsoptions/package-source-mapping-add.png b/docs/consume-packages/media/vsoptions/package-source-mapping-add.png new file mode 100644 index 000000000..7c9fc5183 Binary files /dev/null and b/docs/consume-packages/media/vsoptions/package-source-mapping-add.png differ diff --git a/docs/consume-packages/media/vsoptions/package-source-mapping-missing-source.png b/docs/consume-packages/media/vsoptions/package-source-mapping-missing-source.png new file mode 100644 index 000000000..120c2374b Binary files /dev/null and b/docs/consume-packages/media/vsoptions/package-source-mapping-missing-source.png differ diff --git a/docs/consume-packages/media/vsoptions/package-source-mapping.png b/docs/consume-packages/media/vsoptions/package-source-mapping.png new file mode 100644 index 000000000..eb4c24d0b Binary files /dev/null and b/docs/consume-packages/media/vsoptions/package-source-mapping.png differ diff --git a/docs/consume-packages/media/vsoptions/package-sources-page.png b/docs/consume-packages/media/vsoptions/package-sources-page.png new file mode 100644 index 000000000..8edf71c39 Binary files /dev/null and b/docs/consume-packages/media/vsoptions/package-sources-page.png differ diff --git a/docs/consume-packages/migrate-packages-config-to-package-reference.md b/docs/consume-packages/migrate-packages-config-to-package-reference.md index ee975de2d..1bb9a436f 100644 --- a/docs/consume-packages/migrate-packages-config-to-package-reference.md +++ b/docs/consume-packages/migrate-packages-config-to-package-reference.md @@ -4,7 +4,7 @@ description: Details on how to migrate a project from the packages.config manage author: JonDouglas ms.author: jodou ms.date: 08/23/2021 -ms.topic: conceptual +ms.topic: upgrade-and-migration-article --- # Migrate from packages.config to PackageReference @@ -25,7 +25,7 @@ Visual Studio 2017 Version 15.7 and later supports migrating a project from the * Migration is not currently available for C++ and ASP.NET projects. * Some packages may not be fully compatible with PackageReference. For more information, see [package compatibility issues](#package-compatibility-issues). -In addition, there are some differences in how PackageReferences work compared to packages.config. For example, [constraining upgrade versions](../consume-packages/reinstalling-and-updating-packages.md#constraining-upgrade-versions) is not supported by PackageReference, but PackageReference adds support for [Floating Versions](../consume-packages/package-references-in-project-files.md#floating-versions). +In addition, there are some differences in how PackageReferences work compared to packages.config. For example, [Constraints on upgrade versions](../consume-packages/reinstalling-and-updating-packages.md#constraints-on-upgrade-versions) is not supported by PackageReference, but PackageReference adds support for [Floating Versions](../consume-packages/package-references-in-project-files.md#floating-versions). ### Known Issues @@ -87,7 +87,9 @@ You should now be able to see the migration option. Note that this option is not ## Create a package after migration -Once the migration is complete, we recommend that you add a reference to the [nuget.build.tasks.pack](https://www.nuget.org/packages/nuget.build.tasks.pack) nuget package, and then use [msbuild -t:pack](../reference/msbuild-targets.md#pack-target) to create the package. Although in some scenarios you could use `dotnet.exe pack` instead of `msbuild -t:pack`, it is not recommended. +Once the migration is complete, we recommend that you copy your package metadata from a `.nuspec` file to [MSBuild properties](../reference/msbuild-targets.md#pack-target), and then you can use `msbuild -t:pack` to create the package. +If you are using Visual Studio 2022 or earlier, you will also need to install the NuGet.Build.Tasks.Pack package. +From Visual Studio 2026, pack is built into MSBuild. ## Package compatibility issues @@ -109,7 +111,7 @@ Some aspects that were supported in packages.config are not supported in Package * **Description**: XDT transforms are not supported with PackageReference and `.xdt` files are ignored when installing or uninstalling a package. -* **Potential impact**: XDT transforms are not applied to any project XML files, most commonly, `web.config.install.xdt` and `web.config.uninstall.xdt`, which means the project's` web.config` file is not updated when the package is installed or uninstalled. +* **Potential impact**: XDT transforms are not applied to any project XML files, most commonly, `web.config.install.xdt` and `web.config.uninstall.xdt`, which means the project's `web.config` file is not updated when the package is installed or uninstalled. ### Assemblies in the lib root are ignored when the package is installed after the migration diff --git a/docs/consume-packages/nuget-https-everywhere.md b/docs/consume-packages/nuget-https-everywhere.md new file mode 100644 index 000000000..47c97e01d --- /dev/null +++ b/docs/consume-packages/nuget-https-everywhere.md @@ -0,0 +1,97 @@ +--- +title: NuGet HTTPS Everywhere +description: Learn why NuGet enforces HTTPS connections for package sources, what errors like NU1302 mean, and how to safely allow HTTP feeds when necessary. +author: Nigusu-Allehu +ms.author: nyenework +ms.date: 10/28/2025 +ms.topic: conceptual +ai-usage: ai-generated +--- + +# NuGet HTTPS Everywhere + +NuGet requires all package sources to use **HTTPS** instead of **HTTP**. +This enforcement protects the software supply chain by preventing tampering and interception during package restore and related operations. +NuGet enforces this requirement by producing an error and stopping the operation when an HTTP source is used. + +## Understanding the HTTP Error + +This error occurs when one or more package sources in your configuration use an **HTTP** URL instead of **HTTPS**. + +In earlier NuGet versions, this scenario produced a **warning** ([`NU1803`](../reference/errors-and-warnings/nu1803.md)). +Beginning with [**NuGet 6.12**](../release-notes/NuGet-6.12.md) and later, it now results in an **error** unless the use of HTTP sources is explicitly permitted. + +### Recommended Resolution + +Before allowing HTTP connections, confirm whether your package source supports HTTPS. +If it does, update the feed URL to use the secure protocol: + +```xml + +``` + +Switching to HTTPS ensures end-to-end encryption and is the recommended and more secure approach. + +### Allowing Insecure HTTP Feeds (Opt-Out) + +If HTTPS is not available and you operate in a trusted or isolated environment, you can explicitly allow HTTP sources. + +#### Option 1: Set allowInsecureConnections in your `NuGet.Config` + +* **Use Visual Studio** + + Enable or disable allowing insecure HTTP connections with the [Package Sources settings](/nuget/consume-packages/nuget-visual-studio-options#allow-insecure-connections) under the Visual Studio options > **NuGet Package Manager**. + +* **Edit `NuGet.Config` manually** + + Add the `allowInsecureConnections="true"` attribute to the affected source: + + ```xml + + + + + + + ``` + +#### Option 2: Use the Command-Line Parameter + +For commands that support it, include the following flag to temporarily permit HTTP connections: + +For **dotnet** commands: + +```bash +--allow-insecure-connections +``` + +For **NuGet.exe** commands, use: + +```powershell +-AllowInsecureConnections +``` + +#### Commands that support opt-out options + +| Tool | Commands | Support for Allow Insecure Connection | +| -------------- | ------------------------- | ------------------------------------- | +| **nuget.exe** | `push` | NuGet **7.0** | +| **dotnet CLI** | `dotnet nuget push` | .NET **10.0.1xx** and newer | +| **dotnet CLI** | `dotnet nuget add source` | .NET **9.0.1xx** and newer | + +## HTTPS Enforcement Rollout Across Tools + +NuGet’s HTTPS enforcement was introduced gradually across releases. +The following table summarizes the progression from [**warnings (NU1803)**](../reference/errors-and-warnings/nu1803.md) to [**errors (NU1302)**](../reference/errors-and-warnings/nu1302.md). + +| Versions Affected | Behavior | +| ----------------------------------------------------- | --------------------------------------------------------------------- | +| [NuGet.exe 6.3](../release-notes/NuGet-6.3.md)+, Visual Studio 17.3+, .NET 6.0.100+ | ⚠️ **Warning (NU1803)** – HTTP sources allowed but discouraged | +| [NuGet.exe 6.12](../release-notes/NuGet-6.12.md)+, Visual Studio 17.12+, .NET 9.0.100+ | ❌ **Error (NU1302)** – HTTP sources blocked unless explicitly allowed| + +## See Also + +* [NU1302](../reference/errors-and-warnings/nu1302.md) +* [NU1803](../reference/errors-and-warnings/nu1803.md) +* [NuGet.Config Reference](../reference/nuget-config-file.md#packagesources) +* [NuGet Visual Studio Options](../consume-packages/nuget-visual-studio-options.md) diff --git a/docs/consume-packages/nuget-visual-studio-options.md b/docs/consume-packages/nuget-visual-studio-options.md new file mode 100644 index 000000000..b773e33e8 --- /dev/null +++ b/docs/consume-packages/nuget-visual-studio-options.md @@ -0,0 +1,161 @@ +--- +title: NuGet Options in Visual Studio +description: Reference guide for NuGet Package Manager options in Visual Studio, including General, Configuration Files, Package Sources, and Package Source Mapping settings. +author: donnie-msft +ms.author: eagoodso +ms.date: 10/03/2025 +ms.topic: reference +f1_keywords: + - "vs.toolsoptionspages.nuget_package_manager" + - "vs.toolsoptionspages.nuget_package_manager.general" + - "vs.toolsoptionspages.nuget_package_manager.configuration_files" + - "vs.toolsoptionspages.nuget_package_manager.package_sources" + - "vs.toolsoptionspages.nuget_package_manager.package_source_mapping" +--- + +# NuGet Package Manager Options in Visual Studio + +Visual Studio provides several options pages for configuring NuGet Package Manager behavior. +Configuration settings for NuGet are stored in your [NuGet.Config file(s)](../reference/nuget-config-file.md). + +## Accessing NuGet Options + +There are multiple ways to access NuGet Package Manager options: + +1. **From the main menu**: Go to **Tools > Options**, then expand **NuGet Package Manager** in the left pane. +1. **From the NuGet menu** found under the **Tools > NuGet Package Manager > Package Manager Settings** menu command. +1. **Quick search**: Use [Visual Studio search](/visualstudio/ide/visual-studio-search) to search for "NuGet" or a NuGet-related setting name to quickly jump to its Options page. +1. **From Package Manager UI**: Press the settings (gear) icon in the Package Manager UI toolbar. +1. **From Package Manager Console**: Click the settings (gear) icon in the Package Manager Console toolbar. + +## General + +The General options page contains settings that control NuGet's package management behavior. + +![Clear NuGet local resources button highlighted in the General page of NuGet options](media/vsoptions/general.png) + +### Package Restore + +Settings for automatic package restore during build operations: + +- **Allow NuGet to download missing packages**: Select to enable package restore and the Restore NuGet Packages command. +- **Automatically check for missing packages during build in Visual Studio**: Select to automatically restore any missing packages when you run a build from Visual Studio. + +See [Package Restore](Package-Restore.md) for more information on package restore behavior. + +### Binding Redirects + +- **Skip applying binding redirects**: When enabled, NuGet will not automatically add or update binding redirects in app.config or web.config files during package installation or updates + +### Package Management + +- **Default package management format**: Choose between the NuGet formats [PackageReference](package-references-in-project-files.md) (recommended for most projects) and [packages.config](../reference/packages-config.md) (legacy format for older projects). + For more information, see [Choose default package management format](package-restore.md#choose-default-package-management-format). + + - **PackageReference**: Stores package references directly in project files. This is the modern format that supports better dependency resolution and is required for SDK-style projects + - **packages.config**: Legacy XML file format that stores package information separately from the project file + +- **Prompt for format selection on first package install**: When enabled, Visual Studio will ask you to choose between PackageReference and packages.config the first time you install a package in a project that doesn't already have packages. + +### Clear NuGet Local Resources + +The **Clear NuGet Local Resources** command button allows you to clear NuGet's local caches, including: + +- **http-cache**: Downloaded package metadata and packages +- **global-packages**: Installed packages folder +- **temp**: Temporary files +- **plugins-cache**: Plugin operation results + +For more information on NuGet caches and folders, see [Managing the global packages, cache, and temp folders](managing-the-global-packages-and-cache-folders.md). + +## Configuration Files + +The Configuration Files options page displays the NuGet.Config files that apply to your current solution and allows you to open them directly in Visual Studio for editing. + +To edit a file, select a File Path and press the "Open" button. +The file will open in a new tab in Visual Studio where it may be edited directly. + +![Configuration files page of NuGet options with the Open button highlighted](media/vsoptions/configuration-files.png) + +Configuration files are listed in order from highest to lowest priority. +NuGet uses a hierarchical configuration system where settings from multiple config files are merged. +For more information, see [Common NuGet configurations](configuring-nuget-behavior.md). + +## Package Sources + +The Package Sources options page allows you to manage the sources from which NuGet downloads packages. + +![Package Sources page of NuGet options](media/vsoptions/package-sources-page.png) + +### Managing Package Sources + +Lists all configured package sources according to your NuGet.Config files. + +- **Name**: Display name for the source +- **Source**: URL or file path for the package source +- **Enabled checkbox**: Enable or disable a source without removing it. +- **Allow Insecure Connections**: Enable or disable allowing insecure HTTP connections + +To modify, use the **Add, Edit, and Remove buttons** below the table. +Checkboxes may be toggled directly in the table. +Press "Save" on the Add/Edit dialog and the changes will be updated in the relevant NuGet.Config file. + +![Add dialog on the Package Sources page](media/vsoptions/package-source-add.png) + +### Machine-wide Package Sources + +Package sources defined at the machine level appear in a dedicated section below. +These are generally provisioned by Visual Studio workloads and can only be enabled or disabled using the checkbox in the Enabled column. + +![Machine-wide sources table on the Package Sources page](media/vsoptions/package-source-machine-wide.png) + +### Allow Insecure Connections + +For security reasons, NuGet enforces the use of HTTPS sources by default. +If you need to use an HTTP source, you must explicitly allow it. +When an HTTP source is used, the first column of the Package Sources table will show an icon with information about a warning or an error with the package source in that row. + +⚠️ When an HTTP package source is used and Allow Insecure Connections is enabled, a warning is shown in the leftmost status column: + +> HTTP sources are insecure. Consider using HTTPS instead. 'AllowInsecureConnections' is enabled, permitting HTTP access. + +![Package Sources page with an HTTP source Warning and Allow Insecure Connections enabled](media/vsoptions/package-source-http-warn.png) + +❌ When an HTTP source is used and Allow Insecure Connections is disabled, an error is shown in the leftmost status column and NuGet restore will fail: + +> NuGet requires HTTPS sources. To use an HTTP source, you must explicitly set 'allowInsecureConnections' to true in your NuGet.Config file. + +![Package Sources page with an HTTP source Error and Allow Insecure Connections disabled](media/vsoptions/package-source-http-error.png) + +For more information on configuring HTTP source permissions, see . + +## Package Source Mapping + +Package Source Mapping allows you to control which package sources are used for specific packages, improving supply chain security. + +![Package Source Mapping page of NuGet options](media/vsoptions//package-source-mapping.png) + +To modify, use the **Add, Edit, and Remove buttons** below the table. + +### Managing Package Source Mappings + +Lists all configured package source mappings according to your NuGet.Config files. + +- **Package pattern**: Package pattern that is currently mapped (e.g., `Microsoft.*` or `Contoso.Contracts`) +- **Source**: One or more package sources mapped to the package pattern. + Package sources must be enabled to be shown. + +To modify, use the **Add, Edit, and Remove buttons** below the table. +Press "Save" on the Add/Edit dialog and the changes will be updated in the relevant NuGet.Config file. + +![Package Source Mapping add dialog](media/vsoptions/package-source-mapping-add.png) + +For more information, see [Package Source Mapping](Package-Source-Mapping.md). + +### Invalid Source Mappings + +If a package source listed in your existing source mapping isn't enabled in your NuGet.Config file(s), an error will appear in the leftmost column. + +Make sure all Source values in your mappings refer to package sources that are both available and enabled. Otherwise, the mapping may not work as expected. + +![Package Source Mapping with an invalid package source](media/vsoptions/package-source-mapping-missing-source.png) diff --git a/docs/create-packages/Creating-Localized-Packages.md b/docs/create-packages/Creating-Localized-Packages.md index e232765ba..92f7e6d15 100644 --- a/docs/create-packages/Creating-Localized-Packages.md +++ b/docs/create-packages/Creating-Localized-Packages.md @@ -4,7 +4,7 @@ description: Details on the two ways to create localized NuGet packages, either author: JonDouglas ms.author: jodou ms.date: 01/18/2018 -ms.topic: conceptual +ms.topic: how-to --- # Creating localized NuGet packages diff --git a/docs/create-packages/Creating-a-Package.md b/docs/create-packages/Creating-a-Package.md index 6f55dd936..d853b0e8b 100644 --- a/docs/create-packages/Creating-a-Package.md +++ b/docs/create-packages/Creating-a-Package.md @@ -2,9 +2,9 @@ title: Create a NuGet package using nuget.exe CLI description: A detailed guide on designing and creating a NuGet package, including files and versioning. author: JonDouglas -ms.author: feaguila -ms.date: 07/14/2022 -ms.topic: conceptual +ms.author: jodou +ms.date: 03/03/2025 +ms.topic: how-to --- # Create a package using the nuget.exe CLI diff --git a/docs/create-packages/Overview-and-Workflow.md b/docs/create-packages/Overview-and-Workflow.md index 96984557b..ddda6fd80 100644 --- a/docs/create-packages/Overview-and-Workflow.md +++ b/docs/create-packages/Overview-and-Workflow.md @@ -4,7 +4,7 @@ description: An overview of the process of creating and publishing a NuGet packa author: JonDouglas ms.author: jodou ms.date: 07/26/2017 -ms.topic: conceptual +ms.topic: concept-article --- # Package creation workflow diff --git a/docs/create-packages/Package-authoring-best-practices.md b/docs/create-packages/Package-authoring-best-practices.md index b44f70071..f4451cbe0 100644 --- a/docs/create-packages/Package-authoring-best-practices.md +++ b/docs/create-packages/Package-authoring-best-practices.md @@ -4,7 +4,7 @@ description: A general guide of best practices for creating high quality NuGet p author: nkolev92 ms.author: nikolev ms.date: 11/15/2021 -ms.topic: conceptual +ms.topic: best-practice --- # Package authoring best practices @@ -60,11 +60,11 @@ Below is a table mapping and describing available package metadata elements: | [`Authors`](#authors) | [`Authors`](/nuget/reference/msbuild-targets#pack-target) | [`authors`](/nuget/reference/nuspec#authors) | A comma-separated list of package authors, often using the individual's or an organization's "pretty name." | | [`Description`](#description) | [`Description`](/nuget/reference/msbuild-targets#pack-target) | [`description`](/nuget/reference/nuspec#description) | A description of the package. | | [`Copyright`](#copyright) | [`Copyright`](/nuget/reference/msbuild-targets#pack-target) | [`copyright`](/nuget/reference/nuspec#copyright) | Copyright details for the package. | -| [`Project URL`](#project-url) | `PackageProjectUrl` | [`projectUrl`](/nuget/reference/nuspec#projecturl) | A URL for the project homepage. | +| [`Project URL`](#project-url) | [`PackageProjectUrl`](/nuget/reference/msbuild-targets#pack-target) | [`projectUrl`](/nuget/reference/nuspec#projecturl) | A URL for the project homepage. | | [`Icon File`](#icon) | [`PackageIcon`](/nuget/reference/msbuild-targets#packing-an-icon-image-file) | [`icon`](/nuget/reference/nuspec#icon) | Path to the package icon image file. | | [`README`](#readme) | [`PackageReadmeFile`](/nuget/reference/msbuild-targets#packagereadmefile) | [`readme`](/nuget/reference/nuspec#readme) | Path to the package README markdown file. | | [`Repository URL`](#repository-type-and-url) | [`RepositoryUrl`](/nuget/reference/msbuild-targets#pack-target) | [`repository url`](/nuget/reference/nuspec#repository) | URL to the repository from which the package was built. | -| [`Repository type`](#repository-type-and-url) | [`RespositoryType`](/nuget/reference/msbuild-targets#pack-target) | [`repository type`](/nuget/reference/nuspec#repository) | Type of repository the repository URL is pointing to (i.e. "git"). | +| [`Repository type`](#repository-type-and-url) | [`RepositoryType`](/nuget/reference/msbuild-targets#pack-target) | [`repository type`](/nuget/reference/nuspec#repository) | Type of repository the repository URL is pointing to (i.e. "git"). | | [`Tags`](#tags) | [`PackageTags`](/nuget/reference/msbuild-targets#pack-target) | [`tags`](/nuget/reference/nuspec#tags) | A space-delimited list of tags and keywords that describe the package. Tags are used when searching for packages. | | [`Release notes`](#release-notes) | [`PackageReleaseNotes`](/nuget/reference/msbuild-targets#pack-target) | [`releaseNotes`](/nuget/reference/nuspec#releasenotes) | A description of the changes made in this release of the package. | | [`Licensing - Expression`](#licensing) | [`PackageLicenseExpression`](/nuget/reference/msbuild-targets#packing-a-license-expression-or-a-license-file) | [`license type="expression"`](/nuget/reference/nuspec#license) | An SPDX license expression. | @@ -124,8 +124,8 @@ Example: Copyright (c) Contoso 2020 ❌ DO NOT use the deprecated `IconUrl` metadata property. ### README -✔️ DO add a README markdown file that provides an overview of what your package does and how to get started. -> A package README will significantly improve the quality perception of your package as well as new user onboarding. Also consider [previewing your README](../nuget-org/package-readme-on-nuget-org.md#preview-your-readme) before you upload it! +✔️ DO [add a README markdown file](/nuget/reference/msbuild-targets#packagereadmefile) that provides an overview of what your package does and how to get started. +> A package README will significantly improve the quality perception of your package as well as new user onboarding. Also consider [previewing your README](../nuget-org/package-readme-on-nuget-org.md#preview-your-readme) before you upload it! See [how to include a README file in your NuGet package](/nuget/reference/msbuild-targets#packagereadmefile) for more details. ### Repository Type and URL diff --git a/docs/create-packages/Prerelease-Packages.md b/docs/create-packages/Prerelease-Packages.md index 3b487f89b..89ffc0d19 100644 --- a/docs/create-packages/Prerelease-Packages.md +++ b/docs/create-packages/Prerelease-Packages.md @@ -4,7 +4,7 @@ description: Guidance for building pre-release packages author: JonDouglas ms.author: jodou ms.date: 08/14/2017 -ms.topic: conceptual +ms.topic: concept-article --- # Building pre-release packages @@ -52,38 +52,4 @@ By default, NuGet does not include pre-release versions when working with packag ## Semantic versioning The [Semantic Versioning or SemVer convention](https://semver.org/spec/v1.0.0.html) describes how to utilize strings in version numbers to convey the meaning of the underlying code. - -In this convention, each version has three parts, `Major.Minor.Patch`, with the following meaning: - -- `Major`: Breaking changes -- `Minor`: New features, but backwards compatible -- `Patch`: Backwards compatible bug fixes only - -Pre-release versions are then denoted by appending a hyphen and a string after the patch number. Technically speaking, you can use *any* string after the hyphen and NuGet will treat the package as pre-release. NuGet then displays the full version number in the applicable UI, leaving consumers to interpret the meaning for themselves. - -With this in mind, it's generally good to follow recognized naming conventions such as the following: - -- `-alpha`: Alpha release, typically used for work-in-progress and experimentation -- `-beta`: Beta release, typically one that is feature complete for the next planned release, but may contain known bugs. -- `-rc`: Release candidate, typically a release that's potentially final (stable) unless significant bugs emerge. - -> [!Note] -> NuGet 4.3.0+ supports [Semantic Versioning v2.0.0](https://semver.org/spec/v2.0.0.html), which supports pre-release numbers with dot notation, as in `1.0.1-build.23`. Dot notation is not supported with NuGet versions before 4.3.0. In earlier versions of NuGet, you could use a form like `1.0.1-build23` but this was always considered a pre-release version. - -Whatever suffixes you use, however, NuGet will give them precedence in reverse alphabetical order: - -``` -1.0.1 -1.0.1-zzz -1.0.1-rc -1.0.1-open -1.0.1-beta.12 -1.0.1-beta.5 -1.0.1-beta -1.0.1-alpha.2 -1.0.1-alpha -``` - -As shown, the version without any suffix will always take precedence over pre-release versions. - -Leading 0s are not needed with semver2, but they are with the old version schema. If you use numerical suffixes with pre-release tags that might use double-digit numbers (or more), use leading zeroes as in beta.01 and beta.05 to ensure that they sort correctly when the numbers get larger. This recommendation only applies to the old version schema. +[Learn more](../concepts/Package-Versioning.md) about the package versioning basics. diff --git a/docs/create-packages/Select-assemblies-referenced-by-projects.md b/docs/create-packages/Select-assemblies-referenced-by-projects.md index c984846e1..6eebd9a66 100644 --- a/docs/create-packages/Select-assemblies-referenced-by-projects.md +++ b/docs/create-packages/Select-assemblies-referenced-by-projects.md @@ -4,7 +4,7 @@ description: Make a subset of assemblies in the package available to the compile author: zivkan ms.author: zivkan ms.date: 05/24/2019 -ms.topic: conceptual +ms.topic: how-to --- # Select Assemblies Referenced By Projects diff --git a/docs/create-packages/Sign-a-Package.md b/docs/create-packages/Sign-a-Package.md index 992ea16d3..098353fe7 100644 --- a/docs/create-packages/Sign-a-Package.md +++ b/docs/create-packages/Sign-a-Package.md @@ -4,8 +4,9 @@ description: Explains how signed packages can be used to enable content integrit author: rido-min ms.author: rmpablos ms.date: 03/06/2018 -ms.topic: conceptual +ms.topic: how-to ms.reviewer: anangaur +ms.custom: sfi-image-nochange --- # Sign a NuGet package @@ -14,7 +15,15 @@ A signed package allows for content integrity verification checks, which provide ## Get a code signing certificate -Valid certificates can be obtained from a public certificate authority such as [DigiCert](https://www.digicert.com/code-signing/), [Global Sign](https://www.globalsign.com/en/code-signing-certificate/), [Comodo](https://www.comodo.com/e-commerce/code-signing/code-signing-certificate.php), or [Certum](https://www.certum.eu/certum/cert,offer_en_open_source_cs.xml). You can obtain the complete list of certification authorities trusted by Windows from [http://aka.ms/trustcertpartners](/security/trusted-root/participants-list). +Valid certificates can be obtained from a public certificate authority such as: + +- [Certum](https://www.certum.eu/certum/cert,offer_en_open_source_cs.xml) +- [Comodo](https://www.comodo.com/e-commerce/code-signing/code-signing-certificate.php) +- [DigiCert](https://www.digicert.com/code-signing/) +- [GlobalSign](https://www.globalsign.com/en/code-signing-certificate/) +- [SSL.com](https://www.ssl.com/certificates/code-signing/) + +The complete list of certification authorities trusted by Windows can also be obtained from [http://aka.ms/trustcertpartners](/security/trusted-root/participants-list). You can use self-issued certificates for testing purposes. However, packages signed using self-issued certificates are not accepted by NuGet.org. Learn more about [creating a test certificate](#create-a-test-certificate) diff --git a/docs/create-packages/Source-and-Config-File-Transformations.md b/docs/create-packages/Source-and-Config-File-Transformations.md index 79402e54c..65f9f7659 100644 --- a/docs/create-packages/Source-and-Config-File-Transformations.md +++ b/docs/create-packages/Source-and-Config-File-Transformations.md @@ -4,7 +4,7 @@ description: Details on the ability for NuGet packages to transform source code author: JonDouglas ms.author: jodou ms.date: 04/24/2017 -ms.topic: conceptual +ms.topic: how-to ms.reviewer: anangaur --- @@ -174,4 +174,4 @@ To remove only the `MyNuModule` element during package uninstall, the `web.confi     -``` \ No newline at end of file +``` diff --git a/docs/create-packages/Supporting-Multiple-Target-Frameworks.md b/docs/create-packages/Supporting-Multiple-Target-Frameworks.md index 91576a3c8..14fc9ffe4 100644 --- a/docs/create-packages/Supporting-Multiple-Target-Frameworks.md +++ b/docs/create-packages/Supporting-Multiple-Target-Frameworks.md @@ -4,7 +4,7 @@ description: Description of the various methods to target multiple .NET Framewor author: JonDouglas ms.author: jodou ms.date: 07/15/2019 -ms.topic: conceptual +ms.topic: concept-article --- # Support multiple .NET versions @@ -189,4 +189,4 @@ With `packages.config`, content files and PowerShell scripts can be grouped by t If a framework folder is left empty, NuGet doesn't add assembly references or content files or run the PowerShell scripts for that framework. > [!Note] -> Because `init.ps1` is executed at the solution level and not dependent on project, it must be placed directly under the `tools` folder. It's ignored if placed under a framework folder. \ No newline at end of file +> Because `init.ps1` is executed at the solution level and not dependent on project, it must be placed directly under the `tools` folder. It's ignored if placed under a framework folder. diff --git a/docs/create-packages/Symbol-Packages.md b/docs/create-packages/Symbol-Packages.md index 3226ec766..ae6f7387b 100644 --- a/docs/create-packages/Symbol-Packages.md +++ b/docs/create-packages/Symbol-Packages.md @@ -4,7 +4,7 @@ description: How to create NuGet packages that contain only symbols to support d author: JonDouglas ms.author: jodou ms.date: 09/12/2017 -ms.topic: conceptual +ms.topic: how-to ms.reviewer: anangaur --- diff --git a/docs/create-packages/author-packages-with-COM-interop-assemblies.md b/docs/create-packages/author-packages-with-COM-interop-assemblies.md index e37c68ce4..6c4a61385 100644 --- a/docs/create-packages/author-packages-with-COM-interop-assemblies.md +++ b/docs/create-packages/author-packages-with-COM-interop-assemblies.md @@ -4,7 +4,7 @@ description: Describes how to create packages that contain COM interop assemblie author: JonDouglas ms.author: jodou ms.date: 07/09/2019 -ms.topic: conceptual +ms.topic: article --- # Create NuGet packages that contain COM interop assemblies @@ -25,4 +25,4 @@ Note that when using the `packages.config` management format, adding references Additionally, by default the [build assets do not flow transitively](../consume-packages/package-references-in-project-files.md#controlling-dependency-assets). Packages authored as described here work differently when they are pulled as a transitive dependency from a project to project reference. The package consumer can allow them to flow by modifying the PrivateAssets default value to not include build. - \ No newline at end of file + diff --git a/docs/create-packages/creating-a-package-dotnet-cli.md b/docs/create-packages/creating-a-package-dotnet-cli.md index 048cb9cbc..2917a2ec0 100644 --- a/docs/create-packages/creating-a-package-dotnet-cli.md +++ b/docs/create-packages/creating-a-package-dotnet-cli.md @@ -3,8 +3,8 @@ title: Create a NuGet package with the dotnet CLI description: Read a detailed guide about the process of designing and creating a NuGet package, including key decision points like files and versioning. author: JonDouglas ms.author: jodou -ms.date: 08/29/2022 -ms.topic: conceptual +ms.date: 03/03/2025 +ms.topic: how-to --- # Create a NuGet package with the dotnet CLI diff --git a/docs/create-packages/creating-a-package-msbuild.md b/docs/create-packages/creating-a-package-msbuild.md index d8b92dee3..48f58e902 100644 --- a/docs/create-packages/creating-a-package-msbuild.md +++ b/docs/create-packages/creating-a-package-msbuild.md @@ -3,8 +3,8 @@ title: Create a NuGet package using MSBuild description: A detailed guide to the process of designing and creating a NuGet package using MSBuild, including key decision points like files and versioning. author: JonDouglas ms.author: jodou -ms.date: 07/14/2022 -ms.topic: conceptual +ms.date: 08/17/2023 +ms.topic: how-to --- # Create a NuGet package using MSBuild @@ -13,9 +13,12 @@ When you create a NuGet package from your code, you package that functionality i For .NET Core and .NET Standard projects that use the [SDK-style format](../resources/check-project-format.md), and any other SDK-style projects, NuGet uses information in the project file directly to create a package. For a non-SDK-style project that uses ``, NuGet also uses the project file to create a package. -SDK-style projects have the pack functionality available by default. For non SDK-style PackageReference projects, you need to add the NuGet.Build.Tasks.Pack package to the project dependencies. For detailed information about MSBuild pack targets, see [NuGet pack and restore as MSBuild targets](../reference/msbuild-targets.md). +SDK-style projects have the pack functionality available by default. +For non-SDK-style PackageReference projects, it is also available by default starting from Visual Studio 2026. +In earlier versions of Visual Studio you need to add the NuGet.Build.Tasks.Pack package to the project dependencies and we recommend removing this package reference when upgrading to Visual Studio 2026. +For detailed information about MSBuild pack targets, see [NuGet pack and restore as MSBuild targets](../reference/msbuild-targets.md). -The command that creates a package, `msbuild -t:pack`, is functionally equivalent to `dotnet pack`. +For SDK-style projects, `msbuild -t:pack` is functionally equivalent to `dotnet pack`. > [!IMPORTANT] > This topic applies to [SDK-style](../resources/check-project-format.md) projects, typically .NET Core and .NET Standard projects, and to non-SDK-style projects that use PackageReference. @@ -77,25 +80,45 @@ For details on declaring dependencies and specifying version numbers, see [Packa [!INCLUDE [choose-package-id](includes/choose-package-id.md)] -## Add the NuGet.Build.Tasks.Pack package +## Configure project for pack -If you are using MSBuild with a non-SDK-style project and PackageReference, add the NuGet.Build.Tasks.Pack package to your project. +SDK-style projects do not require any additional configuration. -1. Open the project file and add the following after the `` element: +Non-SDK-style projects either need at least one package installed (via PackageReference, not packages.config), or the project explicitly needs to instruct NuGet to treat the project as a PackageReference project via the `RestoreProjectStyle` property. + +Visual Studio 2022 and earlier does not have pack built-in, so you also need to install the NuGet.Build.Tasks.Pack package. +When upgrading to Visual Studio 2026 or later, we recommend uninstalling the package, so that you benefit from new features and bug fixes. + +1. Edit the project file. + + If you want to explicitly instruct NuGet to treat the project as PackageReference (the project does not have any packages installed), find or add a `` that does not have any `Condition` statement, and add: + + ```xml + + + PackageReference + + + ``` + + If you are using Visual Studio 2022 or earlier, add the following after the `` element: ```xml - + ``` + + > [!NOTE] + > [Consider using the latest version of this package available.](https://www.nuget.org/packages/nuget.build.tasks.pack) 2. Open a Developer command prompt (In the **Search** box, type **Developer command prompt**). You typically want to start the Developer Command Prompt for Visual Studio from the **Start** menu, as it will be configured with all the necessary paths for MSBuild. -3. Switch to the folder containing the project file and type the following command to install the NuGet.Build.Tasks.Pack package. +3. Switch to the folder containing the project file and type the following command to restore the NuGet.Build.Tasks.Pack package. ```cmd # Uses the project file in the current folder by default diff --git a/docs/create-packages/multiple-target-frameworks-project-file.md b/docs/create-packages/multiple-target-frameworks-project-file.md index 326dc1e6f..bd321d0d1 100644 --- a/docs/create-packages/multiple-target-frameworks-project-file.md +++ b/docs/create-packages/multiple-target-frameworks-project-file.md @@ -4,7 +4,7 @@ description: Description of the various methods to target multiple .NET Framewor author: JonDouglas ms.author: jodou ms.date: 07/15/2019 -ms.topic: conceptual +ms.topic: how-to --- # Support multiple .NET Framework versions in your project file diff --git a/docs/create-packages/native-files-in-net-packages.md b/docs/create-packages/native-files-in-net-packages.md new file mode 100644 index 000000000..2b4d6ef95 --- /dev/null +++ b/docs/create-packages/native-files-in-net-packages.md @@ -0,0 +1,183 @@ +--- +title: Native files in .NET packages +description: How to pack native libraries in .NET packages +author: zivkan +ms.author: zivkan +ms.date: 09/26/2023 +ms.topic: concept-article +--- + +# Including native libraries in .NET packages + +This document explains how to create packages that work for projects targeting .NET (5+), where a .NET managed assembly uses [Platform Invoke (P/Invoke)](/dotnet/standard/native-interop/pinvoke) from a .NET managed language project, with the .NET runtime using [probing paths](/dotnet/core/dependency-loading/default-probing) to load and locate the native library. + +If you wish to support .NET Framework with your package, see the [section on projects targeting .NET Framework](#projects-targeting-net-framework). +In general, your best option is to package your own [MSBuild props and targets files](../concepts/MSBuild-props-and-targets.md), and handle build and publish targets yourself. +By not using NuGet and the .NET runtime's built in feature, you need to be sufficiently knowledgeable in MSBuild and the build systems for the relevant project types. + +While NuGet has a [`contentFiles/` feature](../reference/msbuild-targets.md#including-content-in-a-package), it is not recommended to use this, as it doesn't support per-RID selection, and therefore doesn't participate in the .NET runtime's probing paths features. + +## Background + +First we'll consider a project referencing packages. +When the app is published for a specific [Runtime Identifier (RID)](/dotnet/core/rid-catalog), then NuGet package assets for that RID will be copied into the output directory. +When the app is published without a specific RID, all RID specific content will be published in subdirectories, and a `{project}.deps.json` file is created that the .NET runtime loads to determine which directory to use as a probing path. + +Also, be aware that .NET 8 introduces breaking changes regarding [how it determines compatible RIDs from the `.deps.json` file](/dotnet/core/compatibility/deployment/8.0/rid-asset-list) and [which RIDs are recognized by the SDK](/dotnet/core/compatibility/sdk/8.0/rid-graph). + +## Understanding NuGet package asset selection + +There are three types of assets in a NuGet file that are most relevant to this scenario: compile, runtime, and native assets. +For a complete list of asset types, see the docs on [controlling dependency assets in `PackageReference` projects](../consume-packages/Package-References-in-Project-Files.md#controlling-dependency-assets). + +|Asset type|Short Description| +|--|--| +|[compile](#compile-assets)|Managed assemblies passed to the compiler. `ref/{tfm}/` if it exists, otherwise `lib/{tfm}/`.| +|[runtime](#runtime-assets)|Managed assemblies copied to the output directory. `runtimes/{rid}/lib/{tfm}/` if it exists, otherwise `lib/{tfm}/`.| +|[native](#native-assets)|Native libraries copied to the output directory. `runtimes/{rid}/native/`.| + +In all cases, NuGet chooses the "most compatible" directory for a given RID and Target Framework, and only the files in that directory are copied. +Therefore, you cannot put common assets in an inherited RID (such as `any`), because if any other RID is a better match, the `any` RID contents will not be considered. + +To inspect the implementation of NuGet's asset selection, see [`NuGet.Client`'s `ManagedCodeConventions.cs` file](https://github.com/NuGet/NuGet.Client/blob/dev/src/NuGet.Core/NuGet.Packaging/ContentModel/ManagedCodeConventions.cs). + +### Compile assets + +Compile assets are passed to the compiler, and therefore must only contain .NET assemblies. +NuGet will select compile assets from `ref/{tfm}/`, and if that directory does not exist, it will fall back to `lib/{tfm}`, where `{tfm}` is the target framework that is the closest match the project referencing the package. +However, in this scenario of creating a .NET package with native libraries, it is recommended to use `ref/` because if `lib/` is used, NuGet will think the package is compatible with projects using `packages.config`, but those projects will fail at runtime because the native files will not be copied. + +The .NET compiler will generate warnings when an assembly targets a different architecture than what the current compilation is targeting, so your package consumers will have the best experience if your `ref/` or `lib/` assemblies target `AnyCPU`. + +If your assembly contains a lot of managed code, not just P/Invoke method definitions, you can save space by making the `ref/` assembly a [reference assembly](/dotnet/standard/assembly/reference-assemblies#generating-reference-assemblies), but be sure to include it under `ref/` in your package, not `lib/`. + +Therefore, there is no capability to provide different compile-time assemblies for different RIDs, you will need to provide the same API surface for all RIDs, and do runtime checks (for example, throw `PlatformNotSupportedException`). + +### Runtime assets + +Runtime assets are .NET managed assemblies copied to the output directory on build and publish, and the .NET SDK generates the `deps.json` with all the RID-specific asset information. +NuGet will select runtime assets from `runtimes/{rid}/lib/{tfm}/`, and if that doesn't exist, then it will fall back to `lib/{tfm}/`. +The best `{rid}` directory is selected first, followed by `{tfm}`. +However, in this scenario of creating a .NET package with native libraries, it is recommended to use `runtimes/` because if `lib/` is used, NuGet will think the package is compatible with projects using `packages.config`, but those projects will fail at runtime because the native assets will not be copied. + +### Native assets + +Native assets are also copied to the output directory on build and publish, and are present in the `deps.json` file. +NuGet will select native assets from the `runtimes/{rid}/native/` directory. + +> [!NOTE] +> The [.NET SDK flattens any directory structure](https://github.com/dotnet/sdk/issues/9643) under `runtimes/{rid}/native/` when copying to the output directory. + +## Putting it together + +How to build any binaries native libraries is out of scope of this document. +It is assumed that all the native binaries and the .NET assemblies have been completed and copied to a machine for packing. + +When packing with [NuGet's MSBuild Pack target](../reference/msbuild-targets.md#pack-target), you can include arbitrary files in arbitrary package paths using `Pack="true" PackagePath="{path}"` metadata on MSBuild items. +For example, ``. + +Consider a package `Contoso.Native` that provides .NET APIs to `contoso.dll` on Windows, `libcontoso.dylib` on OSX, and `libcontoso.so` on Linux, using `[DllImport("contoso")]`. +The package contents should be (excluding files required by the [Open Packaging Conventions](https://en.wikipedia.org/wiki/Open_Packaging_Conventions)) + +### Example 1 + +If `Contoso.Native` is built as AnyCPU: + +```text +Contoso.Native.1.0.0.nuspec +ref/net8.0/Contoso.Native.dll +runtimes/any/lib/net8.0/Contoso.Native.dll +runtimes/linux-arm64/native/libcontoso.so +runtimes/linux-x64/native/libcontoso.so +runtimes/osx-arm64/native/libcontoso.dylib +runtimes/osx-x64/native/libcontoso.dylib +runtimes/win-arm64/native/contoso.dll +runtimes/win-x64/native/contoso.dll +``` + +While the `ref/` and `runtimes/any/lib` copies of `Contoso.Native.dll` could be deduplicated into a single `lib/net8.0/Contoso.Native.dll` file, this is not recommended because NuGet will believe this package is compatible with projects using `packages.config`, and these projects will fail at runtime when the native `contoso.dll` is not found. + +### Example 2 + +If `Contoso.Native` has any differences between architectures. +For example, but not limited to, using `#if` to compile difference code for different RIDs, or using `` (or anything else that causes `-platform:` to be passed to the compiler) with a value other than `AnyCPU`. + +```text +Contoso.Native.1.0.0.nuspec +ref/net8.0/Contoso.Native.dll +runtimes/linux-arm64/lib/net8.0/Contoso.Native.dll +runtimes/linux-arm64/native/libcontoso.so +runtimes/linux-x64/lib/net8.0/Contoso.Native.dll +runtimes/linux-x64/native/libcontoso.so +runtimes/osx-arm64/lib/net8.0/Contoso.Native.dll +runtimes/osx-arm64/native/libcontoso.dylib +runtimes/osx-x64/lib/net8.0/Contoso.Native.dll +runtimes/osx-x64/native/libcontoso.dylib +runtimes/win-arm64/lib/net8.0/Contoso.Native.dll +runtimes/win-arm64/native/contoso.dll +runtimes/win-x64/lib/net8.0/Contoso.Native.dll +runtimes/win-x64/native/contoso.dll +``` + +### Example 3 + +If `Contoso.Native` has conditional compilation per operating system, but not per CPU architecture. + +```text +Contoso.Native.1.0.0.nuspec +ref/net8.0/Contoso.Native.dll +runtimes/linux/lib/net8.0/Contoso.Native.dll +runtimes/linux-arm64/native/libcontoso.so +runtimes/linux-x64/native/libcontoso.so +runtimes/osx/lib/net8.0/Contoso.Native.dll +runtimes/osx-arm64/native/libcontoso.dylib +runtimes/osx-x64/native/libcontoso.dylib +runtimes/win/lib/net8.0/Contoso.Native.dll +runtimes/win-arm64/native/contoso.dll +runtimes/win-x64/native/contoso.dll +``` + +## Projects Targeting .NET Framework + +.NET has evolved over time, causing project and package incompatibility when certain features are used. +What was described above assumes that the project using the package targets .NET 5 or higher, or .NET Core (`netcoreapp`), which uses the maximum features to simplify the package contents as much as possible. +Projects targeting .NET Standard are not particularly relevant to this document, as those projects can only be class libraries, which cannot be run directly. +However, projects targeting .NET Framework can use either SDK style or non-SDK style projects, and non-SDK style projects may use either `PackageReference` or `packages.config` to use NuGet packages. +All of these combinations have different levels of support, and impose constraints on package authors who wish to support .NET Framework projects using the package. + +Our recommendation is to split the package into 3 packages. +The first is a meta-package (a package with no contents/assets, only dependencies to other packages), that has dependencies to one of the other two packages, depending on target framework. +The second package contains the .NET 5+ `ref/*` and `runtimes/*` assets as described above. +The last package will contain the .NET Framework assets, and will not use the `ref/*` or `runtime/*` conventions. +This is due to the build system having (partial) support for these NuGet conventions, but the runtime working sufficiently differently that it's easier to avoid it, to maximize project compatibility. + +The package with .NET Framework native libraries should have custom [MSBuild targets and props files](../concepts/MSBuild-props-and-targets.md), under `buildTransitive//.[props|targets]`. +For example, `buildTransitive/net472/Contoso.Native.targets`. +To support `packages.config` projects, also have a `build//.[props|targets]` which imports the `buildTransitive` file. +This MSBuild script should copy the native library to subdirectories. +Alternatively, the native libraries should have different filenames per CPU architecture, so they can all be copied into the same directory. + +Finally, the managed library, that uses P/Invoke to call into the native library, it should have runtime checks to determine what platform the current executable is running in (x86, x64, or ARM64), and then P/Invoke into the native library with the correct filename or in the correct subdirectory. + +### SDK style projects targeting .NET Framework + +When the .NET SDK builds a project targeting the .NET Framework, if one of `RuntimeIdentifier` or `PlatformTarget` is set, the .NET SDK will set the other property to an appropriate value, and package `runtimes/` contents (that [follow NuGet's conventions](#understanding-nuget-package-asset-selection)) will be copied to the output directory. +If the project does not set either `RuntimeIdentifier` or `PlatformTarget`, but any package contains RID specific contents, then the .NET SDK will set `PlatformTarget` to `x86`. +Therefore, SDK style projects targeting .NET Framework will only use `AnyCPU` by default when none of the packages contain RID specific content. + +`dotnet build -r `, or the `publish` equivalent (for example, `dotnet publish -r win-arm64`) can be used to explicitly build or publish for a specific platform. + +In order to support `AnyCPU` projects, package authors must not use the `runtimes/` conventions in their package, and must use the MSBuild targets/props files [as suggested above](#projects-targeting-net-framework). + +### Non-SDK style projects targeting .NET Framework with `PackageReference` + +If you test a non-SDK style `PackageReference` project with a package using the `runtimes/*` convention, the following behavior occurs. +If the project's configuration targets the "Any CPU" platform, the build will not copy any of the RID specific assets from the package, and the app will fail at runtime. +Using Visual Studio's Configuration Manager, the .NET projects can be changed to target x64, x86, or ARM64, instead of "Any CPU", in which case the app will work correctly at runtime. + +In order to support `AnyCPU` projects, package authors must use the MSBuild targets/props files [as suggested above](#projects-targeting-net-framework). + +### `packages.config` + +NuGet's original restore style, `packages.config`, does not support `ref/*` or `runtimes/*` conventions. +Therefore, package authors must create their own MSBuild props and targets file to support projects still using `packages.config`. diff --git a/docs/create-packages/set-package-type.md b/docs/create-packages/set-package-type.md index b16004f8c..ee8847234 100644 --- a/docs/create-packages/set-package-type.md +++ b/docs/create-packages/set-package-type.md @@ -4,7 +4,7 @@ description: Describes packages types to indicate intended use of a package. author: JonDouglas ms.author: jodou ms.date: 07/09/2019 -ms.topic: conceptual +ms.topic: how-to --- # Set a NuGet package type @@ -17,8 +17,12 @@ Packages can be marked with one more more *package types* to indicate its intend - `DotnetTool` type packages are .NET tools that can be installed by the [dotnet CLI](/dotnet/articles/core/tools/index). +- `MSBuildSdk` type packages are [MSBuild project SDKs](/visualstudio/msbuild/how-to-use-project-sdk) that simplifies using software development kits. + - `Template` type packages provide [custom templates](/dotnet/core/tools/custom-templates) that can be used to create files or projects like an app, service, tool, or class library. +- `McpServer` type packages contain MCP servers. This package type is always accompanied by the `DotnetTool` package type, because a local MCP server is distributed as a .NET tool. For information on MCP server and NuGet, see [MCP servers in NuGet packages](../concepts/nuget-mcp.md). + Packages not marked with a type, including all packages created with earlier versions of NuGet, default to the `Dependency` type. > [!NOTE] diff --git a/docs/docfx.json b/docs/docfx.json index cec78c0ea..33e9af360 100644 --- a/docs/docfx.json +++ b/docs/docfx.json @@ -34,7 +34,8 @@ "externalReference": [], "globalMetadata": { "ms.service": "nuget", - "feedback_system": "GitHub", + "uhfHeaderId": "MSDocsHeader-DotNet", + "feedback_system": "Standard", "feedback_github_repo": "NuGet/docs.microsoft.com-nuget", "feedback_product_url": "https://github.com/NuGet/Home/issues/", "breadcrumb_path": "~/_breadcrumb/toc.yml", @@ -56,7 +57,6 @@ "searchScope": [ "NuGet" ], - "uhfHeaderId": [] }, "fileMetadata": {}, "template": [], diff --git a/docs/docs.csproj b/docs/docs.csproj new file mode 100644 index 000000000..e63c1c5b9 --- /dev/null +++ b/docs/docs.csproj @@ -0,0 +1,5 @@ + + + net472 + + \ No newline at end of file diff --git a/docs/guides/Create-UWP-Packages-CS.md b/docs/guides/Create-UWP-Packages-CS.md index 24edacd94..1efb113a9 100644 --- a/docs/guides/Create-UWP-Packages-CS.md +++ b/docs/guides/Create-UWP-Packages-CS.md @@ -1,9 +1,9 @@ --- title: Create NuGet Packages for the UWP Platform (C#) description: An end-to-end walkthrough of creating NuGet packages using a Windows Runtime Component for the Universal Windows Platform in C#. -author: rrelyea -ms.author: rrelyea -ms.date: 02/28/2020 +author: JonDouglas +ms.author: jodou +ms.date: 11/01/2023 ms.topic: tutorial --- @@ -15,17 +15,17 @@ In this walkthrough you create a NuGet package with a C# UWP component (includin ## Prerequisites -1. Visual Studio 2019. Install the 2019 Community edition for free from [visualstudio.com](https://www.visualstudio.com/); you can use the Professional and Enterprise editions as well. +1. Visual Studio 2019. Install the 2019 Community edition for free from [visualstudio.com](https://www.visualstudio.com/). You can also use the Professional and Enterprise editions. -1. NuGet CLI. Download the latest version of `nuget.exe` from [nuget.org/downloads](https://nuget.org/downloads), saving it to a location of your choice (the download is the `.exe` directly). Then add that location to your PATH environment variable if it isn't already. [More details](../reference/nuget-exe-cli-reference.md#windows). +1. NuGet CLI. Download the latest version of `nuget.exe` from [nuget.org/downloads](https://nuget.org/downloads) and save the tool to a location of your choice. (The download is the `.exe` file directly.) Add the tool file location to your PATH environment variable, if it isn't already. For more information, see [Installing nuget.exe](../reference/nuget-exe-cli-reference.md#installing-nugetexe). ## Create a UWP Windows Runtime component -1. In Visual Studio, choose **File > New > Project**, search for "uwp c#", select the **Windows Runtime Component (Universal Windows)** template, click next, change the name to ImageEnhancer, and click Create. Accept the default values for Target Version and Minimum Version when prompted. +1. In Visual Studio, select **File > New > Project**, and search for "uwp c#". Select the **Windows Runtime Component (Universal Windows)** template and select **Next**. Change the name to ImageEnhancer, and select **Create**. Accept the default values for Target Version and Minimum Version when prompted. ![Creating a new UWP Windows Runtime Component project](media/UWP-NewProject-CS.png) -1. Right click the project in Solution Explorer, select **Add > New Item**, select **Templated Control**, change the name to AwesomeImageControl.cs, and click **Add**: +1. Right-click the project in Solution Explorer, select **Add > New Item**, select **Templated Control**, change the name to AwesomeImageControl.cs, and select **Add**: ![Adding a new XAML Templated Control item to the project](media/UWP-NewXAMLControl-CS.png) @@ -33,27 +33,28 @@ In this walkthrough you create a NuGet package with a C# UWP component (includin ![Setting Generate XML Documentation Files to Yes](media/UWP-GenerateXMLDocFiles-CS.png) -1. Right click the *solution* now, select **Batch Build**, check the five build boxes in the dialog as shown below. This makes sure that when you do a build, you generate a full set of artifacts for each of the target systems that Windows supports. +1. Right-click the *solution* and select **Batch Build**. Select the five build boxes, as shown in the following image. This makes sure that when you do a build, you generate a full set of artifacts for each of the target systems that Windows supports. ![Batch Build](media/UWP-BatchBuild-CS.png) -1. In the Batch Build dialog, and click **Build** to verify the project and create the output files that you need for the NuGet package. +1. In the Batch Build dialog, and select **Build** to verify the project and create the output files that you need for the NuGet package. > [!Note] > In this walkthrough you use the Debug artifacts for the package. For non-debug package, check the Release options in the Batch Build dialog instead, and refer to the resulting Release folders in the steps that follow. ## Create and update the .nuspec file -To create the initial `.nuspec` file, do the three steps below. The sections that follow then guide you through other necessary updates. +To create the initial `.nuspec` file, complete the following steps. The subsequent sections guide you through other necessary updates. -1. Open a command prompt and navigate to the folder containing `ImageEnhancer.csproj` (this will be a subfolder below where the solution file is). -1. Run the [`NuGet spec`](../reference/cli-reference/cli-ref-spec.md) command to generate `ImageEnhancer.nuspec` (the name of the file is taken from the name of the `.csroj` file): +1. Open a command prompt and browse to the folder that contains the `ImageEnhancer.csproj` file, which should be a subfolder of the folder that contains the solution file. + +1. Run the [`NuGet spec`](../reference/cli-reference/cli-ref-spec.md) command to generate the `ImageEnhancer.nuspec` file. The name of the file is taken from the name of the `.csroj` file. ```cli nuget spec ``` -1. Open `ImageEnhancer.nuspec` in an editor and update it to match the following, replacing YOUR_NAME with an appropriate value. Do not leave any of the $propertyName$ values. The `` value, specifically, must be unique across nuget.org (see the naming conventions described in [Creating a package](../create-packages/creating-a-package.md#choose-a-unique-package-identifier-and-setting-the-version-number)). Also note that you must also update the author and description tags or you get an error during the packing step. +1. Open `ImageEnhancer.nuspec` in an editor and update it to match the following, replacing YOUR_NAME with an appropriate value. Don't leave any of the $propertyName$ values. The `` value, specifically, must be unique across nuget.org (see the naming conventions described in [Creating a package](../create-packages/creating-a-package.md#choose-a-unique-package-identifier-and-setting-the-version-number)). Also note that you must also update the author and description tags or you get an error during the packing step. ```xml diff --git a/docs/guides/Native-Packages.md b/docs/guides/Native-Packages.md index 14f5c5353..68f42f4a7 100644 --- a/docs/guides/Native-Packages.md +++ b/docs/guides/Native-Packages.md @@ -4,7 +4,7 @@ description: Details on creating native NuGet packages that contains C++ code in author: JonDouglas ms.author: jodou ms.date: 01/09/2017 -ms.topic: conceptual +ms.topic: concept-article --- # Creating native packages diff --git a/docs/guides/analyzers-conventions.md b/docs/guides/analyzers-conventions.md index 8122c81dc..78156098d 100644 --- a/docs/guides/analyzers-conventions.md +++ b/docs/guides/analyzers-conventions.md @@ -4,7 +4,7 @@ description: Conventions for .NET analyzers that are packaged and distributed wi author: JonDouglas ms.author: jodou ms.date: 01/09/2017 -ms.topic: conceptual +ms.topic: article --- # Analyzer NuGet formats diff --git a/docs/guides/api/query-for-all-published-packages.md b/docs/guides/api/query-for-all-published-packages.md index c287b2b87..6d747555e 100644 --- a/docs/guides/api/query-for-all-published-packages.md +++ b/docs/guides/api/query-for-all-published-packages.md @@ -79,7 +79,7 @@ After you have downloaded all of the catalog pages not filtered out, you have a At this point, you can perform any custom processing you'd like on the catalog items. If all you need is the ID and version of the package, you can inspect the `nuget:id` and `nuget:version` properties on the catalog item objects found in the pages. Make sure to look at the `@type` property to know if the catalog item concerns an existing package or a deleted package. -If you are interested in the metadata about the package (such at the description, dependencies, .nupkg size, etc), you can fetch the [catalog leaf document](../../api/catalog-resource.md#catalog-leaf) using the `@id` property. +If you are interested in the metadata about the package (such as the description, dependencies, .nupkg size, etc), you can fetch the [catalog leaf document](../../api/catalog-resource.md#catalog-leaf) using the `@id` property. ``` GET https://api.nuget.org/v3/catalog0/data/2015.02.01.11.18.40/windowsazure.storage.1.0.0.json diff --git a/docs/guides/create-packages-for-xamarin.md b/docs/guides/create-packages-for-xamarin.md deleted file mode 100644 index 0ec741a5f..000000000 --- a/docs/guides/create-packages-for-xamarin.md +++ /dev/null @@ -1,279 +0,0 @@ ---- -title: Create NuGet Packages for Xamarin (for iOS, Android, and Windows) with Visual Studio 2017 or 2019 -description: An end-to-end walkthrough of creating NuGet packages for Xamarin that use native APIs on iOS, Android, and Windows. -author: JonDouglas -ms.author: jodou -ms.date: 11/05/2019 -ms.topic: tutorial ---- - -# Create packages for Xamarin with Visual Studio 2017 or 2019 - -A package for Xamarin contains code that uses native APIs on iOS, Android, and Windows, depending on the run-time operating system. Although this is straightforward to do, it's preferable to let developers consume the package from a PCL or .NET Standard libraries through a common API surface area. - -In this walkthrough you use Visual Studio 2017 or 2019 to create a cross-platform NuGet package that can be used in mobile projects on iOS, Android, and Windows. - -1. [Prerequisites](#prerequisites) -1. [Create the project structure and abstraction code](#create-the-project-structure-and-abstraction-code) -1. [Write your platform-specific code](#write-your-platform-specific-code) -1. [Create and update the .nuspec file](#create-and-update-the-nuspec-file) -1. [Package the component](#package-the-component) -1. [Related topics](#related-topics) - -## Prerequisites - -1. Visual Studio 2017 or 2019 with Universal Windows Platform (UWP) and Xamarin. Install the Community edition for free from [visualstudio.com](https://www.visualstudio.com/); you can use the Professional and Enterprise editions as well, of course. To include UWP and Xamarin tools, select a Custom install and check the appropriate options. -1. NuGet CLI. Download the latest version of nuget.exe from [nuget.org/downloads](https://nuget.org/downloads), saving it to a location of your choice. Then add that location to your PATH environment variable if it isn't already. - -> [!Note] -> nuget.exe is the CLI tool itself, not an installer, so be sure to save the downloaded file from your browser instead of running it. - -## Create the project structure and abstraction code - -1. Download and run the [Cross-Platform .NET Standard Plugin Templates extension](https://marketplace.visualstudio.com/items?itemName=vs-publisher-473885.PluginForXamarinTemplates) for Visual Studio. These templates will make it easy to create the necessary project structure for this walkthrough. -1. In Visual Studio 2017, **File > New > Project**, search for `Plugin`, select the **Cross-Platform .NET Standard Library Plugin** template, change the name to LoggingLibrary, and click OK. - - ![New Blank App (Xamarin.Forms Portable) project in VS 2017](media/CrossPlatform-NewProject.png) - - In Visual Studio 2019, **File > New > Project**, search for `Plugin`, select the **Cross-Platform .NET Standard Library Plugin** template, and click Next. - - ![New Blank App (Xamarin.Forms Portable) project in VS 2019](media/CrossPlatform-NewProject19-Part1.png) - - Change the name to LoggingLibrary, and click Create. - - ![New Blank App (Xamarin.Forms Portable) configuration in VS 2019](media/CrossPlatform-NewProject19-Part2.png) - -The resulting solution contains two Shared projects, along with a variety of platform-specific projects: - -- The `ILoggingLibrary` project, which is contained in the `ILoggingLibrary.shared.cs` file, defines the public interface (the API surface area) of the component. This is where you define the interface to your library. -- The other Shared project contains code in `CrossLoggingLibrary.shared.cs` that will locate a platform-specific implementation of the abstract interface at run time. You typically don't need to modify this file. -- The platform-specific projects, such as `LoggingLibrary.android.cs`, each contain a native implementation of the interface in their respective `LoggingLibraryImplementation.cs` (VS 2017) or `LoggingLibrary..cs` (VS 2019) files. This is where you build out your library's code. - -By default, the ILoggingLibrary.shared.cs file of the `ILoggingLibrary` project contains an interface definition, but no methods. For the purposes of this walkthrough, add a `Log` method as follows: - -```cs -using System; -using System.Collections.Generic; -using System.Text; - -namespace Plugin.LoggingLibrary -{ - /// - /// Interface for LoggingLibrary - /// - public interface ILoggingLibrary - { - /// - /// Log a message - /// - void Log(string text); - } -} -``` - -## Write your platform-specific code - -To implement a platform-specific implementation of the `ILoggingLibrary` interface and its methods, do the following: - -1. Open the `LoggingLibraryImplementation.cs` (VS 2017) or `LoggingLibrary..cs` (VS 2019) file of each platform project and add the necessary code. For example (using the `Android` platform project): - - ```cs - using System; - using System.Collections.Generic; - using System.Text; - - namespace Plugin.LoggingLibrary - { - /// - /// Implementation for Feature - /// - public class LoggingLibraryImplementation : ILoggingLibrary - { - /// - /// Log a message - /// - public void Log(string text) - { - throw new NotImplementedException("Called Log on Android"); - } - } - } - ``` - -1. Repeat this implementation in the projects for each platform you want to support. -1. Right-click the solution and select **Build Solution** to check your work and produce the artifacts that you package next. If you get errors about missing references, right-click the solution, select **Restore NuGet Packages** to install dependencies, and rebuild. - -> [!Note] -> If you are using Visual Studio 2019, before selecting **Restore NuGet Packages** and trying to rebuild, you need to change the version of `MSBuild.Sdk.Extras` to `2.0.54` in `LoggingLibrary.csproj`. This file can only be accessed by first right-clicking the project (below the solution) and selecting `Unload Project`, after which you right-click on the unloaded project and select `Edit LoggingLibrary.csproj`. - -> [!Note] -> To build for iOS you need a networked Mac connected to Visual Studio as described on [Introduction to Xamarin.iOS for Visual Studio](https://developer.xamarin.com/guides/ios/getting_started/installation/windows/introduction_to_xamarin_ios_for_visual_studio/). If you don't have a Mac available, clear the iOS project in the configuration manager (step 3 above). - -## Create and update the .nuspec file - -1. Open a command prompt, navigate to the `LoggingLibrary` folder that's one level below where the `.sln` file is, and run the NuGet `spec` command to create the initial `Package.nuspec` file: - - ```cli - nuget spec - ``` - -1. Rename this file to `LoggingLibrary.nuspec` and open it in an editor. -1. Update the file to match the following, replacing YOUR_NAME with an appropriate value. The `` value, specifically, must be unique across nuget.org (see the naming conventions described in [Creating a package](../create-packages/creating-a-package.md#choose-a-unique-package-identifier-and-setting-the-version-number)). Also note that you must also update the author and description tags or you get an error during the packing step. - - ```xml - - - - LoggingLibrary.YOUR_NAME - 1.0.0 - LoggingLibrary - YOUR_NAME - YOUR_NAME - false - Awesome application logging utility - First release - Copyright 2018 - logger logging logs - - - ``` - -> [!Tip] -> You can suffix your package version with `-alpha`, `-beta` or `-rc` to mark your package as pre-release, check [Pre-release versions](../create-packages/prerelease-packages.md) for more information about pre-release versions. - -### Add reference assemblies - -To include platform-specific reference assemblies, add the following to the `` element of `LoggingLibrary.nuspec` as appropriate for your supported platforms: - -```xml - - - - - - - - - - - - - - - - - - - - -``` - -> [!Note] -> To shorten the names of the DLL and XML files, right-click on any given project, select the **Library** tab, and change the assembly names. - -### Add dependencies - -If you have specific dependencies for native implementations, use the `` element with `` elements to specify them, for example: - -```xml - - - - - - - - - - - - -``` - -For example, the following would set iTextSharp as a dependency for the UAP target: - -```xml - - - - - -``` - -### Final .nuspec - -Your final `.nuspec` file should now look like the following, where again YOUR_NAME should be replaced with an appropriate value: - -```xml - - - - LoggingLibrary.YOUR_NAME - 1.0.0 - LoggingLibrary - YOUR_NAME - YOUR_NAME - false - Awesome application logging utility - First release - Copyright 2018 - logger logging logs - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -## Package the component - -With the completed `.nuspec` referencing all the files you need to include in the package, you're ready to run the `pack` command: - -```cli -nuget pack LoggingLibrary.nuspec -``` - -This will generate `LoggingLibrary.YOUR_NAME.1.0.0.nupkg`. Opening this file in a tool like the [NuGet Package Explorer](https://github.com/NuGetPackageExplorer/NuGetPackageExplorer) and expanding all the nodes, you see the following contents: - -![NuGet Package Explorer showing the LoggingLibrary package](media/Cross-Platform-PackageExplorer.png) - -> [!Tip] -> A `.nupkg` file is just a ZIP file with a different extension. You can also examine package contents, then, by changing `.nupkg` to `.zip`, but remember to restore the extension before uploading a package to nuget.org. - -To make your package available to other developers, follow the instructions on [Publish a package](../nuget-org/publish-a-package.md). - -## Related topics - -- [Nuspec Reference](../reference/nuspec.md) -- [Symbol packages](../create-packages/symbol-packages.md) -- [Package versioning](../concepts/package-versioning.md) -- [Supporting Multiple .NET Framework Versions](../create-packages/supporting-multiple-target-frameworks.md) -- [Include MSBuild props and targets in a package](../create-packages/creating-a-package.md#include-msbuild-props-and-targets-in-a-package) -- [Creating Localized Packages](../create-packages/creating-localized-packages.md) diff --git a/docs/guides/media/CrossPlatform-NewProject.png b/docs/guides/media/CrossPlatform-NewProject.png deleted file mode 100644 index 449fa4d0c..000000000 Binary files a/docs/guides/media/CrossPlatform-NewProject.png and /dev/null differ diff --git a/docs/guides/media/CrossPlatform-NewProject19-Part1.png b/docs/guides/media/CrossPlatform-NewProject19-Part1.png deleted file mode 100644 index 25418b39a..000000000 Binary files a/docs/guides/media/CrossPlatform-NewProject19-Part1.png and /dev/null differ diff --git a/docs/guides/media/CrossPlatform-NewProject19-Part2.png b/docs/guides/media/CrossPlatform-NewProject19-Part2.png deleted file mode 100644 index 373e8ff4d..000000000 Binary files a/docs/guides/media/CrossPlatform-NewProject19-Part2.png and /dev/null differ diff --git a/docs/hosting-packages/Local-Feeds.md b/docs/hosting-packages/Local-Feeds.md index de95954d3..6b422460f 100644 --- a/docs/hosting-packages/Local-Feeds.md +++ b/docs/hosting-packages/Local-Feeds.md @@ -4,7 +4,7 @@ description: How to create a local feed for NuGet packages using folders on your author: JonDouglas ms.author: jodou ms.date: 12/06/2017 -ms.topic: conceptual +ms.topic: how-to --- # Local feeds diff --git a/docs/hosting-packages/NuGet-Server.md b/docs/hosting-packages/NuGet-Server.md index 19d2467c6..b79f0a22e 100644 --- a/docs/hosting-packages/NuGet-Server.md +++ b/docs/hosting-packages/NuGet-Server.md @@ -3,8 +3,8 @@ title: Using NuGet.Server to Host NuGet Feeds description: How to create and host a NuGet package feed on any server running IIS using NuGet.Server, making packages available through HTTP and OData. author: JonDouglas ms.author: jodou -ms.date: 03/13/2018 -ms.topic: conceptual +ms.date: 07/11/2023 +ms.topic: how-to --- # NuGet.Server @@ -12,6 +12,7 @@ ms.topic: conceptual NuGet.Server is a package provided by the .NET Foundation that creates an ASP.NET application that can host a package feed on any server that runs IIS. Simply said, NuGet.Server makes a folder on the server available through HTTP(S) (specifically OData). It's easy to set up and is best for simple scenarios. 1. Create an empty ASP.NET Web application in Visual Studio and add the NuGet.Server package to it. + - If you are using Visual Studio 2022, you must add the .NET Framework development tools. You need this so that you can create a new **ASP.NET Web Application (.NET Framework)** project. 1. Configure the `Packages` folder in the application and add packages. 1. Deploy the application to a suitable server. diff --git a/docs/hosting-packages/Overview.md b/docs/hosting-packages/Overview.md index 675c86c40..9d98050e0 100644 --- a/docs/hosting-packages/Overview.md +++ b/docs/hosting-packages/Overview.md @@ -1,10 +1,10 @@ --- title: Overview of Hosting Your Own NuGet Feeds -description: An overview of opens for hosting your own NuGet package feeds or galleries either locally or remotely. +description: An overview of options for hosting your own NuGet package feeds or galleries either locally or remotely. author: JonDouglas ms.author: jodou ms.date: 3/2/2022 -ms.topic: conceptual +ms.topic: concept-article ms.reviewer: anangaur --- @@ -23,19 +23,26 @@ There are also several other NuGet hosting products such as [Azure Artifacts](ht - [Artifactory](https://www.jfrog.com/artifactory/) from JFrog. - [Azure Artifacts](https://www.visualstudio.com/docs/package/nuget/publish), which is also available on Team Foundation Server 2017 and later. - [BaGet](https://github.com/loic-sharma/BaGet), an open-source implementation of NuGet V3 server built on ASP.NET Core +- [BaGetter](https://github.com/bagetter/BaGetter), an open-source and community driven fork of BaGet - [Bytesafe](https://docs.bytesafe.dev/package-managers/nuget/) A fully managed package and supply chain security platform - [Cloudsmith](https://cloudsmith.io/l/nuget-feed/), a fully managed package management SaaS -- [Gitea](https://gitea.io), an open-source, self-hostable Git service supports NuGet as a [package registry](https://docs.gitea.io/en-us/packages/nuget/) +- [Feedz.io](https://feedz.io) a fully managed package management SaaS +- [Gitea](https://gitea.io), an open-source, self-hostable Git service supports NuGet as a [package registry](https://docs.gitea.io/en-us/usage/packages/nuget/) - [GitHub package registry](https://help.github.com/articles/configuring-nuget-for-use-with-github-package-registry) - [GitLab Package Registry](https://docs.gitlab.com/ee/user/packages/nuget_repository/) - [JetBrains Space](https://www.jetbrains.com/help/space/nuget-feed.html) - [LiGet](https://github.com/ai-traders/liget), an open-source implementation of NuGet V2 server that runs on kestrel in docker - [MyGet](https://myget.org) -- [Nexus Repository OSS](https://www.sonatype.com/nexus-repository-oss) from Sonatype. +- [Nexus Repository OSS](https://www.sonatype.com/products/sonatype-nexus-oss-download) from Sonatype. - [NuGet Server (Open Source)](https://github.com/svenkle/nuget-server), an open-source implementation similar to Inedo's NuGet Server - [NuGet Server](http://nugetserver.net/), a community project from Inedo - [ProGet](https://inedo.com/proget) from Inedo - [Sleet](https://github.com/emgarten/sleet), an open-source NuGet V3 static feed generator - [TeamCity](https://www.jetbrains.com/teamcity/) from JetBrains. +- [RepoFlow](https://www.repoflow.io), a simple and easy-to-use package management platform. Regardless of how packages are hosted, you access them by adding them to the list of available sources in `NuGet.Config`. This can be done in Visual Studio as described in [Package Sources](../consume-packages/install-use-packages-visual-studio.md#package-sources), or from the command line using [`nuget sources`](../reference/cli-reference/cli-ref-sources.md). The path to a source can be a local folder pathname, a network name, or a URL. + +[NuGet's V3 protocol](../api/overview.md) uses a [service index](../api//service-index.md) that contains a list of URLs used by various NuGet operations. +All of the URLs in the service index must be accessible by developer and CI machines to avoid unexpected errors. +When installing any NuGet feed, it is important to validate that none of the service index resources are blocked by a company firewall, or if your network is disconnected from the Internet, that all service index resources are available on your private network. diff --git a/docs/includes/install-cli.md b/docs/includes/install-cli.md index 1cfc3aa01..f8a68be7b 100644 --- a/docs/includes/install-cli.md +++ b/docs/includes/install-cli.md @@ -1,30 +1,53 @@ -#### Windows +--- +title: Include +description: Installation steps for the nuget.exe CLI tool on Windows, macOS, and Linux. +author: JonDouglas +ms.author: jodou +ms.date: 11/03/2023 +ms.topic: include +--- -> [!Note] -> NuGet.exe 5.0 and later require .NET Framework 4.7.2 or later to execute. +# [Windows](#tab/windows) -1. Visit [nuget.org/downloads](https://nuget.org/downloads) and select NuGet 3.3 or higher (2.8.6 is not compatible with Mono). The latest version is always recommended, and 4.1.0+ is required to publish packages to nuget.org. -1. Each download is the `nuget.exe` file directly. Instruct your browser to save the file to a folder of your choice. The file is *not* an installer; you won't see anything if you run it directly from the browser. -1. Add the folder where you placed `nuget.exe` to your PATH environment variable to use the CLI tool from anywhere. +Always install the **latest** version of the tool that supports your configuration. -#### macOS/Linux +- You can download the latest recommended version at `https://dist.nuget.org/win-x86-commandline/latest/nuget.exe`. +- If you already have the `nuget.exe` CLI tool installed, you can update the tool to the latest version with the command `nuget update -self`. +- For compatibility with older continuous integration systems, a previous URL, `https://nuget.org/nuget.exe` currently provides the [deprecated version 2.8.6](https://github.com/NuGet/NuGetGallery/issues/5381) of the CLI tool. -Behaviors may vary slightly by OS distribution. +1. Visit [nuget.org/downloads](https://nuget.org/downloads) and download NuGet version 3.3 or later. -1. Install [Mono 4.4.2 or later](https://www.mono-project.com/docs/getting-started/install/). + - Version 5.0 and later requires the .NET Framework version 4.7.2 or later. + - Version 4.1.0 and later is required to publish packages to `nuget.org`. + - Version 2.8.6 isn't compatible with [Mono](https://www.mono-project.com/docs/getting-started/install/). + +1. Each download is the `nuget.exe` file directly. Instruct your browser to save the file to a folder of your choice. The download file isn't an installer, so you don't see anything if you run the file directly from the browser. + +1. To use the CLI tool from anywhere, add the folder location for the `nuget.exe` file to your PATH environment variable. + +# [macOS / Linux](#tab/macos+linux) + +Behaviors can vary slightly based on your operating system distribution. + +> [!NOTE] +> Visual Studio for Mac is scheduled for retirement by August 31, 2024 in accordance with [Microsoft's Modern Lifecycle Policy](/lifecycle/policies/modern). For more information, see [What's happening to Visual Studio for Mac](/visualstudio/mac/what-happened-to-vs-for-mac). + +1. Install [Mono version 4.4.2 or later](https://www.mono-project.com/docs/getting-started/install/). 1. Execute the following command at a shell prompt: - ```bash - # Download the latest stable `nuget.exe` to `/usr/local/bin` - sudo curl -o /usr/local/bin/nuget.exe https://dist.nuget.org/win-x86-commandline/latest/nuget.exe - ``` + ```bash + # Download the latest stable `nuget.exe` to `/usr/local/bin` + sudo curl -o /usr/local/bin/nuget.exe https://dist.nuget.org/win-x86-commandline/latest/nuget.exe + ``` + +1. Create an alias by adding the following script to the appropriate file for your operating system (typically `~/.bash_aliases` or `~/.bash_profile`): -1. Create an alias by adding the following script to the appropriate file for your OS (typically `~/.bash_aliases` or `~/.bash_profile`): + ```bash + # Create as alias for nuget + alias nuget="mono /usr/local/bin/nuget.exe" + ``` - ```bash - # Create as alias for nuget - alias nuget="mono /usr/local/bin/nuget.exe" - ``` +1. Reload the shell. Test the installation by entering the command `nuget` with no parameters. NuGet CLI help should display. -1. Reload the shell. Test the installation by entering `nuget` with no parameters. NuGet CLI help should display. +--- \ No newline at end of file diff --git a/docs/includes/nugetsolver-tool.md b/docs/includes/nugetsolver-tool.md new file mode 100644 index 000000000..3b06bad0e --- /dev/null +++ b/docs/includes/nugetsolver-tool.md @@ -0,0 +1,12 @@ +--- +title: Include +description: Suggest NuGetSolver experimental tool. +author: ErickYondon +ms.author: eryondon +ms.date: 1/16/2024 +ms.topic: include +--- + +> [!Tip] +> **Alternative solution**: NuGetSolver is a Visual Studio Extension developed by Microsoft DevLabs, designed to assist in resolving dependency conflicts. It automates the process of identifying and addressing these issues. For further details, visit the [NuGetSolver](https://marketplace.visualstudio.com/items?itemName=vsext.NuGetSolver) page on the Visual Studio Marketplace and we'd love to hear your feedback about your experience. + diff --git a/docs/index.yml b/docs/index.yml index 792a6b3f7..602660403 100644 --- a/docs/index.yml +++ b/docs/index.yml @@ -9,7 +9,7 @@ metadata: ms.topic: hub-page author: JonDouglas ms.author: jodou - ms.date: 01/13/2020 + ms.date: 03/03/2025 highlightedContent: items: diff --git a/docs/install-nuget-client-tools.md b/docs/install-nuget-client-tools.md index fbdb09bdc..1a2915b63 100644 --- a/docs/install-nuget-client-tools.md +++ b/docs/install-nuget-client-tools.md @@ -1,9 +1,9 @@ --- -title: Installing NuGet client tools -description: Guidance on installing client tools, the dotnet and nuget command-line interfaces (CLI), and the Package Manager for Visual Studio. +title: Install NuGet client tools +description: Learn how to install and use the dotnet and NuGet client command-line interface (CLI) tools and the Package Manager tool for Visual Studio. author: JonDouglas ms.author: jodou -ms.date: 06/20/2019 +ms.date: 03/03/2025 ms.topic: quickstart --- @@ -11,100 +11,132 @@ ms.topic: quickstart > **Looking to install a package? See [Ways to install NuGet packages](consume-packages/overview-and-workflow.md#ways-to-install-a-nuget-package).** -To work with NuGet, as a package consumer or creator, you can use command-line interface (CLI) tools as well as NuGet features in Visual Studio. This article briefly outlines the capabilities of the different tools, how to install them, and their comparative [feature availability](#feature-availability). To get started using NuGet to consume packages, see [Install and use a package (dotnet CLI)](quickstart/install-and-use-a-package-using-the-dotnet-cli.md) and [Install and use a package (Visual Studio)](quickstart/install-and-use-a-package-in-visual-studio.md). To get started creating NuGet packages, see [Create and publish a NET Standard package (dotnet CLI)](quickstart/create-and-publish-a-package-using-the-dotnet-cli.md) and [Create and publish a NET Standard package (Visual Studio)](quickstart/create-and-publish-a-package-using-visual-studio.md). +To work with NuGet as a package consumer or creator, you can use command-line interface (CLI) tools and NuGet features in Visual Studio. This article briefly outlines the capabilities of the different tools, how to install them, and their comparative [feature availability](#feature-availability). -| Tool                | Description | Download          | -|:------------- |:-------------|:-----| -| [dotnet.exe](#dotnetexe-cli) | CLI tool for .NET Core and .NET Standard libraries, and for any [SDK-style project](resources/check-project-format.md) such as one that targets .NET Framework. Included with the .NET Core SDK and provides core NuGet features on all platforms. (Starting in Visual Studio 2017, the dotnet CLI is automatically installed with any .NET Core related workloads.)| [.NET Core SDK](https://www.microsoft.com/net/download/) | -| [nuget.exe](#nugetexe-cli) | CLI tool for .NET Framework libraries and for any [non-SDK-style project](resources/check-project-format.md) such as one that targets .NET Standard libraries. Provides all NuGet capabilities on Windows, provides most features on Mac and Linux when running under Mono. | [nuget.exe](https://dist.nuget.org/win-x86-commandline/latest/nuget.exe) | -| [Visual Studio](#visual-studio) | On Windows, the **NuGet Package Manager** is included with Visual Studio 2012 and later. Visual Studio provides the [Package Manager UI](consume-packages/install-use-packages-visual-studio.md) and the [Package Manager Console](consume-packages/install-use-packages-powershell.md), through which you can run most NuGet operations. | [Visual Studio](https://www.visualstudio.com/downloads/) | -| [Visual Studio for Mac](/visualstudio/mac/nuget-walkthrough) | On Mac, certain NuGet capabilities are built-in directly. Package Manager Console is not presently available. For other capabilities, use the `dotnet.exe` or `nuget.exe` CLI tools. | [Visual Studio for Mac](https://visualstudio.microsoft.com/vs/mac/) | -| [Visual Studio Code](https://code.visualstudio.com/docs) | On Windows, Mac, or Linux, NuGet capabilities are available through marketplace extensions, or use the `dotnet.exe` or `nuget.exe` CLI tools. | [Visual Studio Code](https://code.visualstudio.com/Download/)| +To get started using NuGet to consume packages, see the following articles: -The [MSBuild CLI](reference/msbuild-targets.md) also provides the ability to restore and create packages, which is primarily useful on build servers. MSBuild is not a general-purpose tool for working with NuGet. +- [Install and use a package (dotnet CLI)](quickstart/install-and-use-a-package-using-the-dotnet-cli.md) +- [Install and use a package (Visual Studio on Windows)](quickstart/install-and-use-a-package-in-visual-studio.md) -Package Manager Console commands work only within Visual Studio on Windows and do not work within other PowerShell environments. +To get started creating NuGet packages, see these articles: + +- [Create and publish a NET Standard package (dotnet CLI)](quickstart/create-and-publish-a-package-using-the-dotnet-cli.md) +- [Create and publish a NET Standard package (Visual Studio on Windows)](quickstart/create-and-publish-a-package-using-visual-studio.md) + +| Tool | Description | Download | +|---|---|---| +| [dotnet SDK](#dotnet-sdk) | The CLI tool for .NET Core and .NET Standard libraries, and for any [SDK-style project](resources/check-project-format.md) such as one that targets the .NET Framework. This CLI tool is included with the .NET Core SDK and provides core NuGet features on all platforms. In Visual Studio 2017 and later, the dotnet CLI is automatically installed with any .NET Core related workloads. | [.NET Core SDK](https://www.microsoft.com/net/download/) | +| [nuget.exe](#nugetexe-cli) | The CLI tool for .NET Framework libraries and for any [**non**-SDK-style project](resources/check-project-format.md) such as one that targets .NET Standard libraries. This CLI tool provides all NuGet capabilities on Windows and most features on Mac and Linux when running under [Mono](https://www.mono-project.com/docs/getting-started/install/). | [nuget.exe](https://dist.nuget.org/win-x86-commandline/latest/nuget.exe) | +| [Visual Studio](#visual-studio) | On Windows, the **NuGet Package Manager** is included with Visual Studio 2012 and later. Visual Studio provides the [Package Manager UI](consume-packages/install-use-packages-visual-studio.md) and the [Package Manager Console (PowerShell on Windows)](consume-packages/install-use-packages-powershell.md). You can use these tools to run most NuGet operations. | [Visual Studio](https://www.visualstudio.com/downloads/) | +| [Visual Studio for Mac](/visualstudio/mac/nuget-walkthrough) | On Mac, certain NuGet capabilities are built in directly. Package Manager Console isn't currently available. For other capabilities, use the dotnet SDK or `nuget.exe` CLI tools. | [Visual Studio for Mac](https://visualstudio.microsoft.com/vs/mac/) | +| [Visual Studio Code](https://code.visualstudio.com/docs) | On Windows, Mac, and Linux, NuGet capabilities are available through marketplace extensions, or use the dotnet SDK or `nuget.exe` CLI tools. | [Visual Studio Code](https://code.visualstudio.com/Download/) | + +> [!NOTE] +> Visual Studio for Mac is scheduled for retirement by August 31, 2024 in accordance with [Microsoft's Modern Lifecycle Policy](/lifecycle/policies/modern). For more information, see [What's happening to Visual Studio for Mac](/visualstudio/mac/what-happened-to-vs-for-mac). + +The [MSBuild CLI](reference/msbuild-targets.md) also restores and creates packages. MSBuild isn't a general-purpose tool for working with NuGet. This CLI tool is primarily useful on build servers. + +Package Manager Console commands work only within Visual Studio on Windows and don't work within other PowerShell environments. + +## Support policy + +The Visual Studio for Windows support policy can be found at [Visual Studio Product Lifecycle and Servicing](/visualstudio/productinfo/vs-servicing). + + +The most recent version of NuGet.exe is fully supported and can be relied on for bug fixes, updates, and enhancements. +For more information on NuGet.exe's support policy, see the [Microsoft Modern Lifecycle Policy](https://aka.ms/lifecycle). + + +The .NET SDK support policy can be found at [.NET and .NET Core Support Policy](https://dotnet.microsoft.com/platform/support/policy/dotnet-core). + +### Patch Releases + +Patched versions of NuGet.exe will be released exclusively when critical security fixes are required for a long-term support (LTS) version of Visual Studio or .NET SDK. + +All security bugs should be reported to the Microsoft Security Response Center (MSRC) at [MSRC's report page](https://aka.ms/opensource/security/create-report). +Also, see the [security policy in the NuGet.Client repo](https://github.com/NuGet/NuGet.Client/blob/dev/SECURITY.md). + +### NuGet.exe unlisting + +Out-of-support, deprecated, or vulnerable NuGet.exe versions will be removed from [tools.json](./api/tools-json.md). ## Visual Studio -### Install on Visual Studio 2017 and newer -Starting in Visual Studio 2017, the installer includes the NuGet Package Manager with any workload that employs .NET. To install separately, or to verify that the Package Manager is installed, run the Visual Studio installer and check the option under **Individual Components > Code tools > NuGet package manager**. -### Install on Visual Studio 2015 and older -NuGet Extensions for Visual Studio 2013 and 2015 can be downloaded from [https://dist.nuget.org/index.html](https://dist.nuget.org/index.html). +In Visual Studio 2017 and later, the Visual Studio installer includes the NuGet Package Manager with any workload that employs .NET. + +You can also install the Package Manager separately or verify your installation. Run the Visual Studio installer and check the option setting under **Individual Components > Code tools > NuGet package manager**. For more information, see [Install and manage packages in Visual Studio by using the NuGet Package Manager](consume-packages/install-use-packages-visual-studio.md). -For Visual Studio 2010 and earlier, install the "NuGet Package Manager for Visual Studio" extension. Note, if you can't see the extension in the first page of search results, try changing the Sort By dropdown to "Most Downloads", or an alphabetical sort. +> [!NOTE] +> For earlier versions of Visual Studio, you can download NuGet extensions at [https://dist.nuget.org/index.html](https://dist.nuget.org/index.html). ## CLI tools -You can use either the `dotnet` CLI or the `nuget.exe` CLI to support NuGet features in the IDE. The `dotnet` CLI is installed with some Visual Studio workloads, such as .NET Core. The `nuget.exe` CLI must be installed separately as described earlier. -The two NuGet CLI tools are `dotnet.exe` and `nuget.exe`. See [feature availability](#feature-availability) for a comparison. +You can use either the dotnet CLI or the `nuget.exe` CLI to support NuGet features in the Visual Studio IDE. The dotnet CLI is installed with some Visual Studio workloads, such as .NET Core. The `nuget.exe` CLI must be installed separately as described earlier. For a feature comparison of the tools, see the [feature availability](#feature-availability) section. -* To target .NET Core or .NET Standard, use the dotnet CLI. The `dotnet` CLI is required for the SDK-style project format, which uses the [SDK attribute](/dotnet/core/tools/csproj#additions). -* To target .NET Framework (non-SDK-style project only), use the `nuget.exe` CLI. If the project is migrated from `packages.config` to PackageReference, use the dotnet CLI. +- To target .NET Core or .NET Standard, use the dotnet SDK CLI tool. This CLI is required for the SDK-style project format, which uses the [SDK attribute](/dotnet/core/tools/csproj#additions). -### dotnet.exe CLI +- To target the .NET Framework (non-SDK-style project only), use the `nuget.exe` CLI tool. If the project is migrated from `packages.config` to PackageReference, use the dotnet SDK CLI tool instead. -The .NET Core 2.0 CLI, `dotnet.exe`, works on all platforms (Windows, Mac, and Linux) and provides core NuGet features such as installing, restoring, and publishing packages. `dotnet` provides direct integration with .NET Core project files (such as `.csproj`), which is helpful in most scenarios. `dotnet` is also built directly for each platform and does not require you to install Mono. +### dotnet SDK -Installation: +The dotnet SDK is the .NET Core 2.0 CLI tool, which works on all platforms (Windows, Mac, and Linux) and provides core NuGet features such as installing, restoring, and publishing packages. The dotnet CLI provides direct integration with .NET Core project files (such as `.csproj`), which is helpful in most scenarios. This CLI is also built directly for each platform and doesn't require installation of [Mono](https://www.mono-project.com/docs/getting-started/install/). -- On developer computers, install the [.NET Core SDK](https://aka.ms/dotnetcoregs). Starting in Visual Studio 2017, the dotnet CLI is automatically installed with any .NET Core related workloads. -- For build servers, follow the instructions on [Using .NET Core SDK and tools in Continuous Integration](/dotnet/core/tools/using-ci-with-cli). +#### Install the dotnet SDK -To learn how to use basic commands with the dotnet CLI, see [Install and use packages using the dotnet CLI](consume-packages/install-use-packages-dotnet-cli.md). +- On developer computers, install the [.NET Core SDK](https://aka.ms/dotnetcoregs). In Visual Studio 2017 and later, the dotnet CLI is automatically installed with any .NET Core related workloads. -### nuget.exe CLI +- For build servers, follow the instructions to [Use the .NET Core SDK and tools in continuous integration](/dotnet/core/tools/using-ci-with-cli). -The `nuget.exe` CLI, `nuget.exe`, is the command-line utility for Windows that provides all NuGet capabilities; it can also be run on Mac OSX and Linux using [Mono](https://www.mono-project.com/docs/getting-started/install/) with some limitations. +To learn how to use basic commands with the dotnet SDK CLI tool, see [Install and manage NuGet packages with the dotnet CLI](consume-packages/install-use-packages-dotnet-cli.md). -To learn how to use basic commands with the `nuget.exe` CLI, see [Install and use packages using the nuget.exe CLI](consume-packages/install-use-packages-nuget-cli.md). +### nuget.exe CLI -Installation: +The NuGet CLI, `nuget.exe`, is the command-line utility for Windows that provides all NuGet capabilities. This CLI can also run on Mac OSX and Linux by using [Mono](https://www.mono-project.com/docs/getting-started/install/) with some limitations. -[!INCLUDE [install-cli](includes/install-cli.md)] +To learn how to use basic commands with the `nuget.exe` CLI tool, see [Manage NuGet packages with the nuget.exe CLI](consume-packages/install-use-packages-nuget-cli.md). -> [!Tip] -> Use `nuget update -self` on Windows to update an existing nuget.exe to the latest version. +#### Install nuget.exe -> [!Note] -> The latest recommended NuGet CLI is always available at `https://dist.nuget.org/win-x86-commandline/latest/nuget.exe`. For compatibility purposes with older continuous integration systems, a previous URL, `https://nuget.org/nuget.exe` currently provides the [deprecated 2.8.6 CLI tool](https://github.com/NuGet/NuGetGallery/issues/5381). +[!INCLUDE [install-cli](includes/install-cli.md)] ## Feature availability +The following table compares the available features for the dotnet and `nuget.exe` CLI tools for supported platforms. + | Feature | dotnet CLI | nuget CLI (Windows) | nuget CLI (Mono) | Visual Studio (Windows) | Visual Studio for Mac | | --- | --- | --- | --- | --- | --- | -| Search packages | | ✔ | ✔ | ✔ | ✔ | -| Install/uninstall packages | ✔ | ✔(1) | ✔ | ✔ | ✔ | +| Search packages | ✔ | ✔ | ✔ | ✔ | ✔ | +| Install/uninstall packages | ✔ | ✔ (1) | ✔ | ✔ | ✔ | | Update packages | ✔ | ✔ | | ✔ | ✔ | -| Restore packages | ✔ | ✔ | ✔(2) | ✔ | ✔ | -| Manage package feeds (sources) | | ✔ | ✔ | ✔ | ✔ | +| Restore packages | ✔ | ✔ | ✔ (2) | ✔ | ✔ | +| Manage package feeds (sources) | ✔ | ✔ | ✔ | ✔ | ✔ | | Manage packages on a feed | ✔ | ✔ | ✔ | | | | Set API keys for feeds | | ✔ | ✔ | | | -| Create packages(3) | ✔ | ✔ | ✔(4) | ✔ | | +| Create packages (3) | ✔ | ✔ | ✔ (4) | ✔ | | | Publish packages | ✔ | ✔ | ✔ | ✔ | | -| Replicate packages | | ✔ | ✔ | | | +| Replicate packages | | ✔ | ✔ | | | | Manage *global-package* and cache folders | ✔ | ✔ | ✔ | | | -| Manage NuGet configuration | | ✔ | ✔ | | | - -(1) Does not affect project files; use `dotnet.exe` instead. +| Manage NuGet configuration | ✔ | ✔ | ✔ | | | -(2) Works only with `packages.config` file and not with solution (`.sln`) files. +**Feature notes** -(3) Various advanced package features are available through the CLI only as they aren't represented in the Visual Studio UI tools. +- (1) Doesn't affect project files. Use the dotnet SDK CLI tool instead. +- (2) Works only with `packages.config` file and not with solution (`.sln`) files. +- (3) Various advanced package features are available through the CLI only as they aren't represented in the Visual Studio UI tools. +- (4) Works with `.nuspec` files but not with project files. -(4) Works with `.nuspec` files but not with project files. +## Upcoming features -## Upcoming Features -If you'd like to preview upcoming NuGet features, install a [Visual Studio Preview](https://www.visualstudio.com/vs/preview/), which works side-by-side with stable releases of Visual Studio. To report problems or share ideas for previews, open an issue on the [NuGet GitHub repository](https://github.com/Nuget/Home/issues). +If you want to preview upcoming NuGet features, install a [Visual Studio Preview](https://www.visualstudio.com/vs/preview/), which works side-by-side with stable releases of Visual Studio. To report problems or share ideas for previews, open an issue on the [NuGet GitHub repository](https://github.com/Nuget/Home/issues). -### Related topics +## Related articles -- [Install and manage packages using Visual Studio](consume-packages/install-use-packages-visual-studio.md) -- [Install and manage packages using PowerShell](consume-packages/install-use-packages-powershell.md) -- [Install and manage packages using dotnet CLI](consume-packages/install-use-packages-dotnet-cli.md) -- [Install and manage packages using nuget.exe CLI](consume-packages/install-use-packages-nuget-cli.md) +- [Install and manage packages by using Visual Studio](consume-packages/install-use-packages-visual-studio.md) +- [Install and manage packages by using the dotnet CLI](consume-packages/install-use-packages-dotnet-cli.md) +- [Install and manage packages by using the nuget.exe CLI](consume-packages/install-use-packages-nuget-cli.md) +- [Install and manage packages by using PowerShell](consume-packages/install-use-packages-powershell.md) +- [Create a package by using the nuget.exe CLI](create-packages/creating-a-package.md) +- [Publish NuGet packages](nuget-org/publish-a-package.md) - [Package Manager Console PowerShell reference](reference/powershell-reference.md) -- [Creating a package](create-packages/creating-a-package.md) -- [Publishing a Package](nuget-org/publish-a-package.md) -Developers working on Windows can also explore the [NuGet Package Explorer](https://github.com/NuGetPackageExplorer/NuGetPackageExplorer), an open-source, stand-alone tool to visually explore, create, and edit NuGet packages. It's very helpful, for example, to make experimental changes to a package structure without rebuilding the package. +Developers working on Windows can also explore the [NuGet Package Explorer](https://github.com/NuGetPackageExplorer/NuGetPackageExplorer). This application is an open-source standalone tool that lets you visually explore, create, and edit NuGet packages. It's helpful for many scenarios, such as making experimental changes to a package structure without rebuilding the package. diff --git a/docs/nuget-org/Deprecate-packages.md b/docs/nuget-org/Deprecate-packages.md index c9189ce99..e3a365978 100644 --- a/docs/nuget-org/Deprecate-packages.md +++ b/docs/nuget-org/Deprecate-packages.md @@ -4,7 +4,7 @@ description: Detailed description on the process of deprecating packages and how author: anangaur ms.author: anangaur ms.date: 09/23/2019 -ms.topic: conceptual +ms.topic: how-to ms.reviewer: karann-msft --- diff --git a/docs/nuget-org/Publish-a-package.md b/docs/nuget-org/Publish-a-package.md index b2df93f56..3dfe32091 100644 --- a/docs/nuget-org/Publish-a-package.md +++ b/docs/nuget-org/Publish-a-package.md @@ -4,7 +4,7 @@ description: See detailed instructions about how to publish a NuGet package and author: JonDouglas ms.author: jodou ms.date: 8/29/2022 -ms.topic: conceptual +ms.topic: how-to ms.reviewer: anangaur --- @@ -79,6 +79,21 @@ You can push packages to nuget.org with Azure Pipelines as part of your continuo To submit a signed package, you must first [register the certificate](../create-packages/Sign-a-Package.md#register-the-certificate-on-nugetorg) you used to sign the package. If you don't meet the [signed package requirements](../reference/Signed-Packages-Reference.md#signature-requirements-on-nugetorg), nuget.org rejects the package. +### Package size limits + +Nuget.org has a package size limit of about 250 MB. When a package exceeding that limit is uploaded the following error is displayed: + +> The package file exceeds the size limit. Please try again. + +If such package is pushed from the command line, the following output is produced: + +```text + RequestEntityTooLarge https://www.nuget.org/api/v2/package/ 13903ms +error: Response status code does not indicate success: 413 (The package file exceeds the size limit. Please try again.). +``` + +If you are getting this errors consider revising the package content to reduce its size. If you are packing debug symbols into your package consider publishing them [separately](../create-packages/Symbol-Packages-snupkg.md). Other assets can be published separately as one or more dependency packages to spread them into smaller chunks. + ## Package validation and indexing Packages pushed to nuget.org undergo several validations, such as virus checks, and existing packages are periodically scanned. When the package passes all validation checks, it might take awhile to be indexed and appear in search results. While the package is being indexed, it appears under **Unlisted Packages**, and you see the following message on the package page: diff --git a/docs/nuget-org/TOC.md b/docs/nuget-org/TOC.md index b102dd1e7..4c01db05f 100644 --- a/docs/nuget-org/TOC.md +++ b/docs/nuget-org/TOC.md @@ -8,6 +8,7 @@ ## [Package ID prefix reservation](id-prefix-reservation.md) ## [Package deprecation](deprecate-packages.md) ## [Package readme](package-readme-on-nuget-org.md) +## [Package sponsorship](package-sponsorship-on-nuget-org.md) # Policies ## [Data Requests](policies/Data-requests.md) ## [Dispute resolution](policies/dispute-resolution.md) diff --git a/docs/nuget-org/individual-accounts.md b/docs/nuget-org/individual-accounts.md index a1a1b95a7..f45e1b841 100644 --- a/docs/nuget-org/individual-accounts.md +++ b/docs/nuget-org/individual-accounts.md @@ -4,7 +4,8 @@ description: Individual acccounts on NuGet.org are required to publish packages author: mikejo5000 ms.author: mikejo ms.date: 06/05/2019 -ms.topic: conceptual +ms.topic: article +ms.custom: sfi-image-nochange --- # Individual accounts on NuGet.org diff --git a/docs/nuget-org/licenses.nuget.org.md b/docs/nuget-org/licenses.nuget.org.md index 735955e00..f1c85a295 100644 --- a/docs/nuget-org/licenses.nuget.org.md +++ b/docs/nuget-org/licenses.nuget.org.md @@ -1,7 +1,10 @@ --- title: licenses.nuget.org +description: Protocol and display information for licenses.nuget.org. Describes the SPDX data source and rationale. author: agr -ms.date: 02/22/2019 +ms.author: angrigor +ms.date: 03/02/2023 +ms.topic: article --- # licenses.nuget.org @@ -18,6 +21,18 @@ specify their license using a license expression. `nuget pack` or packing with o the [`licenseUrl`](../reference/nuspec.md#licenseurl) element to point to licenses.nuget.org to provide backwards compatibility with older clients that don't support the `license` element. +## License and exception text + +The license and license exception information displayed on licenses.nuget.org is copied from the SPDX project's [license list data repository](https://github.com/spdx/license-list-data). The format that the information is displayed closely mimics the format used by the SPDX website itself, e.g. see [MIT on licenses.nuget.org](https://licenses.nuget.org/MIT) and [MIT on SPDX.org](https://spdx.org/licenses/MIT.html). + +Licenses that are not approved by Open Source Initiative or the Free Software Foundation are not hosted on licenses.nuget.org and are excluded. + +Several styles in addition to plain text are used in the display of the license. According to the [SPDX license list data FAQ](https://github.com/spdx/license-list-XML/blob/main/DOCS/faq.md#what-does-the-blue-text-and-red-text-mean-in-the-license-list-entry), red text is considered replaceable and blue text is considered omitable. For more generally information about the SPDX license list data, see their [FAQ](https://github.com/spdx/license-list-XML/blob/main/DOCS/faq.md) and the [SPDX license template specification](https://spdx.github.io/spdx-spec/v2.3/license-matching-guidelines-and-templates/). + +Note that the data is copied from SPDX to licenses.nuget.org by the nuget.org on an ad hoc basis. If a license identifier is approved by the Open Source Initiative or the Free Software Foundation but does not appear on licenses.nuget.org, please [report an issue](https://github.com/NuGet/NuGetGallery/issues/new/choose), and the nuget.org team work to update licenses.nuget.org and nuget.org package upload validation with the latest data from SPDX. + +If you, as a package author, are not satisfied with the shared license text available on licenses.nuget.org, you can consider using [embedded license text](../reference/nuspec.md#license) (``) instead of a license expression for your NuGet package. This allows you to fully customize your licensing terms and include the customized text within the package. + ## Protocol Licenses.nuget.org is intended to be viewed by people in their browsers, no machine-readable responses are provided. @@ -40,7 +55,7 @@ licenses.nuget.org. | (LGPL-2.0-only WITH FLTK-exception OR Apache-2.0+) | | The service supports only license identifiers and license exception identifiers that are accepted by -nuget.org. All license expressions that contain unsupported license identifiers +nuget.org. Notably, this means only license identifiers that are approved by the Open Source Initiative or the Free Software Foundation will be accepted. All license expressions that contain unsupported license identifiers or license exception identifiers or that does not conform to license expression syntax are considered invalid. @@ -74,4 +89,4 @@ license exception identifier may present in the path portion of the URL. Licenses.nuget.org responds to a request with a known license exception identifier with a HTTP 200 response and a web page containing the reference text for the specified license exception. -Any request containing an unsupported license exception identifier results in an HTTP 404 response. \ No newline at end of file +Any request containing an unsupported license exception identifier results in an HTTP 404 response. diff --git a/docs/nuget-org/media/nuget-org-permissions.png b/docs/nuget-org/media/nuget-org-permissions.png index 024b5ecce..6ab466f4d 100644 Binary files a/docs/nuget-org/media/nuget-org-permissions.png and b/docs/nuget-org/media/nuget-org-permissions.png differ diff --git a/docs/nuget-org/media/nuget-org-register-2fa.png b/docs/nuget-org/media/nuget-org-register-2fa.png deleted file mode 100644 index eadbdcb64..000000000 Binary files a/docs/nuget-org/media/nuget-org-register-2fa.png and /dev/null differ diff --git a/docs/nuget-org/media/nuget-org-register.png b/docs/nuget-org/media/nuget-org-register.png index b159da110..bed06b459 100644 Binary files a/docs/nuget-org/media/nuget-org-register.png and b/docs/nuget-org/media/nuget-org-register.png differ diff --git a/docs/nuget-org/media/sponsorship-add-link.png b/docs/nuget-org/media/sponsorship-add-link.png new file mode 100644 index 000000000..3274427db Binary files /dev/null and b/docs/nuget-org/media/sponsorship-add-link.png differ diff --git a/docs/nuget-org/media/sponsorship-button-package-details-page.png b/docs/nuget-org/media/sponsorship-button-package-details-page.png new file mode 100644 index 000000000..a01f0644f Binary files /dev/null and b/docs/nuget-org/media/sponsorship-button-package-details-page.png differ diff --git a/docs/nuget-org/media/sponsorship-display-links.png b/docs/nuget-org/media/sponsorship-display-links.png new file mode 100644 index 000000000..c959b3972 Binary files /dev/null and b/docs/nuget-org/media/sponsorship-display-links.png differ diff --git a/docs/nuget-org/media/sponsorship-link-error-manage-package.png b/docs/nuget-org/media/sponsorship-link-error-manage-package.png new file mode 100644 index 000000000..8862f267a Binary files /dev/null and b/docs/nuget-org/media/sponsorship-link-error-manage-package.png differ diff --git a/docs/nuget-org/media/sponsorship-section-manage-package-page.png b/docs/nuget-org/media/sponsorship-section-manage-package-page.png new file mode 100644 index 000000000..7f9acd289 Binary files /dev/null and b/docs/nuget-org/media/sponsorship-section-manage-package-page.png differ diff --git a/docs/nuget-org/media/trusted-publishing.png b/docs/nuget-org/media/trusted-publishing.png new file mode 100644 index 000000000..8cd0ecfbf Binary files /dev/null and b/docs/nuget-org/media/trusted-publishing.png differ diff --git a/docs/nuget-org/media/unmanaged-aad-tenant.png b/docs/nuget-org/media/unmanaged-aad-tenant.png index 03e74d160..166896024 100644 Binary files a/docs/nuget-org/media/unmanaged-aad-tenant.png and b/docs/nuget-org/media/unmanaged-aad-tenant.png differ diff --git a/docs/nuget-org/nuget-org-faq.yml b/docs/nuget-org/nuget-org-faq.yml index 261a6ba55..0a8f1bf36 100644 --- a/docs/nuget-org/nuget-org-faq.yml +++ b/docs/nuget-org/nuget-org-faq.yml @@ -5,7 +5,8 @@ metadata: author: shishirx34 ms.author: shishirh ms.date: 06/05/2019 - ms.topic: conceptual + ms.topic: faq + ms.custom: sfi-image-nochange title: NuGet.org frequently-asked questions summary: | @@ -60,33 +61,55 @@ sections: It is possible to share dependencies between multiple packages, making the total download size for consumers of your NuGet packages smaller. Dependencies are mostly static and never change. When fixing a bug in code, the dependencies may not need to be updated. If you bundle dependencies, you end up reshipping larger packages every time. By splitting NuGet packages into related dependencies, upgrades are much more fine-grained for consumers of your package. - + - name: NuGet.org not accessible questions: - - question: Why can't I download packages from or upload packages to NuGet.org? + - question: What SSL/TLS version and cipher suites does NuGet.org support? answer: | - First, make sure you're using the latest versions of NuGet. If that version continues to fail, [contact support](https://www.nuget.org/policies/Contact) and provide additional connection troubleshooting information including: - - - The version of NuGet you're using + NuGet.org supports TLS 1.2 and the following cipher suites: + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 + - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + + - question: Why can't I restore packages from NuGet.org? + answer: | + If you meet transient failures when restoring packages from NuGet.org, we suggest you: + - use the latest versions of NuGet clients with a better resilience support. + - use environment variables of NuGet clients to enhance the retry policy on CI machines. + + | Environment Variable | Description | Remarks | + | --- | --- | --- | + | NUGET_ENHANCED_MAX_NETWORK_TRY_COUNT | Configures the maximum number of times an HTTP connection should be retried when enhanced retries are enabled. | A number representing how many retries to perform, the default value is `6`. | + | NUGET_ENHANCED_NETWORK_RETRY_DELAY_MILLISECONDS | Configures the amount of time to wait in milliseconds before retrying an HTTP connection when enhanced retries are enabled. | Number of milliseconds to wait, the default value is `1000`. | + + > [!Note] + > These environment variables are available since [.NET CLI](https://learn.microsoft.com/nuget/reference/dotnet-commands) (.NET SDK) 6.0.100, [NuGet CLI](https://learn.microsoft.com/nuget/reference/nuget-exe-cli-reference) 6.0, Visual Studio 2022 version 17.0 and corresponding MSBuild version. See [NuGet Release Notes](https://learn.microsoft.com/nuget/release-notes/). + + > [!Important] + > NuGet.org recommends Alpine Linux users to upgrade to Alpine Linux 3.18.0 or newer. These versions support TCP fallback in the DNS resolver. If you use older versions of Alpine Linux that only support DNS over UDP, you may encounter DNS failures when accessing the [V3 API](https://learn.microsoft.com/nuget/nuget-org/overview-nuget-org#api-endpoint-for-nugetorg). + + If that version of NuGet client continues to fail, [contact support](https://www.nuget.org/policies/Contact) and provide additional connection troubleshooting information including: + - !!! Your geographical area - The package sources you're using + - The version of NuGet client you're using - A restore log with detailed verbosity - MTR or a Fiddler traces (see below) - - Your geographical area - Whether your machine is behind a proxy or firewall? - Is your machine located on a cloud providers' data center (Azure, AWS etc)? If yes, please provide the name of the provider and the region. - + *To capture MTR:* - + - Download [WinMTR](https://sourceforge.net/projects/winmtr/files/WinMTR-v092.zip/download). - Enter `api.nuget.org` as the hostname and click **Start**. - Wait until the **Sent** column is >= 100. - + ![Capturing MTR](media/mtr.png) - + - Copy text to clipboard. - + *To capture Fiddler:* - + - Install the latest version of [Fiddler](https://www.telerik.com/download/fiddler). - Start Fiddler and disable capturing traffic using the **File > Capture Traffic** menu. - Remove all sessions (select all items in the list, press the **Delete** key). @@ -95,11 +118,11 @@ sections: - Enable the **File > Capture Traffic** menu. - Start Visual Studio or nuget.exe .exe and perform the actions that are not working. The traffic generated by these actions should show up in Fiddler. - Once the actions have run, use **File > Save > All Sessions** to store the captured sessions. - + Note: it may be required to set the `HTTP_PROXY` environment variable to `http://127.0.0.1:8888` for routing NuGet traffic through Fiddler. - + If that fails, try the [tips mentioned in this StackOverflow post](https://stackoverflow.com/questions/21049908/using-fiddler-to-sniff-visual-studio-2013-requests-proxy-firewall). - + - name: NuGet.org account management questions: - question: How to recover NuGet.org password login? @@ -207,11 +230,18 @@ sections: - question: How do I change my NuGet.org account username? answer: | - You cannot. As a matter of policy we do not allow the change of usernames. Also, doing so is a breaking change for users that may have defined [package trust policies based on the package owner](../consume-packages/installing-signed-packages.md#trust-package-owners). The only way to change your username is to create a new account with the desired username. We recommend you delete your existing account before you create a new one, otherwise you will not be able to reuse your registered Microsoft account. + You can request a username change by sending an email to [support@nuget.org](mailto:support@nuget.org) from the email address that is attached to the account you want to update. + Be sure to include the old username and the new username you would like to change to. + We will then review your request and, upon approval, get confirmation from you that we are about to take the correct action and that you understand the consequences. + Once you have confirmed, we will change your username. + > [!Important] - > Deleting the user will still **reserve** the `username`. You will not be able to reuse the same username again and **this includes the change of casings**. As an example if you created a user with username `mycoolname` and you want to change this to `MyCoolName`(casing changes), it will not be possible after deleting the user. - - Follow the steps given in [delete your NuGet.org account](#how-to-delete-my-nuget-org-account) section and to [register a new account](individual-accounts.md) with correct username. + > - The old username will still be **reserved**. You will not be able to reuse the old username again and **this includes the change of casings**. + > - As a consequence of the above, we will not be able to revert this change either. + > - Any links to your old username profile page (e.g. ```https://www.nuget.org/profiles/OldUsername```) will not be redirected to your new profile. + > - Package versions currently owned by your account will still contain the old username in the repository signature. New package versions will contain the new username. + > - Any author-provided metadata in the existing package versions referring to the old username or other identifying information will not be changed. + > - NuGet client policies asserting trust of your old username will not implicitly trust packages published by your new username. Package consumers with these client policies configured will need to manual update them to trust your new username when they attempt to update to a newly published package version. - question: How to delete my NuGet.org account? answer: | @@ -232,3 +262,10 @@ sections: 2. Click on this url: [https://www.nuget.org/account/delete](https://www.nuget.org/account/delete) and follow the steps to submit the request for deleting the account. Our customer support will process this request and perform the account deletion. + + - question: What happens to my NuGet.org account when my Microsoft account gets deleted? + answer: | + When the Microsoft or Azure Active Directory account you use to sign in to your nuget.org account is deleted, your nuget.org account will be deleted as well. The account delete action is completed by the nuget.org customer support within 30 days from the date of the Microsoft account deletion. + + If you have packages associated with your account, we will notify you 3 business days before proceeding with deletion and offer assistance to transfer the packages to a different nuget.org account. + diff --git a/docs/nuget-org/organizations-on-nuget-org.md b/docs/nuget-org/organizations-on-nuget-org.md index 4129a65e9..36a65d2d3 100644 --- a/docs/nuget-org/organizations-on-nuget-org.md +++ b/docs/nuget-org/organizations-on-nuget-org.md @@ -4,10 +4,11 @@ description: Organizations on NuGet.org helps you to manage packages published b author: anangaur ms.author: anangaur ms.date: 04/10/2018 -ms.topic: conceptual +ms.topic: article ms.reviewer: - kraigb - camsoper +ms.custom: sfi-image-nochange --- # Your organization on NuGet.org @@ -101,4 +102,4 @@ You can delete an organization account by clicking the **Delete** button shown i ![Deleting an organization](media/org-delete-option.png) -To delete the organizaiton, you must confirm it by clicking the **Delete organization** confirmation button. +To delete the organization, you must confirm it by clicking the **Delete organization** confirmation button. diff --git a/docs/nuget-org/overview-nuget-org.md b/docs/nuget-org/overview-nuget-org.md index f0ac5eed3..aa160a850 100644 --- a/docs/nuget-org/overview-nuget-org.md +++ b/docs/nuget-org/overview-nuget-org.md @@ -4,7 +4,7 @@ description: Overview of NuGet.org author: mikejo5000 ms.author: mikejo ms.date: 06/05/2019 -ms.topic: conceptual +ms.topic: concept-article --- # Overview of NuGet.org @@ -33,6 +33,10 @@ Once you have a NuGet package (*.nupkg* file) to publish, you publish it to NuGe When you [publish a package](../create-packages/creating-a-package.md), you include the API key value in the CLI command. +## Trusted publishing + +NuGet.org supports [Trusted Publishing](trusted-publishing.md), which is a secure and streamlined way to publish NuGet packages. + ## ID prefixes When you publish packages, you can reserve and protect your identity by [reserving ID prefixes](id-prefix-reservation.md). When installing a package, package consumers are provided with additional information indicating that the package they are consuming is not deceptive in its identifying properties. diff --git a/docs/nuget-org/package-readme-on-nuget-org.md b/docs/nuget-org/package-readme-on-nuget-org.md index c49751501..f4ecd173c 100644 --- a/docs/nuget-org/package-readme-on-nuget-org.md +++ b/docs/nuget-org/package-readme-on-nuget-org.md @@ -4,7 +4,7 @@ description: Detailed explanation of how readme files on NuGet.org are rendered author: nkolev92 ms.author: nikolev ms.date: 08/31/2022 -ms.topic: conceptual +ms.topic: article ms.reviewer: anangaur --- @@ -27,8 +27,44 @@ Consider including the following items in your readme: * Where and how to leave feedback such as link to the project issues, Twitter, bug tracker, or other platform. * How to contribute, if applicable. +For example, you can start with this package README template: + +```text +# Package readme title, e.g., display name or title of the package (optional) + +Start with a clear and concise description: A brief overview of what your package is and does, also what problem it solves. + +## Getting started + +Explain how to use your package, provide clear and concise getting started instructions, including any necessary steps. + +### Prerequisites + +What are specific minimum requirements to use your packages? Consider excluding this section if your package works without any additional setup beyond simple package installation. + +## Usage + +Examples about how to use your package by providing code snippets/example images, or samples links on GitHub if applicable. + +- Provide sample code using code snippets +- Include screenshots, diagrams, or other visual help users better understand how to use your package + +## Additional documentation + +Provide links to more resources: List links such as detailed documentation, tutorial videos, blog posts, or any other relevant documentation to help users get the most out of your package. + +## Feedback + +Where and how users can leave feedback? + +- Links to a GitHub repository where could open issues, Twitter, a Discord channel, bug tracker, or other platforms where a package consumer can connect with the package author. +``` + Keep in mind, high quality readmes can come in a wide variety of formats, shapes, and sizes! If you already have a package available on NuGet.org, chances are that you already have a `readme.md` or other documentation file in your repository that would be a great addition to your NuGet.org details page. +> [!Note] +> Read through our [blog on writing a high-quality README](https://devblogs.microsoft.com/nuget/write-a-high-quality-readme-for-nuget-packages/) for some best practices. + ## Preview your readme To preview your readme file before it's live on NuGet.org, upload your package using the [Upload Package web portal on NuGet.org](/nuget/nuget-org/publish-a-package#web-portal-use-the-upload-package-tab-on-nugetorg) and scroll down to the "Readme File" section of the metadata preview. It should look something like this: @@ -41,35 +77,35 @@ Consider taking time to review and preview your readme file for [image complianc Due to security and privacy concerns, NuGet.org restricts the domains from which images and badges can be rendered to trusted hosts. NuGet.org allows all images, including badges, from the following trusted domains to be rendered: -* api.bintray.com * api.codacy.com -* app.codacy.com * api.codeclimate.com * api.dependabot.com -* api.travis-ci.com -* api.travis-ci.org * api.reuse.software -* app.fossa.com -* app.fossa.io -* badge.fury.io +* api.travis-ci.com +* app.codacy.com +* app.deepsource.com +* avatars.githubusercontent.com * badgen.net * badges.gitter.im -* bettercodehub.com -* buildstats.info * camo.githubusercontent.com +* caniuse.bitsofco.de * cdn.jsdelivr.net * cdn.syncfusion.com * ci.appveyor.com * circleci.com +* cloudback.it * codecov.io * codefactor.io * coveralls.io * dev.azure.com +* flat.badgen.net * github.com/.../workflows/.../badge.svg * gitlab.com -* img.shields.io * i.imgur.com +* img.shields.io +* infragistics.com * isitmaintained.com +* media.githubusercontent.com * opencollective.com * raw.github.com * raw.githubusercontent.com @@ -98,3 +134,4 @@ NuGet.org currently supports the following Markdown features: * [Emojis](https://github.com/xoofx/markdig/blob/master/src/Markdig.Tests/Specs/EmojiSpecs.md) * [Auto-links](https://github.com/xoofx/markdig/blob/master/src/Markdig.Tests/Specs/AutoLinks.md) +We also support syntax highlighting, You can add an language identifier to enable syntax highlighting in your code spans. diff --git a/docs/nuget-org/package-sponsorship-on-nuget-org.md b/docs/nuget-org/package-sponsorship-on-nuget-org.md new file mode 100644 index 000000000..af1f6e111 --- /dev/null +++ b/docs/nuget-org/package-sponsorship-on-nuget-org.md @@ -0,0 +1,118 @@ +--- +title: Package sponsorship on NuGet.org +description: Learn how to add sponsorship links to your NuGet packages and support package maintainers through NuGet.org's sponsorship feature. +author: pranathibora14 +ms.author: prabora +ms.date: 10/15/2025 +ms.topic: how-to +ai-usage: ai-generated +--- + +# Package sponsorship on NuGet.org + +The NuGet.org sponsorship feature makes it easier for package consumers to recognize and support the authors behind their favorite packages. + +NuGet.org enables package authors to add sponsorship URLs to their packages. These links appear when the "Sponsor" button on the package details page is selected. + + +## Setting up sponsorship for package publishers + +### Prerequisites + +- You must be the owner or co-owner of a package on NuGet.org +- Your sponsorship link platform must be from the approved list: + - GitHub Sponsors + - Patreon + - Open Collective + - Ko-fi + - Tidelift + - Liberapay + +### Navigate to your package management page + +1. Go to [NuGet.org](https://nuget.org) and sign in to your account. +2. Select your username in the top right corner. +3. Select **Manage Packages** from the dropdown menu. +4. Find the package you want to add sponsorship information for and select the edit button. + +### Access sponsorship settings + +1. On your package management page, scroll down to find the **Sponsorship Links** section. +2. Select to expand the collapsible **Sponsorship Links** section. +3. You'll see a form where you can add sponsorship URLs. + + ![Screenshot of the manage package page with the Sponsorship Links section](media/sponsorship-section-manage-package-page.png) + +### Add your sponsorship URLs + +1. Enter your sponsorship URL in the text field: + - Example: `https://github.com/sponsors/yourusername` + - Example: `https://www.patreon.com/yourusername` + + ![Screenshot of the sponsorship URL form with example URL filled in](media/sponsorship-add-link.png) + +2. Select the **Add** button. +3. The system automatically validates that your URL is from an approved platform. +4. If any URLs are invalid or from non-approved platforms, you'll see error messages to correct them. Otherwise, you'll see a confirmation message that your sponsorship link has been saved. + + ![Screenshot of a URL from a platform that is not approved](media/sponsorship-link-error-manage-package.png) + +5. Each added sponsorship URL will have a **Remove** button next to it if you need to delete it. +6. You can add up to 10 different sponsorship URLs per package ID. + +### Verify your sponsorship URLs display correctly + +1. Navigate to your package's public page on NuGet.org. +2. Look for the **Sponsor** button in the package details **About** section. +3. Select the **Sponsor** button to test that your URLs appear correctly in the popup. + + ![Screenshot of a package details page with the sponsorship links popup open](media/sponsorship-display-links.png) + +## Finding and supporting packages + +### Identify packages that need sponsorship + +1. Browse to any package page on NuGet.org. +2. Look for packages displaying a **Sponsor** button in the package details section. +3. The **Sponsor** button indicates that the package maintainer is seeking financial support. + + ![Screenshot of a package details page with a Sponsor button](media/sponsorship-button-package-details-page.png) + +### View available sponsorship options + +1. Select the **Sponsor** button on the package page. +2. A popup window appears showing all available sponsorship links for that package. + + ![Screenshot of a package details page with the sponsorship links popup open](media/sponsorship-display-links.png) + +### Choose your preferred sponsorship platform + +1. Review the available sponsorship options in the popup. +2. Select your preferred platform to be redirected to the external sponsorship page. +3. The link opens in a new tab or window, keeping the NuGet package page open. + +> [!IMPORTANT] +> These links take you to third-party platforms. Microsoft isn't affiliated with or responsible for the content or practices of third-party platforms, and we don't endorse them. Microsoft reserves the right to remove any allowed third-party platforms. + +## Frequently asked questions + +**Can I add sponsorship information to older versions of my package?** + +Yes! Sponsorship information is managed at the package ID level, so it automatically applies to all versions of your package, including previously published versions. + +**What happens if my sponsorship platform URL changes?** + +You can update your sponsorship URLs anytime through the package management page. Changes take effect immediately across all versions. + +**Can I see analytics on how many people selected my sponsorship links?** + +No, NuGet.org doesn't track sponsorship link selections. You'll need to check analytics on your sponsorship platform directly. + +**Can I add custom sponsorship platforms not on the approved list?** + +Currently, only the approved list of platforms is supported. This helps ensure security and legitimacy of sponsorship links. If you'd like to request a new platform to be added to the approved list, you can open an issue on the [NuGet Gallery repository](https://github.com/NuGet/NuGetGallery/issues). + +**Does NuGet.org store my financial information?** + +No personal or financial data is stored by NuGet.org. All transactions occur on secure external platforms that a maintainer chooses for sponsoring their packages. + diff --git a/docs/nuget-org/policies/data-requests.md b/docs/nuget-org/policies/data-requests.md index 57cab4356..9c29231ef 100644 --- a/docs/nuget-org/policies/data-requests.md +++ b/docs/nuget-org/policies/data-requests.md @@ -4,7 +4,7 @@ description: Policies for requesting user data export and delete author: JonDouglas ms.author: jodou ms.date: 05/01/2018 -ms.topic: conceptual +ms.topic: article --- # User Data Requests diff --git a/docs/nuget-org/policies/deleting-packages.md b/docs/nuget-org/policies/deleting-packages.md index 3a5502206..9e99d39ab 100644 --- a/docs/nuget-org/policies/deleting-packages.md +++ b/docs/nuget-org/policies/deleting-packages.md @@ -4,7 +4,7 @@ description: Policies for unlisting packages from nuget.org; permanent deletion author: JonDouglas ms.author: jodou ms.date: 01/18/2018 -ms.topic: conceptual +ms.topic: how-to --- # Deleting packages @@ -30,6 +30,7 @@ Packages that meet any of the following criteria are not allowed on the public N - Contains illegal content. - Are being used to squat on package identifiers, including packages that have zero productive content. Packages must contain code or the owners must concede the identifier to someone who actually has a product to ship. - Attempt to make the gallery do something that it's not explicitly designed to do. +- Violates the [nuget.org Terms of Use or Code of Conduct](https://www.nuget.org/policies/Terms) in any way. Terms such as "unexpected", "discriminatory", "hateful", and "abusive" are evaluated and decided at the sole discretion of the NuGet team. If you find a package that is in violation of any of these items, click the **Report Abuse** link on the package details page and submit a report. @@ -45,6 +46,6 @@ Steps to unlist a package: 1. Expand the "Listing" section and select the package version 1. Uncheck “List in search results” and select "Save" -The specific package version has now been unlisted. In order to verify this, logout of your account and navigate to the package page (without the version part) e.g.: https://www.nuget.org/packages/YOUR-PACKAGE-NAME/. You will see all versions of that package that have **not** been unlisted. However, the package owner, when logged in, can see all versions and their listing status. +The specific package version has now been unlisted. In order to verify this, logout of your account and navigate to the package page (without the version part) e.g.: ```https://www.nuget.org/packages/YOUR-PACKAGE-NAME/```. You will see all versions of that package that have **not** been unlisted. However, the package owner, when logged in, can see all versions and their listing status. It's also possible to deprecate a package version (in case you can't delete a package version). For more information about deprecating package versions, see [Deprecating packages](../deprecate-packages.md). diff --git a/docs/nuget-org/policies/dispute-resolution.md b/docs/nuget-org/policies/dispute-resolution.md index 94a1aea40..c9342a827 100644 --- a/docs/nuget-org/policies/dispute-resolution.md +++ b/docs/nuget-org/policies/dispute-resolution.md @@ -4,7 +4,7 @@ description: The process for resolving disputes between NuGet package publishers author: JonDouglas ms.author: jodou ms.date: 01/18/2018 -ms.topic: conceptual +ms.topic: how-to --- # Resolving disputes over NuGet package names diff --git a/docs/nuget-org/policies/export-control.md b/docs/nuget-org/policies/export-control.md index a0ce51d75..bc786531e 100644 --- a/docs/nuget-org/policies/export-control.md +++ b/docs/nuget-org/policies/export-control.md @@ -4,7 +4,7 @@ description: Policies governing export control laws author: JonDouglas ms.author: jodou ms.date: 06/27/2019 -ms.topic: conceptual +ms.topic: article --- # Export Control Policy diff --git a/docs/nuget-org/scoped-api-keys.md b/docs/nuget-org/scoped-api-keys.md index 6730218cf..f5b22ad84 100644 --- a/docs/nuget-org/scoped-api-keys.md +++ b/docs/nuget-org/scoped-api-keys.md @@ -4,7 +4,7 @@ description: Take control of API keys that you use to push packages author: mikejo5000 ms.author: mikejo ms.date: 06/04/2019 -ms.topic: conceptual +ms.topic: article --- # Scoped API keys @@ -99,4 +99,4 @@ You cannot modify the scope, but you can edit the package list it is applicable ### How do I know if any of my keys expired or are getting expired? -If any key expires, we will let you know through a warning message at the top of the page. We also send a warning e-mail to the account holder ten days before the expiration of the key so that you can act on it well in advance. \ No newline at end of file +If any key expires, we will let you know through a warning message at the top of the page. We also send a warning e-mail to the account holder ten days before the expiration of the key so that you can act on it well in advance. diff --git a/docs/nuget-org/trusted-publishing.md b/docs/nuget-org/trusted-publishing.md new file mode 100644 index 000000000..ca9faff1c --- /dev/null +++ b/docs/nuget-org/trusted-publishing.md @@ -0,0 +1,121 @@ +--- +title: Trusted Publishing +description: Trusted Publishing on nuget.org +author: etvorun +ms.author: evgenyt +ms.date: 07/01/2025 +ms.topic: article +--- + +# Trusted Publishing on nuget.org + +Trusted Publishing is a better way to publish NuGet packages. You don’t need to manage long-lived API keys anymore. Instead, you use short-lived credentials issued by your CI/CD system, like GitHub Actions. + +This makes your publishing process safer by reducing the risk of leaked credentials. It also makes automation easier because you don’t need to rotate or store secrets. This approach is part of a broader industry shift toward secure, keyless publishing. If you're curious, check out the OpenSSF initiative: https://repos.openssf.org/trusted-publishers-for-all-package-repositories. + +> ⚠️ **Heads up:** If you don’t see the **Trusted Publishing** option in your nuget.org account, it might not be available to you yet. We’re rolling it out gradually. + +## How it works + +When your GitHub Actions workflow runs, it requests an encrypted OIDC token from github.com. This token +includes information about your repository and workflow, and is cryptographically signed by GitHub Actions to prevent +tampering. The workflow forwards this token to nuget.org, which securely validates the token’s +authenticity with github.com using industry-standard cryptographic methods. A token exchange endpoint on nuget.org then checks +that the token’s details match a trusted publishing policy you’ve configured. If everything matches, +nuget.org issues a short-lived API key for your workflow to use when publishing your package. + +**Here’s the basic flow** + +1. Your CI/CD system (like GitHub Actions) runs a workflow. +2. It issues a short-lived token. +3. That token is sent to nuget.org. +4. NuGet verifies it and returns a temporary API key. +5. Your workflow uses that key to push the package. + +![Screenshot that shows Trusted Publishing page.](media/trusted-publishing.png) + +NuGet’s temporary API keys are valid for **1 hour**, so your workflow should request the key shortly before publishing. +If you request it too early, it might expire before the push happens. + +Each short-lived token can only be used once to obtain a single temporary API key—one token, one API key. + +This setup gives you a secure and automated way to publish packages, without the risks that come with long-lived secrets. + + +## GitHub Actions Setup + +To get started: + +1. Log into **nuget.org**. +2. Click your username and choose **Trusted Publishing**. +3. Add a new trusted publishing policy. For a GitHub repository `https://github.com/contoso/contoso-sdk` + with a workflow file `.github/workflows/build.yml` enter the following trusted policy details (case‑insensitive): + - **Repository Owner:** `contoso` + - **Repository:** `contoso-sdk` + - **Workflow File:** `build.yml` + > This corresponds to your workflow at `.github/workflows/build.yml`. Enter the **file name only** (`build.yml`)—do not include the `.github/workflows/` path. + - **Environment (optional):** `release` + > Enter environment if your workflow uses e.g. `environment: release` and you want to restrict this policy to that environment. Leave this empty if you do not use GitHub Actions environments. +4. In your **GitHub repo**, update your workflow to request a short‑lived API key and push your package. +Here’s a basic example: + +```yaml +jobs: + build-and-publish: + permissions: + id-token: write # enable GitHub OIDC token issuance for this job + + steps: + # Build your artifacts/my-sdk.nupkg package here + + # Get a short-lived NuGet API key + - name: NuGet login (OIDC → temp API key) + uses: NuGet/login@v1 + id: login + with: + user: contoso-bot # Recommended: use a secret like ${{ secrets.NUGET_USER }} for your nuget.org username (profile name), NOT your email address + + # Push the package + - name: NuGet push + run: dotnet nuget push artifacts/my-sdk.nupkg --api-key ${{steps.login.outputs.NUGET_API_KEY}} --source https://api.nuget.org/v3/index.json +``` + + +## Policy Ownership + +When you create a Trusted Publishing policy, you need to choose who owns it. The owner can be either: + +- **You (an individual user)** +- **An organization you belong to** + +The policy will apply to all packages owned by the selected owner. That means it controls who can publish or modify those packages using Trusted Publishing. + +If you choose an organization, make sure you're an active member. If you leave the org later, the policy may become inactive until you're added back. + +Choosing the right owner helps ensure your publishing setup stays secure and aligned with your team’s structure. + + +## Policies Pending Full Activation + +Sometimes when you create a Trusted Publishing policy, it starts out as temporarily active for 7 days. This usually happens with private GitHub repos. You’ll see this status in the UI. During that time, it behaves like a regular policy. But if no publish happens within those 7 days, the policy automatically becomes inactive. You can restart the 7-day window at any time—even after it expires. + +Why is this temporary period necessary? Because NuGet needs GitHub repository and owner IDs to lock the policy to the original repo and owner. That helps prevent resurrection attacks. Without those IDs, someone could delete a repo, recreate it with the same name, and try to publish as if nothing changed. + +Once a successful publish provides the IDs (as part of GitHub’s short-lived token), the policy becomes permanently active. + + +## Policy Ownership Warnings + +Trusted Publishing policies are tied to a specific owner—either an individual user or an organization. +If something changes with that ownership, the policy might become inactive. When that happens, you'll see a warning in the UI. + +### Common cases + +- **User removed from organization** + If a policy is owned by an organization and the user who created it is later removed from that org, the policy becomes inactive. + If the user is added back to the organization, the policy will be active again automatically. + +- **Organization is no longer active** + If the organization that owns the policy is locked or deleted, the policy becomes inactive. + +These warnings help make sure that only active, secure policies are used when publishing packages. diff --git a/docs/policies/Ecosystem.md b/docs/policies/Ecosystem.md index 542a0eb8f..1431b870f 100644 --- a/docs/policies/Ecosystem.md +++ b/docs/policies/Ecosystem.md @@ -4,7 +4,7 @@ description: Comprehensive resources in the NuGet ecosystem including NuGet sour author: JonDouglas ms.author: jodou ms.date: 01/18/2018 -ms.topic: conceptual +ms.topic: concept-article --- # An overview of the NuGet ecosystem @@ -17,7 +17,7 @@ All of these projects are able to innovate because of developer contributions. J ## .NET Foundation projects -NuGet provides a free, open source package management system for the Microsoft development platform. It consists of a few client tools as well as the set of services that comprise the [official NuGet Gallery](http://www.nuget.org). Combined, these form the NuGet project which is governed by the [.NET Foundation](http://www.dotnetfoundation.org/). +NuGet provides a free, open source package management system for the Microsoft development platform. It consists of a few client tools as well as the set of services that comprise the [official NuGet Gallery](https://www.nuget.org). Combined, these form the NuGet project which is governed by the [.NET Foundation](https://www.dotnetfoundation.org/). The NuGet Organization contains various repositories on GitHub. [https://github.com/Nuget/Home](https://github.com/Nuget/Home) gives an overview of all the repositories and where to find the various NuGet components. @@ -33,14 +33,16 @@ Many other individuals and companies have made significant contributions to the - [Artifactory](https://www.jfrog.com/artifactory/) - [BoxStarter](http://boxstarter.org/) - [Chocolatey](https://chocolatey.org/) -- [CoApp](http://coapp.org/) +- [CoApp](https://github.com/coapp/coapp.org) - [JetBrains ReSharper](https://resharper-plugins.jetbrains.com/) +- [JetBrains Space](https://www.jetbrains.com/space/) - [JetBrains TeamCity](https://www.jetbrains.com/teamcity/) - [Klondike](https://github.com/themotleyfool/Klondike) - [MinimalNugetServer](https://github.com/TanukiSharp/MinimalNugetServer) - [MyGet (or NuGet-as-a-service)](http://www.myget.org/) - [NuGet Package Explorer](https://github.com/NuGetPackageExplorer/NuGetPackageExplorer) - [NuGet Server](http://nugetserver.net/) +- [NuGetizer](https://github.com/devlooped/nugetizer) - [OctopusDeploy](https://octopus.com/) - [Paket](https://fsprojects.github.io/Paket/) - [ProGet (Inedo)](http://inedo.com/proget) @@ -54,12 +56,12 @@ Many other individuals and companies have made significant contributions to the These are tools and utilities built on NuGet: -- [Glimpse Extensions](http://getglimpse.com/Packages) (plug-ins are packages) +- [Glimpse Extensions](https://meetglimpse.com/) - [NuGetMustHaves.com](http://nugetmusthaves.com/) - [Orchard](http://www.orchardproject.net/) (CMS modules are fetched from a v1 NuGet feed hosted in the Orchard Gallery) - [Java implementation of NuGet Server](http://jonnyzzz.com/blog/2012/03/07/nuget-server-in-pure-java/) - [NuGetLatest](https://twitter.com/NuGetLatest) (Twitter bot tweeting new package publications) -- [DefinitelyTyped](http://definitelytyped.org/) ([Automatic](https://github.com/DefinitelyTyped/NugetAutomation/) TypeScript Type [Definitions published to NuGet](http://www.nuget.org/packages?q=DefinitelyTyped)) +- [DefinitelyTyped](http://definitelytyped.org/) ([Automatic](https://github.com/DefinitelyTyped/NugetAutomation/) TypeScript Type [Definitions published to NuGet](https://www.nuget.org/packages?q=DefinitelyTyped)) ## Training materials and references @@ -67,11 +69,11 @@ Using a new tool or technology usually comes with a learning curve. Luckily for That said, authoring packages–and especially good packages–along with embracing NuGet in automated build and deployment processes, requires spending a little more time with the following resources: -- [NuGet Blog](http://blog.nuget.org/) -- [NuGet team on Twitter, @nuget](http://twitter.com/nuget) +- [NuGet Blog](https://devblogs.microsoft.com/nuget/) +- [NuGet team on Twitter, @nuget](https://twitter.com/nuget) - Books: - [Apress Pro NuGet](http://bit.ly/ProNuGet) - - [NuGet 2 Essentials](http://www.amazon.com/NuGet-2-Essentials-Damir-Arh-ebook/dp/B00GTQD5M4) + - [NuGet 2 Essentials](https://www.amazon.com/NuGet-2-Essentials-Damir-Arh/dp/178216586X) ## Documentation for individual packages @@ -81,4 +83,4 @@ NuDoq regularly polls the nuget.org gallery server for the latest package update ## Adding your project -If you have a NuGet ecosystem project that would be a valuable addition to this page, please submit a pull request with an edit to this page. \ No newline at end of file +If you have a NuGet ecosystem project that would be a valuable addition to this page, please submit a pull request with an edit to this page. diff --git a/docs/policies/Governance.md b/docs/policies/Governance.md index fce9b9a5e..d1e4e1dc8 100644 --- a/docs/policies/Governance.md +++ b/docs/policies/Governance.md @@ -4,7 +4,7 @@ description: The governance model for NuGet, including roles and responsibilitie author: JonDouglas ms.author: jodou ms.date: 01/18/2018 -ms.topic: conceptual +ms.topic: article --- # NuGet governance diff --git a/docs/quickstart/create-and-publish-a-package-using-the-dotnet-cli.md b/docs/quickstart/create-and-publish-a-package-using-the-dotnet-cli.md index 70092f47a..1c662c94d 100644 --- a/docs/quickstart/create-and-publish-a-package-using-the-dotnet-cli.md +++ b/docs/quickstart/create-and-publish-a-package-using-the-dotnet-cli.md @@ -3,7 +3,7 @@ title: Create and publish a NuGet package with the dotnet CLI description: Walk through quickly creating and publishing a NuGet package by using the dotnet CLI. author: JonDouglas ms.author: jodou -ms.date: 08/29/2022 +ms.date: 03/03/2025 ms.topic: quickstart --- @@ -31,7 +31,7 @@ For more information, see [dotnet new](/dotnet/core/tools/dotnet-new). Every NuGet package has a manifest that describes the package's contents and dependencies. In the final package, the manifest is a *.nuspec* file, which uses the NuGet metadata properties you include in the project file. -Open the *.csproj*, *.fproj*, or *.vbproj* project file, and add the following properties inside the existing `` tag. Use your own values for name and company, and replace the package identifier with a unique value. +Open the *.csproj*, *.fsproj*, or *.vbproj* project file, and add the following properties inside the existing `` tag. Use your own values for name and company, and replace the package identifier with a unique value. ```xml Contoso.08.28.22.001.Test @@ -43,7 +43,7 @@ Open the *.csproj*, *.fproj*, or *.vbproj* project file, and add the following p > [!Important] > The package identifier must be unique across nuget.org and other package sources. Publishing makes the package publicly visible, so if you use the example AppLogger library or other test library, use a unique name that includes `Sample` or `Test`. -You can add any optional properties described in [NuGet metadata properties](/dotnet/core/tools/csproj#nuget-metadata-properties). +You can add any optional properties described in [NuGet metadata properties](../reference/msbuild-targets.md#pack-target). > [!Note] > For packages you build for public consumption, pay special attention to the `PackageTags` property. Tags help others find your package and understand what it does. @@ -100,7 +100,7 @@ Congratulations on creating and publishing your first NuGet package! ## Related video -> [!Video https://learn.microsoft.com/shows/NuGet-101/Create-and-Publish-a-NuGet-Package-with-the-NET-CLI-5-of-5/player] +> [!VIDEO https://learn-video.azurefd.net/vod/player?show=dotnet-package-management-with-nuget-for-beginners&ep=creating-and-publishing-a-nuget-package-nuget-for-beginners] Find more NuGet videos on [Channel 9](/shows/NuGet-101/) and [YouTube](https://www.youtube.com/playlist?list=PLdo4fOcmZ0oVLvfkFk8O9h6v2Dcdh2bh_). diff --git a/docs/quickstart/create-and-publish-a-package-using-visual-studio-net-framework.md b/docs/quickstart/create-and-publish-a-package-using-visual-studio-net-framework.md index 79355db0f..694fbab75 100644 --- a/docs/quickstart/create-and-publish-a-package-using-visual-studio-net-framework.md +++ b/docs/quickstart/create-and-publish-a-package-using-visual-studio-net-framework.md @@ -3,7 +3,7 @@ title: "Quickstart: Create and publish a package using Visual Studio (.NET Frame description: A quickstart that shows how to create and publish a .NET Framework NuGet package using Visual Studio on Windows. author: JonDouglas ms.author: jodou -ms.date: 08/29/2022 +ms.date: 03/03/2025 ms.topic: quickstart --- @@ -54,7 +54,7 @@ To create a class library project, follow these steps: } ``` - Within a real-world NuGet package, you'd likely implement many useful features with which others can build applications. You can also set the target frameworks. For examples, see [UWP](../guides/create-uwp-packages.md) and [Xamarin](../guides/create-packages-for-xamarin.md). + Within a real-world NuGet package, you'd likely implement many useful features with which others can build applications. You can also set the target frameworks. For an example, see [UWP](../guides/create-uwp-packages.md). ## Configure project properties for the package @@ -100,6 +100,7 @@ Run `nuget spec` only once to generate the initial manifest. If you update the p Your username Your username MIT + http://PROJECT_URL_HERE_OR_DELETE_THIS_LINE false Package description diff --git a/docs/quickstart/create-and-publish-a-package-using-visual-studio.md b/docs/quickstart/create-and-publish-a-package-using-visual-studio.md index e4c07b65a..dd1169c71 100644 --- a/docs/quickstart/create-and-publish-a-package-using-visual-studio.md +++ b/docs/quickstart/create-and-publish-a-package-using-visual-studio.md @@ -3,7 +3,7 @@ title: "Quickstart: Create and publish a NuGet package using Visual Studio (Wind description: A quickstart that shows how to create and publish a .NET NuGet package using Visual Studio for Windows. author: JonDouglas ms.author: jodou -ms.date: 08/29/2022 +ms.date: 03/03/2025 ms.topic: quickstart --- @@ -11,7 +11,7 @@ ms.topic: quickstart With Microsoft Visual Studio, you can create a NuGet package from a .NET class library, and then publish it to nuget.org using a CLI tool. -The quickstart is for Windows users only. If you're using Visual Studio for Mac, see [Create a NuGet package from existing library projects](/xamarin/cross-platform/app-fundamentals/nuget-multiplatform-libraries/existing-library) or use the [.NET CLI](create-and-publish-a-package-using-the-dotnet-cli.md). +The quickstart is for Windows users only. If you're using a Mac, use the [.NET CLI](create-and-publish-a-package-using-the-dotnet-cli.md). ## Prerequisites @@ -96,7 +96,7 @@ To create a NuGet package from your project, follow these steps: 1. Select **Build** > **Configuration Manager**, and then set the **Active solution configuration** to **Release**. -1. Select the AppLogger project in **Solution Explorer**, and then select **Build** > **Pack**. +1. Select the AppLogger project in **Solution Explorer**, then select **Pack**. Visual Studio builds the project and creates the *.nupkg* file. @@ -214,17 +214,17 @@ In this example, the property specifies a file named *readme.txt* in the project 3 ---------------------------------------------------- 4 5 ----Silverlight 4 and Windows Phone 7.1+ projects----- -6 To use XPATH features: System.Xml.Xpath.dll from the 3 Silverlight 4 SDK must be referenced. -7 This is normally found at -8 %ProgramFiles(x86)%\Microsoft SDKs\Microsoft SDKs\Silverlight\v4.0\Libraries\Client -9 or +6 To use XPATH features: System.Xml.Xpath.dll from the 3 Silverlight 4 SDK must be referenced. +7 This is normally found at +8 %ProgramFiles(x86)%\Microsoft SDKs\Microsoft SDKs\Silverlight\v4.0\Libraries\Client +9 or 10 %ProgramFiles%\Microsoft SDKs\Microsoft SDKs\Silverlight\v4.0\Libraries\Client 11 12 ----Silverlight 5 projects----- -13 To use XPATH features: System.Xml.Xpath.dll from the Silverlight 5 SDK must be referenced. -14 This is normally found at -15 %ProgramFiles(x86)%\Microsoft SDKs\Microsoft SDKs\Silverlight\v5.0\Libraries\Client -16 or +13 To use XPATH features: System.Xml.Xpath.dll from the Silverlight 5 SDK must be referenced. +14 This is normally found at +15 %ProgramFiles(x86)%\Microsoft SDKs\Microsoft SDKs\Silverlight\v5.0\Libraries\Client +16 or 17 %ProgramFiles%\Microsoft SDKs\Microsoft SDKs\Silverlight\v5.0\Libraries\Client ``` @@ -233,9 +233,7 @@ In this example, the property specifies a file named *readme.txt* in the project ## Related video -> [!VIDEO https://learn.microsoft.com/shows/NuGet-101/Create-and-Publish-a-NuGet-Package-with-Visual-Studio-4-of-5/player] - -Find more NuGet videos on [Channel 9](/shows/NuGet-101/) and [YouTube](https://www.youtube.com/playlist?list=PLdo4fOcmZ0oVLvfkFk8O9h6v2Dcdh2bh_). +Find NuGet videos on [Channel 9](/shows/NuGet-101/) and [YouTube](https://www.youtube.com/playlist?list=PLdo4fOcmZ0oVLvfkFk8O9h6v2Dcdh2bh_). Congratulations on creating a NuGet package by using a Visual Studio .NET class library. Advance to the next article to learn how to create a NuGet package with the Visual Studio .NET Framework. diff --git a/docs/quickstart/install-and-use-a-package-in-visual-studio-mac.md b/docs/quickstart/install-and-use-a-package-in-visual-studio-mac.md index 8151b05ee..4dd4766b6 100644 --- a/docs/quickstart/install-and-use-a-package-in-visual-studio-mac.md +++ b/docs/quickstart/install-and-use-a-package-in-visual-studio-mac.md @@ -9,7 +9,7 @@ ms.topic: quickstart # Quickstart: Install and use a package in Visual Studio for Mac -NuGet packages contain reusable code that other developers make available to you for use in your projects. See [What is NuGet?](../What-is-NuGet.md) for background. Packages are installed into a Visual Studio for Mac project using the NuGet Package Manager. This article demonstrates the process using the popular [Newtonsoft.Json](https://www.nuget.org/packages/Newtonsoft.Json/) package and a .NET Core console project. The same process applies to any other Xamarin or .NET Core project. +NuGet packages contain reusable code that other developers make available to you for use in your projects. See [What is NuGet?](../What-is-NuGet.md) for background. Packages are installed into a Visual Studio for Mac project using the NuGet Package Manager. This article demonstrates the process using the popular [Newtonsoft.Json](https://www.nuget.org/packages/Newtonsoft.Json/) package and a .NET Core console project. The same process applies to any other .NET Core project. Once installed, refer to the package in code with `using ` where \ is specific to the package you're using. Once the reference is made, you can call the package through its API. @@ -66,7 +66,7 @@ With the Newtonsoft.Json package in the project, you can call its `JsonConvert.S public string Email { get; set; } public DateTime DOB { get; set; } } - + class Program { static void Main(string[] args) diff --git a/docs/quickstart/install-and-use-a-package-in-visual-studio.md b/docs/quickstart/install-and-use-a-package-in-visual-studio.md index 60a6bbf52..5a73bf2cc 100644 --- a/docs/quickstart/install-and-use-a-package-in-visual-studio.md +++ b/docs/quickstart/install-and-use-a-package-in-visual-studio.md @@ -3,7 +3,7 @@ title: "Quickstart: Install and use a NuGet package in Visual Studio (Windows on description: In this quickstart, you learn how to install and use a NuGet package in a Visual Studio project for Windows. author: JonDouglas ms.author: jodou -ms.date: 08/22/2022 +ms.date: 03/03/2025 ms.topic: quickstart --- @@ -105,7 +105,7 @@ With the `Newtonsoft.Json` package in the project, call its `JsonConvert.Seriali Email = "john@microsoft.com", DOB = new DateTime(1980, 2, 20, 0, 0, 0, DateTimeKind.Utc), }; - string json = JsonConvert.SerializeObject(account, Formatting.Indented); + string json = JsonConvert.SerializeObject(account, Newtonsoft.Json.Formatting.Indented); TextBlock.Text = json; } ``` @@ -128,8 +128,7 @@ With the `Newtonsoft.Json` package in the project, call its `JsonConvert.Seriali ## Related video -- [Install and Use a NuGet Package with Visual Studio](/shows/nuget-101/install-and-use-a-nuget-package-with-visual-studio-2-of-5/player) -- Find more NuGet videos on [Channel 9](/shows/nuget-101/) and [YouTube](https://www.youtube.com/playlist?list=PLdo4fOcmZ0oVLvfkFk8O9h6v2Dcdh2bh_). +- Find NuGet videos on [Channel 9](/shows/nuget-101/) and [YouTube](https://www.youtube.com/playlist?list=PLdo4fOcmZ0oVLvfkFk8O9h6v2Dcdh2bh_). ## See also diff --git a/docs/quickstart/install-and-use-a-package-using-the-dotnet-cli.md b/docs/quickstart/install-and-use-a-package-using-the-dotnet-cli.md index 33a9f36d3..b4ccfb956 100644 --- a/docs/quickstart/install-and-use-a-package-using-the-dotnet-cli.md +++ b/docs/quickstart/install-and-use-a-package-using-the-dotnet-cli.md @@ -3,7 +3,7 @@ title: Install and use a NuGet package with the dotnet CLI description: Get a quick tutorial on how to use the dotnet CLI to install and use a NuGet package in a .NET project. author: JonDouglas ms.author: jodou -ms.date: 08/29/2022 +ms.date: 03/03/2025 ms.topic: quickstart --- @@ -67,8 +67,8 @@ You can install NuGet packages into a .NET project. For this walkthrough, create { public class Account { - public string Name { get; set; } - public string Email { get; set; } + public string? Name { get; set; } + public string? Email { get; set; } public DateTime DOB { get; set; } } internal class Program @@ -103,7 +103,7 @@ Congratulations on installing and using your first NuGet package! ## Related video -> [!VIDEO https://learn.microsoft.com/shows/NuGet-101/Install-and-Use-a-NuGet-Package-with-the-NET-CLI-3-of-5/player] +> [!VIDEO https://learn-video.azurefd.net/vod/player?show=dotnet-package-management-with-nuget-for-beginners&ep=installing-a-nuget-package-using-the-dotnet-cli-nuget-for-beginners] Find more NuGet videos on [Channel 9](/shows/NuGet-101/) and [YouTube](https://www.youtube.com/playlist?list=PLdo4fOcmZ0oVLvfkFk8O9h6v2Dcdh2bh_). diff --git a/docs/reference/Errors-and-Warnings.md b/docs/reference/Errors-and-Warnings.md index a537a9d7f..3abf97dd5 100644 --- a/docs/reference/Errors-and-Warnings.md +++ b/docs/reference/Errors-and-Warnings.md @@ -19,7 +19,7 @@ NuGet supports the following configuration properties. | Property | Scope | Description | |----------|-------|-------------| | TreatWarningsAsErrors | Project | Treats all NuGet warnings as errors | -| NoWarn | Project, PackageReference | Suppress the warning for the project or package | +| NoWarn | Project, PackageReference, ProjectReference | Suppress the warning for the current project, package or project reference | | WarningsAsErrors | Project | Treat certain warnings as errors | | WarningsNotAsErrors | Project | Treat certain warnings not as errors. Used in combination with `TreatWarningsAsErrors` set to true. | @@ -27,27 +27,29 @@ NuGet supports the following configuration properties. | Group | Error Numbers | | --- | --- | -| Invalid input errors | [NU1001](./errors-and-warnings/NU1001.md), [NU1002](./errors-and-warnings/NU1002.md), [NU1003](./errors-and-warnings/NU1003.md), [NU1004](./errors-and-warnings/NU1004.md), [NU1005](./errors-and-warnings/NU1005.md), [NU1006](./errors-and-warnings/NU1006.md), [NU1007](./errors-and-warnings/NU1007.md), [NU1008](./errors-and-warnings/NU1008.md), [NU1009](./errors-and-warnings/NU1009.md), [NU1010](./errors-and-warnings/NU1010.md), [NU1011](./errors-and-warnings/NU1011.md), [NU1012](./errors-and-warnings/NU1012.md), | +| Invalid input errors | [NU1001](./errors-and-warnings/NU1001.md), [NU1002](./errors-and-warnings/NU1002.md), [NU1003](./errors-and-warnings/NU1003.md), [NU1004](./errors-and-warnings/NU1004.md), [NU1005](./errors-and-warnings/NU1005.md), [NU1006](./errors-and-warnings/NU1006.md), [NU1007](./errors-and-warnings/NU1007.md), [NU1008](./errors-and-warnings/NU1008.md), [NU1009](./errors-and-warnings/NU1009.md), [NU1010](./errors-and-warnings/NU1010.md), [NU1011](./errors-and-warnings/NU1011.md), [NU1012](./errors-and-warnings/NU1012.md), [NU1013](./errors-and-warnings/NU1013.md), [NU1014](./errors-and-warnings/NU1014.md), [NU1015](./errors-and-warnings/NU1015.md), [NU1016](./errors-and-warnings/NU1016.md), [NU1017](./errors-and-warnings/NU1017.md) | | Missing package and project errors | [NU1100](./errors-and-warnings/NU1100.md), [NU1101](./errors-and-warnings/NU1101.md), [NU1102](./errors-and-warnings/NU1102.md), [NU1103](./errors-and-warnings/NU1103.md), [NU1104](./errors-and-warnings/NU1104.md), [NU1105](./errors-and-warnings/NU1105.md), [NU1106](./errors-and-warnings/NU1106.md), [NU1107](./errors-and-warnings/NU1107.md), [NU1108](./errors-and-warnings/NU1108.md), [NU1109](./errors-and-warnings/NU1109.md) | +| Package source mapping errors | [NU1110](./errors-and-warnings/NU1110.md) | | Compatibility errors | [NU1201](./errors-and-warnings/NU1201.md), [NU1202](./errors-and-warnings/NU1202.md), [NU1203](./errors-and-warnings/NU1203.md), [NU1204](./errors-and-warnings/NU1204.md), [NU1401](./errors-and-warnings/NU1401.md), [NU1402](./errors-and-warnings/NU1402.md), [NU1403](./errors-and-warnings/NU1403.md) | | Dotnet Tool restore errors | [NU1211](./errors-and-warnings/NU1211.md), [NU1212](./errors-and-warnings/NU1212.md), [NU1213](./errors-and-warnings/NU1213.md) | -| NuGet source errors | [NU1301](./errors-and-warnings/NU1301.md) | +| NuGet source errors | [NU1301](./errors-and-warnings/NU1301.md), [NU1302](./errors-and-warnings/NU1302.md) | | NuGet internal errors | [NU1000](./errors-and-warnings/NU1000.md) | | Signed packages errors (creation and verification) | [NU3001](./errors-and-warnings/NU3001.md), [NU3004](./errors-and-warnings/NU3004.md), [NU3005](./errors-and-warnings/NU3005.md), [NU3008](./errors-and-warnings/NU3008.md), [NU3034](./errors-and-warnings/NU3034.md)| -| Pack Errors | [NU5000](./errors-and-warnings/NU5000.md), [NU5001](./errors-and-warnings/NU5001.md), [NU5002](./errors-and-warnings/NU5002.md), [NU5003](./errors-and-warnings/NU5003.md), [NU5004](./errors-and-warnings/NU5004.md), [NU5005](./errors-and-warnings/NU5005.md), [NU5007](./errors-and-warnings/NU5007.md), [NU5008](./errors-and-warnings/NU5008.md), [NU5009](./errors-and-warnings/NU5009.md), [NU5010](./errors-and-warnings/NU5010.md), [NU5011](./errors-and-warnings/NU5011.md), [NU5012](./errors-and-warnings/NU5012.md), [NU5013](./errors-and-warnings/NU5013.md), [NU5014](./errors-and-warnings/NU5014.md), [NU5015](./errors-and-warnings/NU5015.md), [NU5016](./errors-and-warnings/NU5016.md), [NU5017](./errors-and-warnings/NU5017.md), [NU5018](./errors-and-warnings/NU5018.md), [NU5019](./errors-and-warnings/NU5019.md), [NU5020](./errors-and-warnings/NU5020.md), [NU5021](./errors-and-warnings/NU5021.md), [NU5022](./errors-and-warnings/NU5022.md), [NU5023](./errors-and-warnings/NU5023.md), [NU5024](./errors-and-warnings/NU5024.md), [NU5025](./errors-and-warnings/NU5025.md), [NU5026](./errors-and-warnings/NU5026.md), [NU5027](./errors-and-warnings/NU5027.md), [NU5028](./errors-and-warnings/NU5028.md), [NU5029](./errors-and-warnings/NU5029.md), [NU5036](./errors-and-warnings/NU5036.md), [NU5042](./errors-and-warnings/NU5042.md), [NU5049](./errors-and-warnings/NU5049.md) -| License specific Pack Errors | [NU5030](./errors-and-warnings/NU5030.md), [NU5031](./errors-and-warnings/NU5031.md), [NU5032](./errors-and-warnings/NU5032.md), [NU5033](./errors-and-warnings/NU5033.md), [NU5034](./errors-and-warnings/NU5034.md), [NU5035](./errors-and-warnings/NU5035.md) +| Pack Errors | [NU5000](./errors-and-warnings/NU5000.md), [NU5001](./errors-and-warnings/NU5001.md), [NU5002](./errors-and-warnings/NU5002.md), [NU5003](./errors-and-warnings/NU5003.md), [NU5004](./errors-and-warnings/NU5004.md), [NU5005](./errors-and-warnings/NU5005.md), [NU5007](./errors-and-warnings/NU5007.md), [NU5008](./errors-and-warnings/NU5008.md), [NU5009](./errors-and-warnings/NU5009.md), [NU5010](./errors-and-warnings/NU5010.md), [NU5011](./errors-and-warnings/NU5011.md), [NU5012](./errors-and-warnings/NU5012.md), [NU5013](./errors-and-warnings/NU5013.md), [NU5014](./errors-and-warnings/NU5014.md), [NU5015](./errors-and-warnings/NU5015.md), [NU5016](./errors-and-warnings/NU5016.md), [NU5017](./errors-and-warnings/NU5017.md), [NU5018](./errors-and-warnings/NU5018.md), [NU5019](./errors-and-warnings/NU5019.md), [NU5020](./errors-and-warnings/NU5020.md), [NU5021](./errors-and-warnings/NU5021.md), [NU5022](./errors-and-warnings/NU5022.md), [NU5023](./errors-and-warnings/NU5023.md), [NU5024](./errors-and-warnings/NU5024.md), [NU5025](./errors-and-warnings/NU5025.md), [NU5026](./errors-and-warnings/NU5026.md), [NU5027](./errors-and-warnings/NU5027.md), [NU5028](./errors-and-warnings/NU5028.md), [NU5029](./errors-and-warnings/NU5029.md), [NU5036](./errors-and-warnings/NU5036.md), [NU5042](./errors-and-warnings/NU5042.md), [NU5049](./errors-and-warnings/NU5049.md) | +| License specific Pack Errors | [NU5030](./errors-and-warnings/NU5030.md), [NU5031](./errors-and-warnings/NU5031.md), [NU5032](./errors-and-warnings/NU5032.md), [NU5033](./errors-and-warnings/NU5033.md), [NU5034](./errors-and-warnings/NU5034.md), [NU5035](./errors-and-warnings/NU5035.md) | +| NuGetAudit specific warnings | [NU1014](./errors-and-warnings/NU1014.md), [NU1900](./errors-and-warnings/NU1900.md), [NU1901, NU1902, NU1903, NU1904](./errors-and-warnings/NU1901-NU1904.md), [NU1905](./errors-and-warnings/NU1905.md) | ## Warnings | Group | Warning numbers | | --- | --- | -| Invalid input warnings | [NU1501](./errors-and-warnings/NU1501.md), [NU1502](./errors-and-warnings/NU1502.md), [NU1503](./errors-and-warnings/NU1503.md), [NU1504](./errors-and-warnings/NU1504.md), [NU1505](./errors-and-warnings/NU1505.md), [NU1506](./errors-and-warnings/NU1506.md), [NU1507](./errors-and-warnings/NU1507.md) | +| Invalid input warnings | [NU1501](./errors-and-warnings/NU1501.md), [NU1502](./errors-and-warnings/NU1502.md), [NU1503](./errors-and-warnings/NU1503.md), [NU1504](./errors-and-warnings/NU1504.md), [NU1505](./errors-and-warnings/NU1505.md), [NU1506](./errors-and-warnings/NU1506.md), [NU1507](./errors-and-warnings/NU1507.md), [NU1508](./errors-and-warnings/NU1508.md), [NU1509](./errors-and-warnings/NU1509.md), [NU1510](./errors-and-warnings/NU1510.md), [NU1511](./errors-and-warnings/NU1511.md) | | Unexpected package version warnings | [NU1601](./errors-and-warnings/NU1601.md), [NU1602](./errors-and-warnings/NU1602.md), [NU1603](./errors-and-warnings/NU1603.md), [NU1604](./errors-and-warnings/NU1604.md), [NU1605](./errors-and-warnings/NU1605.md), [NU1606](./errors-and-warnings/NU1108.md), [NU1607](./errors-and-warnings/NU1107.md) | | Resolver conflict warnings | [NU1608](./errors-and-warnings/NU1608.md) | -| Package fallback warnings | [NU1701](./errors-and-warnings/NU1701.md) | +| Package fallback warnings | [NU1701](./errors-and-warnings/NU1701.md), [NU1702](./errors-and-warnings/NU1702.md), [NU1703](./errors-and-warnings/NU1703.md)| | Feed warnings | [NU1801](./errors-and-warnings/NU1801.md), [NU1802](./errors-and-warnings/NU1802.md), [NU1803](./errors-and-warnings/NU1803.md) | | NuGet internal warnings | [NU1500](./errors-and-warnings/NU1500.md) | -| Signed packages warnings (creation and verification) | [NU3000](./errors-and-warnings/NU3000.md), [NU3002](./errors-and-warnings/NU3002.md), [NU3003](./errors-and-warnings/NU3003.md), [NU3006](./errors-and-warnings/NU3006.md), [NU3007](./errors-and-warnings/NU3007.md), [NU3009](./errors-and-warnings/NU3009.md), [NU3010](./errors-and-warnings/NU3010.md), [NU3011](./errors-and-warnings/NU3011.md), [NU3012](./errors-and-warnings/NU3012.md), [NU3013](./errors-and-warnings/NU3013.md), [NU3014](./errors-and-warnings/NU3014.md), [NU3015](./errors-and-warnings/NU3015.md), [NU3016](./errors-and-warnings/NU3016.md), [NU3017](./errors-and-warnings/NU3017.md), [NU3018](./errors-and-warnings/NU3018.md), [NU3019](./errors-and-warnings/NU3019.md), [NU3020](./errors-and-warnings/NU3020.md), [NU3021](./errors-and-warnings/NU3021.md), [NU3022](./errors-and-warnings/NU3022.md), [NU3023](./errors-and-warnings/NU3023.md), [NU3024](./errors-and-warnings/NU3024.md), [NU3025](./errors-and-warnings/NU3025.md), [NU3026](./errors-and-warnings/NU3026.md), [NU3027](./errors-and-warnings/NU3027.md), [NU3028](./errors-and-warnings/NU3028.md), [NU3029](./errors-and-warnings/NU3029.md), [NU3030](./errors-and-warnings/NU3030.md), [NU3031](./errors-and-warnings/NU3031.md), [NU3032](./errors-and-warnings/NU3032.md), [NU3033](./errors-and-warnings/NU3033.md), [NU3035](./errors-and-warnings/NU3035.md), [NU3036](./errors-and-warnings/NU3036.md), [NU3037](./errors-and-warnings/NU3037.md), [NU3038](./errors-and-warnings/NU3038.md), [NU3040](./errors-and-warnings/NU3040.md) | -| Pack Warnings | [NU5100](./errors-and-warnings/NU5100.md), [NU5101](./errors-and-warnings/NU5101.md), [NU5102](./errors-and-warnings/NU5102.md), [NU5103](./errors-and-warnings/NU5103.md), [NU5104](./errors-and-warnings/NU5104.md), [NU5105](./errors-and-warnings/NU5105.md), [NU5106](./errors-and-warnings/NU5106.md), [NU5107](./errors-and-warnings/NU5107.md), [NU5108](./errors-and-warnings/NU5108.md), [NU5109](./errors-and-warnings/NU5109.md), [NU5110](./errors-and-warnings/NU5110.md), [NU5111](./errors-and-warnings/NU5111.md), [NU5112](./errors-and-warnings/NU5112.md), [NU5114](./errors-and-warnings/NU5114.md), [NU5115](./errors-and-warnings/NU5115.md), [NU5116](./errors-and-warnings/NU5116.md), [NU5117](./errors-and-warnings/NU5117.md), [NU5118](./errors-and-warnings/NU5118.md), [NU5119](./errors-and-warnings/NU5119.md), [NU5120](./errors-and-warnings/NU5120.md), [NU5121](./errors-and-warnings/NU5121.md), [NU5122](./errors-and-warnings/NU5122.md), [NU5123](./errors-and-warnings/NU5123.md), [NU5127](./errors-and-warnings/NU5127.md), [NU5128](./errors-and-warnings/NU5128.md), [NU5129](./errors-and-warnings/NU5129.md), [NU5130](./errors-and-warnings/NU5130.md), [NU5131](./errors-and-warnings/NU5131.md), [NU5133](./errors-and-warnings/NU5133.md), [NU5500](./errors-and-warnings/NU5500.md), [NU5501](./errors-and-warnings/NU5501.md) -| License specific Pack Warnings | [NU5124](./errors-and-warnings/NU5124.md), [NU5125](./errors-and-warnings/NU5125.md) +| Signed packages warnings (creation and verification) | [NU3000](./errors-and-warnings/NU3000.md), [NU3002](./errors-and-warnings/NU3002.md), [NU3003](./errors-and-warnings/NU3003.md), [NU3006](./errors-and-warnings/NU3006.md), [NU3007](./errors-and-warnings/NU3007.md), [NU3009](./errors-and-warnings/NU3009.md), [NU3010](./errors-and-warnings/NU3010.md), [NU3011](./errors-and-warnings/NU3011.md), [NU3012](./errors-and-warnings/NU3012.md), [NU3013](./errors-and-warnings/NU3013.md), [NU3014](./errors-and-warnings/NU3014.md), [NU3015](./errors-and-warnings/NU3015.md), [NU3016](./errors-and-warnings/NU3016.md), [NU3017](./errors-and-warnings/NU3017.md), [NU3018](./errors-and-warnings/NU3018.md), [NU3019](./errors-and-warnings/NU3019.md), [NU3020](./errors-and-warnings/NU3020.md), [NU3021](./errors-and-warnings/NU3021.md), [NU3022](./errors-and-warnings/NU3022.md), [NU3023](./errors-and-warnings/NU3023.md), [NU3024](./errors-and-warnings/NU3024.md), [NU3025](./errors-and-warnings/NU3025.md), [NU3026](./errors-and-warnings/NU3026.md), [NU3027](./errors-and-warnings/NU3027.md), [NU3028](./errors-and-warnings/NU3028.md), [NU3029](./errors-and-warnings/NU3029.md), [NU3030](./errors-and-warnings/NU3030.md), [NU3031](./errors-and-warnings/NU3031.md), [NU3032](./errors-and-warnings/NU3032.md), [NU3033](./errors-and-warnings/NU3033.md), [NU3035](./errors-and-warnings/NU3035.md), [NU3036](./errors-and-warnings/NU3036.md), [NU3037](./errors-and-warnings/NU3037.md), [NU3038](./errors-and-warnings/NU3038.md), [NU3040](./errors-and-warnings/NU3040.md), [NU3042](./errors-and-warnings/NU3042.md), [NU3043](./errors-and-warnings/NU3043.md) | +| Pack Warnings | [NU5100](./errors-and-warnings/NU5100.md), [NU5101](./errors-and-warnings/NU5101.md), [NU5102](./errors-and-warnings/NU5102.md), [NU5103](./errors-and-warnings/NU5103.md), [NU5104](./errors-and-warnings/NU5104.md), [NU5105](./errors-and-warnings/NU5105.md), [NU5106](./errors-and-warnings/NU5106.md), [NU5107](./errors-and-warnings/NU5107.md), [NU5108](./errors-and-warnings/NU5108.md), [NU5109](./errors-and-warnings/NU5109.md), [NU5110](./errors-and-warnings/NU5110.md), [NU5111](./errors-and-warnings/NU5111.md), [NU5112](./errors-and-warnings/NU5112.md), [NU5114](./errors-and-warnings/NU5114.md), [NU5115](./errors-and-warnings/NU5115.md), [NU5116](./errors-and-warnings/NU5116.md), [NU5117](./errors-and-warnings/NU5117.md), [NU5118](./errors-and-warnings/NU5118.md), [NU5119](./errors-and-warnings/NU5119.md), [NU5120](./errors-and-warnings/NU5120.md), [NU5121](./errors-and-warnings/NU5121.md), [NU5122](./errors-and-warnings/NU5122.md), [NU5123](./errors-and-warnings/NU5123.md), [NU5127](./errors-and-warnings/NU5127.md), [NU5128](./errors-and-warnings/NU5128.md), [NU5129](./errors-and-warnings/NU5129.md), [NU5130](./errors-and-warnings/NU5130.md), [NU5131](./errors-and-warnings/NU5131.md), [NU5133](./errors-and-warnings/NU5133.md), [NU5500](./errors-and-warnings/NU5500.md), [NU5501](./errors-and-warnings/NU5501.md) | +| License specific Pack Warnings | [NU5124](./errors-and-warnings/NU5124.md), [NU5125](./errors-and-warnings/NU5125.md) | | Icon specific Pack Warnings | [NU5046](./errors-and-warnings/NU5046.md), [NU5047](./errors-and-warnings/NU5047.md), [NU5048](./errors-and-warnings/NU5048.md) | diff --git a/docs/reference/NuGet-Client-SDK.md b/docs/reference/NuGet-Client-SDK.md index 5078be0b0..e58bee9bf 100644 --- a/docs/reference/NuGet-Client-SDK.md +++ b/docs/reference/NuGet-Client-SDK.md @@ -4,22 +4,56 @@ description: The API is evolving and not yet documented, but examples are availa author: JonDouglas ms.author: jodou ms.date: 01/09/2018 -ms.topic: conceptual +ms.topic: article --- # NuGet Client SDK The *NuGet Client SDK* refers to a group of NuGet packages: -* [`NuGet.Protocol`](https://www.nuget.org/packages/NuGet.Protocol) - Used to interact with HTTP and file-based NuGet feeds -* [`NuGet.Packaging`](https://www.nuget.org/packages/NuGet.Packaging) - Used to interact with NuGet packages. `NuGet.Protocol` depends on this package +* [`NuGet.Indexing`](https://www.nuget.org/packages/NuGet.Indexing) - NuGet's indexing library for the Visual Studio client search functionality. +* [`NuGet.Commands`](https://www.nuget.org/packages/NuGet.Commands) - Complete commands common to command-line and GUI NuGet clients. +* [`NuGet.Common`](https://www.nuget.org/packages/NuGet.Common) - Common utilities and interfaces for all NuGet libraries. +* [`NuGet.Configuration`](https://www.nuget.org/packages/NuGet.Configuration) - NuGet's configuration settings implementation. +* [`NuGet.Credentials`](https://www.nuget.org/packages/NuGet.Credentials) - NuGet client's authentication models. +* [`NuGet.DependencyResolver.Core`](https://www.nuget.org/packages/NuGet.DependencyResolver.Core) - NuGet's PackageReference dependency resolver implementation. +* [`NuGet.Frameworks`](https://www.nuget.org/packages/NuGet.Frameworks) - NuGet's understanding of target frameworks. +* [`NuGet.LibraryModel`](https://www.nuget.org/packages/NuGet.LibraryModel) - NuGet's types and interfaces for understanding dependencies. +* [`NuGet.Localization`](https://www.nuget.org/packages/NuGet.Localization) - NuGet localization package. +* [`NuGet.PackageManagement`](https://www.nuget.org/packages/NuGet.PackageManagement) - NuGet Package Management functionality for Visual Studio installation flow. +* [`NuGet.Packaging`](https://www.nuget.org/packages/NuGet.Packaging) - Provides a set of APIs to interact with `.nupkg` and `.nuspec` files from a stream. `NuGet.Protocol` depends on this package. +* [`NuGet.ProjectModel`](https://www.nuget.org/packages/NuGet.ProjectModel) - NuGet's core types and interfaces for PackageReference-based restore, such as lock files, assets file and internal restore models. +* [`NuGet.Protocol`](https://www.nuget.org/packages/NuGet.Protocol) - Provides a set of APIs interact with HTTP and file-based NuGet feeds. +* [`NuGet.Resolver`](https://www.nuget.org/packages/NuGet.Resolver) - NuGet's dependency resolver for packages.config based projects. +* [`NuGet.Versioning`](https://www.nuget.org/packages/NuGet.Versioning) - NuGet's implementation of Semantic Versioning. You can find the source code for these packages in the [NuGet/NuGet.Client](https://github.com/NuGet/NuGet.Client) GitHub repository. -You can find the source code for these examples on the [NuGet.Protocol.Samples](https://github.com/NuGet/Samples/tree/main/NuGetProtocolSamples) project on GitHub. > [!Note] > For documentation on the NuGet server protocol, please refer to the [NuGet Server API](~/api/overview.md). +## Support policy + +The most recent version of NuGet Client SDK is fully supported and can be relied on for bug fixes, updates, and enhancements. + +The recommendation is to use the latest versions of NuGet Client SDK packages, and to examine your project for dependencies on deprecated NuGet Client SDK packages. + +### Patch Releases + +Patched versions of NuGet Client SDK will be released exclusively when critical bugs or security fixes are required for a long-term support (LTS) version of Visual Studio or .NET SDK. + +All security bugs should be reported to the Microsoft Security Response Center (MSRC) at [MSRC's report page](https://aka.ms/opensource/security/create-report). +Also, see the [security policy in the NuGet.Client repo](https://github.com/NuGet/NuGet.Client/blob/dev/SECURITY.md). + +We do not guarantee API stability, as our team's responsibility is tooling, not libraries. +See the [NuGet SDK documentation in the NuGet.Client repo](https://github.com/NuGet/NuGet.Client/blob/dev/docs/nuget-sdk.md) for more information. + +### Package Deprecation + +Out-of-support NuGet Client SDK packages that are not tied to an LTS version of either Visual Studio or .NET will be [deprecated on nuget.org](../nuget-org/Deprecate-packages.md#client-experience-for-deprecated-packages). + +NuGet's package maintenance approach will align with the [.NET Package Maintenance (deprecation)](https://github.com/dotnet/announcements/issues/217) guidance. + ## NuGet.Protocol Install the `NuGet.Protocol` package to interact with HTTP and folder-based NuGet package feeds: @@ -28,6 +62,8 @@ Install the `NuGet.Protocol` package to interact with HTTP and folder-based NuGe dotnet add package NuGet.Protocol ``` +You can find the source code for these examples on the [NuGet.Protocol.Samples](https://github.com/NuGet/Samples/tree/main/NuGetProtocolSamples) project on GitHub. + > [!Tip] > `Repository.Factory` is defined in the `NuGet.Protocol.Core.Types` namespace, and the `GetCoreV3` method is an extension method defined in the `NuGet.Protocol` namespace. Therefore, you will need to add `using` statements for both namespaces. @@ -94,7 +130,7 @@ Create a package, set metadata, and add dependencies using [`NuGet.Packaging`](h > It is strongly recommended that NuGet packages are created using the official NuGet tooling and **not** using this > low-level API. There are a variety of characteristics important for a well-formed package and the latest version of > tooling helps incorporate these best practices. -> +> > For more information about creating NuGet packages, see the overview of the > [package creation workflow](../create-packages/overview-and-workflow.md) and the documentation for official pack > tooling (for example, [using the dotnet CLI](../create-packages/creating-a-package-dotnet-cli.md)). @@ -111,9 +147,9 @@ Read a package from a file stream using [`NuGet.Packaging`](https://www.nuget.or You can find examples and documentation for some of the API in the following blog series by Dave Glick, published 2016: -- [Exploring the NuGet v3 Libraries, Part 1: Introduction and concepts](http://daveaglick.com/posts/exploring-the-nuget-v3-libraries-part-1) -- [Exploring the NuGet v3 Libraries, Part 2: Searching for packages](http://daveaglick.com/posts/exploring-the-nuget-v3-libraries-part-2) -- [Exploring the NuGet v3 Libraries, Part 3: Installing packages](http://daveaglick.com/posts/exploring-the-nuget-v3-libraries-part-3) +* [Exploring the NuGet v3 Libraries, Part 1: Introduction and concepts](http://daveaglick.com/posts/exploring-the-nuget-v3-libraries-part-1) +* [Exploring the NuGet v3 Libraries, Part 2: Searching for packages](http://daveaglick.com/posts/exploring-the-nuget-v3-libraries-part-2) +* [Exploring the NuGet v3 Libraries, Part 3: Installing packages](http://daveaglick.com/posts/exploring-the-nuget-v3-libraries-part-3) > [!Note] > These blog posts were written shortly after the **3.4.3** version of the NuGet client SDK packages were released. @@ -121,4 +157,4 @@ You can find examples and documentation for some of the API in the following blo Martin Björkström did a follow-up blog post to Dave Glick's blog series where he introduces a different approach on using the NuGet Client SDK to install NuGet packages: -- [Revisiting the NuGet v3 Libraries](https://martinbjorkstrom.com/posts/2018-09-19-revisiting-nuget-client-libraries) +* [Revisiting the NuGet v3 Libraries](https://martinbjorkstrom.com/posts/2018-09-19-revisiting-nuget-client-libraries) diff --git a/docs/reference/Signed-Package-Verification-Options.md b/docs/reference/Signed-Package-Verification-Options.md new file mode 100644 index 000000000..e7359b62e --- /dev/null +++ b/docs/reference/Signed-Package-Verification-Options.md @@ -0,0 +1,37 @@ +--- +title: NuGet Signed-Package Verification Options +description: Options for NuGet signed-package verification +author: dtivel +ms.author: dtivel +ms.date: 09/01/2023 +ms.topic: reference +--- + +# NuGet signed-package verification options + +## Retry untrusted root failures + +> [!Note] +> This issue only applies to Windows for root certificates in the [Microsoft Trusted Root Program](https://aka.ms/RootCert). + +During certificate chain building, Windows fetches relevant 3rd party root certificates on first use and adds them as locally trusted root certificates. Internally, Windows initiates this network fetch with an RPC call, and if the system is sufficiently busy, this RPC call may fail. This failure results in the root certificate not being locally trusted. This issue may occur the first time a root certificate is observed, but once the root certificate has been locally trusted, the issue will not recur for that certificate. Typically, chain building will succeed with retries. + +For NuGet users, symptoms of this issue are that the NuGet operation will typically succeed on retry and either of the following: + +* [NU3028](errors-and-warnings/NU3028.md) with a message like "A certification chain processed correctly but terminated in a root certificate that is not trusted by the trust provider." +* [NU3037](errors-and-warnings/NU3037.md) with a message like "The repository primary signature validity period has expired." + +> [!Note] +> This option is available starting from NuGet 6.0.0 and only applies to the Windows-specific failure described above. The option does not apply to any other scenario and has no effect on Linux or macOS. +> +> Before NuGet 6.8.0 and .NET 8 SDK, this option is disabled by default. +> +> Starting with NuGet 6.8.0 and .NET 8 SDK, this option is enabled by default on Windows. The environment variable does not need to be set explicitly unless you want to override the default value of `3,1000` or to opt out. To opt out, set the environment variable with a value of `0`. + +You can enable an experimental, automatic retry for untrusted root failures on Windows by setting an environment variable named `NUGET_EXPERIMENTAL_CHAIN_BUILD_RETRY_POLICY` with a value consisting of 2 comma-delimited positive integers representing retry count and sleep interval in milliseconds, respectively. You should pick values that are sensible for you. + +For example, setting the environment variable to a value of `3,1000` like so: + +
    set NUGET_EXPERIMENTAL_CHAIN_BUILD_RETRY_POLICY=3,1000
    + +...would try up to 4 times (initial try plus 3 retries) with 1 second (1,000 ms) between each try. \ No newline at end of file diff --git a/docs/reference/cli-reference/cli-ref-environment-variables.md b/docs/reference/cli-reference/cli-ref-environment-variables.md index 517901fb9..e0c993671 100644 --- a/docs/reference/cli-reference/cli-ref-environment-variables.md +++ b/docs/reference/cli-reference/cli-ref-environment-variables.md @@ -23,18 +23,19 @@ The list of properties documented in [NuGet pack and restore as MSBuild targets] | EnableNuGetPackageRestore | Flag for if NuGet should implicitly grant consent if that's required by package on restore. | Specified flag is treated as *true* or *1*, any other value treated as flag not set. | | NUGET_CLI_LANGUAGE | Changes nuget.exe output language | Available in 6.5 and higher versions. Supported values are [supported Visual Studio languages](/visualstudio/install/use-command-line-parameters-to-install-visual-studio?view=vs-2022&preserve-view=true#list-of-language-locales) locale names: `zh-cn`, `zh-tw`, `cs-cz`, `en-us`, `es-es`, `fr-fr`, `de-de`, `it-it`, `ja-jp`, `ko-kr`, `pl-pl`, `pt-br`, `ru-ru`, and `tr-tr`. | | NUGET_EXE_NO_PROMPT | Prevents the exe for prompting for credentials. | Any value except null or empty string will be treated as this flag set/true. | +| NUGET_MAX_RETRY_AFTER_DELAY_SECONDS | Maximum duration between retries when HTTP response contains Retry-After header | When NUGET_OBSERVE_RETRY_AFTER is enabled (as it is by default) and an HTTP response contains a Retry-After header, this environment variable sets the maximum duration that will be waited. Note that Retry-After can provide either a duration (delta) or a time stamp (date). If the server returns a time stamp and your machine's clock is out of sync with the server, the calculated duration might be very long (or negative). | | FORCE_NUGET_EXE_INTERACTIVE | Global environment variable to force interactive mode. | Any value except null or empty string will be treated as this flag set/true. | | NUGET_PACKAGES | Path to use for the *global-packages* folder as described on [Managing the global packages and cache folders](../../consume-packages/managing-the-global-packages-and-cache-folders.md). | Specified as absolute path. | | NUGET_FALLBACK_PACKAGES | Global fallback packages folders. | Absolute folder paths separated by semicolon (;). | | NUGET_HTTP_CACHE_PATH | Path to use for the *http-cache* folder as described on [Managing the global packages and cache folders](../../consume-packages/managing-the-global-packages-and-cache-folders.md). | Specified as absolute path. | -| NUGET_PERSIST_DG | Flag indicating if dg files (data collected from MSBuild) should be persisted. | Specified as *true* or *false* (default), if NUGET_PERSIST_DG_PATH not set will be stored to temporary directory (NuGetScratch folder in current environment temp directory). | -| NUGET_PERSIST_DG_PATH | Path to persist dg files. | Specified as absolute path, this option is only used when *NUGET_PERSIST_DG* is set to true. | +| NUGET_OBSERVE_RETRY_AFTER | Opt-out of using HTTP response message Retry-After delay durations | Prior to NuGet 6.5, NuGet would retry all failed requests with the same back-off strategy. Starting with NuGet 6.5, NuGet will by default use the Retry-After delay period provided by the server. Set this environment variable to `false` to ignore the Retry-After response header. Also see NUGET_MAX_RETRY_AFTER_DELAY_SECONDS | | NUGET_RESTORE_MSBUILD_ARGS | Sets additional MSBuild arguments. | Pass arguments identical to how you would pass them to msbuild.exe. An example of setting a project property Foo from the command line to value Bar would be /p:Foo=Bar | +| NUGET_RETRY_HTTP_429 | Change retry behavior on HTTP 429 responses | Prior to NuGet 6.5, NuGet would not retry requests that result in HTTP 429 on 408. The default value is `true`, and this environment variable can be set to `false` to opt-in to older NuGet behaviour (don't retry the request) | | NUGET_RESTORE_MSBUILD_VERBOSITY | Sets the MSBuild log verbosity. | Default is *quiet* ("/v:q"). Possible values *q[uiet]*, *m[inimal]*, *n[ormal]*, *d[etailed]*, and *diag[nostic]*. | | NUGET_SHOW_STACK | Determines whether the full exception (including stack trace) should be displayed to the user. | Specified as *true* or *false* (default). | -| NUGET_UPDATEFILETIME_MAXRETRIES | Sets the number of times NuGet will attempt to set the file timestamp when extracting packages. | On Windows anti-virus software might temporarily open files, preventing NuGet from changing the timestamp. NuGet uses an exponential back-off where the wait duration between attempts is `Math.Pow(2, retryNumber)`. The default max retries is 9, meaning the default total wait duration before failure will be approximately one second. | +| NUGET_UPDATEFILETIME_MAXRETRIES | Sets the number of times NuGet will attempt to retry seting the file timestamp when extracting packages when the first attempt failed. | On Windows anti-virus software might temporarily open files, preventing NuGet from changing the timestamp. NuGet uses an exponential back-off where the wait duration between attempts is `Math.Pow(2, retryNumber)`. The default max retries is 9, meaning the default total wait duration before failure will be approximately one second. | | NUGET_XMLDOC_MODE | Determines how assemblies XML documentation file extraction should be handled. | Supported modes are *skip* (do not extract XML documentation files), *compress* (store XML doc files as a zip archive) or *none* (default, treat XML doc files as regular files). | | NUGET_CERT_REVOCATION_MODE | Determines how the revocation status check of the certificate used to sign a package, is performed when a signed package is installed or restored. When not set, defaults to `online`.| Possible values *online* (default), *offline*. Related to [NU3028](../errors-and-warnings/NU3028.md) | -| NUGET_ENABLE_ENHANCED_HTTP_RETRY | Enables or disables enhanced HTTP retry in NuGet. | Possible values are `true` (default) or `false`. | | NUGET_ENHANCED_MAX_NETWORK_TRY_COUNT | Configures the maximum number of times an HTTP connection should be retried when enhanced retries are enabled. | A number representing how many retries to perform, the default value is `6`. | | NUGET_ENHANCED_NETWORK_RETRY_DELAY_MILLISECONDS | Configures the amount of time to wait in milliseconds before retrying an HTTP connection when enhanced retries are enabled. | Number of millseconds to wait, the default value is `1000`. | + diff --git a/docs/reference/cli-reference/cli-ref-install.md b/docs/reference/cli-reference/cli-ref-install.md index e0b88655b..aa96d43bf 100644 --- a/docs/reference/cli-reference/cli-ref-install.md +++ b/docs/reference/cli-reference/cli-ref-install.md @@ -70,9 +70,9 @@ where `` names the package to install (using the latest version), or Displays help information for the command. -- **`-NoCache`** +- **`-NoHttpCache`** - Prevents NuGet from using cached packages. See [Managing the global packages and cache folders](../../consume-packages/managing-the-global-packages-and-cache-folders.md). + Prevents NuGet from using http cached packages. See [Managing the global packages and cache folders](../../consume-packages/managing-the-global-packages-and-cache-folders.md). - **`-NonInteractive`** diff --git a/docs/reference/cli-reference/cli-ref-mirror.md b/docs/reference/cli-reference/cli-ref-mirror.md index 6ee95cdc0..c1a186192 100644 --- a/docs/reference/cli-reference/cli-ref-mirror.md +++ b/docs/reference/cli-reference/cli-ref-mirror.md @@ -38,9 +38,9 @@ If your target repository is on `https://machine/repo` that's running [NuGet.Ser Displays help information for the command. -- **`-NoCache`** +- **`-NoHttpCache`** - Prevents NuGet from using cached packages. See [Managing the global packages and cache folders](../../consume-packages/managing-the-global-packages-and-cache-folders.md). + Prevents NuGet from using http cached packages. See [Managing the global packages and cache folders](../../consume-packages/managing-the-global-packages-and-cache-folders.md). - **`-Noop`** @@ -67,7 +67,7 @@ Also see [Environment variables](cli-ref-environment-variables.md) ## Examples ```cli -nuget mirror packages.config https://MyRepo/nuget https://MyRepo/api/v2/package -source https://nuget.org/api/v2 -apikey myApiKey -nocache +nuget mirror packages.config https://MyRepo/nuget https://MyRepo/api/v2/package -source https://nuget.org/api/v2 -apikey myApiKey -nohttpcache nuget mirror Microsoft.AspNet.Mvc https://MyRepo/nuget https://MyRepo/api/v2/package -version 4.0.20505.0 diff --git a/docs/reference/cli-reference/cli-ref-pack.md b/docs/reference/cli-reference/cli-ref-pack.md index 6cc246432..c449c491d 100644 --- a/docs/reference/cli-reference/cli-ref-pack.md +++ b/docs/reference/cli-reference/cli-ref-pack.md @@ -14,7 +14,7 @@ ms.topic: reference Creates a NuGet package based on the specified [.nuspec](../nuspec.md) or project file. The `dotnet pack` command (see [dotnet Commands](../dotnet-Commands.md)) and `msbuild -t:pack` (see [MSBuild targets](../msbuild-targets.md)) may be used as alternates. > [!Important] -> Use [`dotnet pack`](../dotnet-Commands.md) or [`msbuild -t:pack`](../msbuild-targets.md) for [PackageReference](../../consume-packages/package-references-in-project-files.md) based projects. +> Use [`dotnet pack`](../dotnet-Commands.md) or [`msbuild -t:pack`](../msbuild-targets.md) for [PackageReference](../../consume-packages/package-references-in-project-files.md) based projects. Starting with NuGet version 6.5+, the pack command will [error](../errors-and-warnings/NU5049.md) when attempting to pack these project types. Earlier versions would attempt to pack, but the generated package may not be correct. > Under Mono, creating a package from a project file is not supported. You also need to adjust non-local paths in the `.nuspec` file to Unix-style paths, as nuget.exe doesn't convert Windows pathnames itself. ## Usage @@ -120,7 +120,7 @@ where `` and `` specify the `.nuspec` or project file, - **`-Tool`** - Specifies that the output files of the project should be placed in the `tool` folder. + Specifies that the output files of the project should be placed in the `tools` folder within the package. - **`-Verbosity [normal|quiet|detailed]`** diff --git a/docs/reference/cli-reference/cli-ref-push.md b/docs/reference/cli-reference/cli-ref-push.md index b51fd897d..cdb3fef24 100644 --- a/docs/reference/cli-reference/cli-ref-push.md +++ b/docs/reference/cli-reference/cli-ref-push.md @@ -28,6 +28,9 @@ where `` identifies the package to push to the server. ## Options +- **`-AllowInsecureConnections`** + Allows pushing to HTTP sources (insecure). For more information, refer to https://aka.ms/nuget-https-everywhere. + - **`-ApiKey`** The API key for the target repository. If not present, the one specified in the config file is used. @@ -66,7 +69,7 @@ where `` identifies the package to push to the server. - **`-SkipDuplicate`** - *(5.1+)* If a package and version already exists, skip it and continue with the next package in the push, if any. + *(5.1+)* If a package and version already exists, skip it and continue with the next package in the push, if any. This option is ignored if the package is being pushed to a UNC or local folder source. - **`-SymbolSource`** diff --git a/docs/reference/cli-reference/cli-ref-restore.md b/docs/reference/cli-reference/cli-ref-restore.md index bf62e4da3..b8c4d556e 100644 --- a/docs/reference/cli-reference/cli-ref-restore.md +++ b/docs/reference/cli-reference/cli-ref-restore.md @@ -73,9 +73,9 @@ where `` specifies the location of a solution or a `packages.config *(3.2+)* Specifies the version of MSBuild to be used with this command. Supported values are 4, 12, 14, 15.1, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9. By default the MSBuild in your path is picked, otherwise it defaults to the highest installed version of MSBuild. -- **`-NoCache`** +- **`-NoHttpCache`** - Prevents NuGet from using cached packages. See [Managing the global packages and cache folders](../../consume-packages/managing-the-global-packages-and-cache-folders.md). + Prevents NuGet from using http cached packages. See [Managing the global packages and cache folders](../../consume-packages/managing-the-global-packages-and-cache-folders.md). - **`-NonInteractive`** diff --git a/docs/reference/cli-reference/cli-ref-setapikey.md b/docs/reference/cli-reference/cli-ref-setapikey.md index 93d1c3734..a594048e8 100644 --- a/docs/reference/cli-reference/cli-ref-setapikey.md +++ b/docs/reference/cli-reference/cli-ref-setapikey.md @@ -9,9 +9,9 @@ ms.topic: reference # setapikey command (NuGet CLI) -**Applies to:** package consumption, publishing • **Supported versions:** all +**Applies to:** publishing • **Supported versions:** all -Saves an API key for a given server URL into `NuGet.Config` so that it doesn't need to be entered for subsequent commands. +Saves an API key for a given server URL into `NuGet.Config` so that it doesn't need to be entered for subsequent push commands. ## Usage @@ -22,8 +22,10 @@ nuget setapikey -Source [options] where `` identifies the server and `` is the key to save. If `` is omitted, nuget.org is assumed. > [!NOTE] -> API key is not used for authenticating with the private feed. Refer to [`nuget sources` command](../cli-reference/cli-ref-sources.md) to manage credentials for authenticating with the source. -> API keys can be obtained from the individual NuGet servers. To create and manage APIKeys for nuget.org refer to [acquire-an-api-key](../../nuget-org/scoped-api-keys.md#acquire-an-api-key) +> API key is not used for authenticating with the private feed. +> Refer to [`nuget sources` command](../cli-reference/cli-ref-sources.md) to manage credentials for authenticating with the source. +> API keys can be obtained from the individual NuGet servers. +> To create and manage APIKeys for nuget.org refer to [acquire-an-api-key](../../nuget-org/scoped-api-keys.md#acquire-an-api-key). ## Options diff --git a/docs/reference/cli-reference/cli-ref-sign.md b/docs/reference/cli-reference/cli-ref-sign.md index 732a71b47..e2fda227a 100644 --- a/docs/reference/cli-reference/cli-ref-sign.md +++ b/docs/reference/cli-reference/cli-ref-sign.md @@ -29,7 +29,14 @@ where `` is one or more `.nupkg` files. - **`-CertificateFingerprint`** - Specifies the SHA-1 fingerprint of the certificate used to search a local certificate store for the certificate. + Specifies the fingerprint to be used to search for the certificate in a local certificate store. + + Starting with NuGet.exe 6.12, this option can be used to specify the SHA-1, SHA-256, SHA-384, or SHA-512 fingerprint of the certificate. + However, a `NU3043` warning is raised when a SHA-1 certificate fingerprint is used because it is no longer considered secure. + In NuGet.exe 7.0 and later versions, the warning is elevated to an error. + Only SHA-2 family fingerprints (SHA-256, SHA-384, and SHA-512) are supported. + + All the previous versions of the NuGet.exe continue to accept only SHA-1 certificate fingerprint. - **`-CertificatePassword`** diff --git a/docs/reference/cli-reference/cli-ref-sources.md b/docs/reference/cli-reference/cli-ref-sources.md index 2e88e0e5b..56935e51b 100644 --- a/docs/reference/cli-reference/cli-ref-sources.md +++ b/docs/reference/cli-reference/cli-ref-sources.md @@ -13,6 +13,9 @@ ms.topic: reference Manages the list of sources located in the user scope configuration file or a specified configuration file. The user scope configuration file is located at `%appdata%\NuGet\NuGet.Config` (Windows) and `~/.nuget/NuGet/NuGet.Config` (Mac/Linux). +> [!NOTE] +> Use package sources that you trust. + Note that the source URL for nuget.org is `https://api.nuget.org/v3/index.json`. ## Usage @@ -53,6 +56,10 @@ where `` is one of *List, Add, Remove, Enable, Disable,* or *Update*, Specifies the password for authenticating with the source. + > [!NOTE] + > Be aware that encrypted passwords are only supported on Windows. + > Moreover, they can only be decrypted on the same machine and by the same user who originally encrypted them. + - **`-src|-Source`** Path to the package(s) source. @@ -61,6 +68,10 @@ where `` is one of *List, Add, Remove, Enable, Disable,* or *Update*, Indicates to store the password in unencrypted text instead of the default behavior of storing an encrypted form. + > [!WARNING] + > Storing passwords in clear text is strongly discouraged. + > For more information on managing credentials securely, refer to the [security best practices for consuming packages from private feeds](../../consume-packages/consuming-packages-authenticated-feeds.md#security-best-practices-for-managing-credentials). + - **`-UserName`** Specifies the user name for authenticating with the source. @@ -69,12 +80,19 @@ where `` is one of *List, Add, Remove, Enable, Disable,* or *Update*, Comma-separated list of valid authentication types for this source. By default, all authentication types are valid. Example: `basic,negotiate`. +- **`-ProtocolVersion`** + + The NuGet server protocol version to be used. + See [NuGet.Config's packageSources documentation](../nuget-config-file.md#packagesources) for more information. + + Available in NuGet command line from version 6.8. + - **`-Verbosity [normal|quiet|detailed]`** Specifies the amount of detail displayed in the output: `normal` (the default), `quiet`, or `detailed`. - -> [!Note] -> Make sure to add the sources' password under the same user context as the nuget.exe is later used to access the package source. The password will be stored encrypted in the config file and can only be decrypted in the same user context as it was encrypted. So for example when you use a build server to restore NuGet packages the password must be encrypted with the same Windows user under which the build server task will run. + +- **`-AllowInsecureConnections`** + Allows HTTP connections for adding or updating packages. Note: This method is not secure. Available starting version 6.12. Also see [Environment variables](cli-ref-environment-variables.md) @@ -88,4 +106,8 @@ nuget sources Disable -Name "MyServer" nuget sources Enable -Name "nuget.org" nuget sources add -name foo.bar -source C:\NuGet\local -username foo -password bar -StorePasswordInClearText -configfile %AppData%\NuGet\my.config + +nuget sources add -name MyAzureDevOpsSource -source "https://pkgs.dev.azure.com/yourorgname/yourprojectname/_packaging/yourfeedname/nuget/v3/index.json" -username ignored -password + +nuget sources Update -Name "nuget.org" -ProtocolVersion 3 ``` diff --git a/docs/reference/cli-reference/cli-ref-spec.md b/docs/reference/cli-reference/cli-ref-spec.md index 04e206701..e519b278b 100644 --- a/docs/reference/cli-reference/cli-ref-spec.md +++ b/docs/reference/cli-reference/cli-ref-spec.md @@ -11,7 +11,7 @@ ms.topic: reference **Applies to:** package creation • **Supported versions:** all -Generates a `.nuspec` file for a new package. If run in the same folder as a project file (`.csproj`, `.vbproj`, `.fsproj`), `spec` creates a tokenized `.nuspec` file. For additional information, see [Creating a Package](../../create-packages/creating-a-package.md). +Generates a `.nuspec` file for a new package. If run in the same folder as a project file (`.csproj`, `.vbproj`, `.fsproj`), `spec` creates a tokenized `.nuspec` file, that defaults to the MIT License. For additional information, see [Creating a Package](../../create-packages/creating-a-package.md). ## Usage diff --git a/docs/reference/cli-reference/cli-ref-trusted-signers.md b/docs/reference/cli-reference/cli-ref-trusted-signers.md index 6b22c814a..20ebfc7f4 100644 --- a/docs/reference/cli-reference/cli-ref-trusted-signers.md +++ b/docs/reference/cli-reference/cli-ref-trusted-signers.md @@ -1,8 +1,8 @@ --- title: NuGet CLI trusted-signers command description: Reference for the nuget.exe trusted-signers command -author: patbel -ms.author: patbel +author: JonDouglas +ms.author: jodou ms.date: 11/12/2018 ms.topic: reference ms.reviewer: rmpablos @@ -38,11 +38,13 @@ Registered trusted signers: Certificate fingerprint(s): SHA256 - 0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D SHA256 - 5A2901D6ADA3D18260B9C6DFE2133C95D74B9EEF6AE0E5DC334C8454D1477DF4 + SHA256 - 1F4B311D9ACC115C8DC8018B5A49E00FCE6DA8E2855F9F014CA6F34570BC482D 2. microsoft [author] Certificate fingerprint(s): SHA256 - 3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE SHA256 - AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27 + SHA256 - 566A31882BE208BE4422F7CFD66ED09F5D4524A5994F50CCC8B05EC0528C1353 3. myUntrustedAuthorSignature [author] Certificate fingerprint(s): diff --git a/docs/reference/cli-reference/cli-ref-verify.md b/docs/reference/cli-reference/cli-ref-verify.md index ab6dda990..def7a7c90 100644 --- a/docs/reference/cli-reference/cli-ref-verify.md +++ b/docs/reference/cli-reference/cli-ref-verify.md @@ -13,6 +13,7 @@ ms.reviewer: rmpablos **Applies to:** package consumption • **Supported versions:** 4.6+ Verifies a package. +Starting with [NuGet 7.0](../../release-notes/NuGet-7.0.md), the package's content hash will also be displayed. Verification of signed packages is not yet supported under Mono. diff --git a/docs/reference/dotnet-Commands.md b/docs/reference/dotnet-Commands.md index 5b7f59b9f..945538842 100644 --- a/docs/reference/dotnet-Commands.md +++ b/docs/reference/dotnet-Commands.md @@ -4,7 +4,7 @@ description: A short reference for NuGet-related commands using the dotnet comma author: JonDouglas ms.author: jodou ms.date: 06/24/2019 -ms.topic: conceptual +ms.topic: article --- # dotnet CLI commands diff --git a/docs/reference/errors-and-warnings/NU1001.md b/docs/reference/errors-and-warnings/NU1001.md index 4b83c50c4..6d93d8643 100644 --- a/docs/reference/errors-and-warnings/NU1001.md +++ b/docs/reference/errors-and-warnings/NU1001.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Error NU1001 -
    The project 'Project' does not specify any target frameworks in 'ProjectFile'
    +> The project 'Project' does not specify any target frameworks in 'ProjectFile' ### Issue The project doesn't contain one or more frameworks. diff --git a/docs/reference/errors-and-warnings/NU1002.md b/docs/reference/errors-and-warnings/NU1002.md index 2b9e538cb..52f618153 100644 --- a/docs/reference/errors-and-warnings/NU1002.md +++ b/docs/reference/errors-and-warnings/NU1002.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Error NU1002 -
    'CLEAR' cannot be used in conjunction with other values
    +> 'CLEAR' cannot be used in conjunction with other values ### Issue Invalid combination of inputs along with a CLEAR keyword. diff --git a/docs/reference/errors-and-warnings/NU1003.md b/docs/reference/errors-and-warnings/NU1003.md index e23fe71e6..1f3802a3b 100644 --- a/docs/reference/errors-and-warnings/NU1003.md +++ b/docs/reference/errors-and-warnings/NU1003.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Error NU1003 -
    PackageTargetFallback and AssetTargetFallback cannot be used together. Remove PackageTargetFallback(deprecated) references from the project environment.
    +> PackageTargetFallback and AssetTargetFallback cannot be used together. Remove PackageTargetFallback(deprecated) references from the project environment. ### Issue `PackageTargetFallback` and `AssetTargetFallback` provide different behavior for selecting assets and cannot be used together. diff --git a/docs/reference/errors-and-warnings/NU1004.md b/docs/reference/errors-and-warnings/NU1004.md index c4350eb5e..bf015e828 100644 --- a/docs/reference/errors-and-warnings/NU1004.md +++ b/docs/reference/errors-and-warnings/NU1004.md @@ -13,8 +13,8 @@ f1_keywords: ## Scenario 1 -
    The project target frameworks are different than the lock file's target frameworks. Lock file target frameworks: net6.0,net5.0. Project target frameworks net6.0.
-The packages lock file is inconsistent with the project dependencies so restore can't be run in locked mode. Disable the RestoreLockedMode MSBuild property or pass an explicit --force-evaluate option to run restore to update the lock file.
    +> The project target frameworks are different than the lock file's target frameworks. Lock file target frameworks: net6.0,net5.0. Project target frameworks net6.0. +The packages lock file is inconsistent with the project dependencies so restore can't be run in locked mode. Disable the RestoreLockedMode MSBuild property or pass an explicit --force-evaluate option to run restore to update the lock file. ### Issue @@ -30,8 +30,8 @@ Consult the recommendations in the error message and do one of the following: ## Scenario 2 -
    The package reference Contoso.Library version has changed from [2.0.0, ) to [1.2.3, ).The packages lock file is inconsistent with the project dependencies so restore can't be run
- in locked mode. Disable the RestoreLockedMode MSBuild property or pass an explicit --force-evaluate option to run restore to update the lock file.
    +> The package reference Contoso.Library version has changed from [2.0.0, ) to [1.2.3, ).The packages lock file is inconsistent with the project dependencies so restore can't be run + in locked mode. Disable the RestoreLockedMode MSBuild property or pass an explicit --force-evaluate option to run restore to update the lock file. ### Issue diff --git a/docs/reference/errors-and-warnings/NU1005.md b/docs/reference/errors-and-warnings/NU1005.md index ac6b4e79d..456d2226d 100644 --- a/docs/reference/errors-and-warnings/NU1005.md +++ b/docs/reference/errors-and-warnings/NU1005.md @@ -13,7 +13,7 @@ f1_keywords: ## Scenario 1 -
    Invalid restore input where RestorePackagesWithLockFile property is set to false but a packages lock file exists at C:\SourceCode\ContosoProject\Contoso.Library\packages.lock.json
    +> Invalid restore input where RestorePackagesWithLockFile property is set to false but a packages lock file exists at C:\SourceCode\ContosoProject\Contoso.Library\packages.lock.json ### Issue @@ -27,7 +27,7 @@ There are 2 opt-in methods the lock file functionality, by setting the RestorePa ## Scenario 2 -
    RestoreForceEvaluate should not be used with RestoreLockedMode in the same command.
    +> RestoreForceEvaluate should not be used with RestoreLockedMode in the same command. ### Issue diff --git a/docs/reference/errors-and-warnings/NU1006.md b/docs/reference/errors-and-warnings/NU1006.md index 5f6094f6c..747177f2a 100644 --- a/docs/reference/errors-and-warnings/NU1006.md +++ b/docs/reference/errors-and-warnings/NU1006.md @@ -11,7 +11,7 @@ f1_keywords: # NuGet Error NU1006 -
    NuGet.Config has an invalid package source value 'C:\PackageSource>\'. Reason: Illegal characters in path.
    +> NuGet.Config has an invalid package source value 'C:\PackageSource>\'. Reason: Illegal characters in path. ### Issue diff --git a/docs/reference/errors-and-warnings/NU1007.md b/docs/reference/errors-and-warnings/NU1007.md index 987d8df27..907ce6836 100644 --- a/docs/reference/errors-and-warnings/NU1007.md +++ b/docs/reference/errors-and-warnings/NU1007.md @@ -11,8 +11,8 @@ f1_keywords: # NuGet Error NU1007 -
    The runtime.json specified in the project 'C:\Program Files\dotnet\sdk\X.Y.Z00\RuntimeIdentifierGraph.json
-' could not be parsed.
    +> The runtime.json specified in the project 'C:\Program Files\dotnet\sdk\X.Y.Z00\RuntimeIdentifierGraph.json +' could not be parsed. ### Issue diff --git a/docs/reference/errors-and-warnings/NU1008.md b/docs/reference/errors-and-warnings/NU1008.md index b8051432e..3be37802d 100644 --- a/docs/reference/errors-and-warnings/NU1008.md +++ b/docs/reference/errors-and-warnings/NU1008.md @@ -11,35 +11,49 @@ f1_keywords: # NuGet Error NU1008 -
    Projects that use central package version management should not define the version on the PackageReference items but on the PackageVersion items: PackageId.
    +> The following PackageReference items cannot define a value for Version: PackageName. Projects using Central Package Management must define a Version value on a PackageVersion item. -### Issue +## Issue -When using central package management, versions must be defined on the PackageVersion item. +A project is configured to use NuGet [Central Package Management](../../consume-packages/Central-Package-Management.md) and a `` item is defined which specifies a value for the `Version` attribute: -In your project file, you may see: +```xml + + + +``` +Alternatively, a `` item is defined with a child `` element that has a value specified: ```xml - - + + + 5.1.0 + + ``` -### Solution +Projects configured to use [Central Package Management](../../consume-packages/Central-Package-Management.md) should not define a version on `` items. +The version should be defined in on a corresponding `` item with the same identifier in [Directory.Packages.props](../../consume-packages/Central-Package-Management.md#enabling-central-package-management) file instead. -- Remove the version from the PackageId PackageReference. -- You may need to add or update the PackageVersion item for PackageId in Directory.Packages.props +## Solution -Example: +- Remove the `Version` attribute or child `` element from the `` item: -```xml - - -``` + ```xml + + + + ``` -```xml - - -``` +- Define a `` item that specifies the version in the [Directory.Packages.props](../../consume-packages/Central-Package-Management.md#enabling-central-package-management) file with the same identifier as the `` item: + + ```xml + + + + ``` + +Alternatively, Central Package Management allows overriding centrally defined package versions. See [Overriding Package Versions](../../consume-packages/Central-Package-Management.md#overriding-package-versions) for more information. > [!NOTE] > Note that metadata such as [IncludeAssets, PrivateAssets etc.](../../consume-packages/Package-References-in-Project-Files.md#controlling-dependency-assets) should remain on the PackageReference item. diff --git a/docs/reference/errors-and-warnings/NU1009.md b/docs/reference/errors-and-warnings/NU1009.md index c7e5e3d81..5c99ac709 100644 --- a/docs/reference/errors-and-warnings/NU1009.md +++ b/docs/reference/errors-and-warnings/NU1009.md @@ -11,13 +11,29 @@ f1_keywords: # NuGet Error NU1009 -
    The packages PackageId are implicitly referenced. You do not typically need to reference them from your project or in your central package versions management file. For more inform
-ation, see https://aka.ms/sdkimplicitrefs
    +> The following PackageReference items are implicitly defined and cannot define a PackageVersion item: PackageName. Projects using Central Package Management require that implicit package versions be specified by the PackageReference item. -### Issue +## Issue -Implicitly defined packages should not be managed centrally. +A project is configured to use NuGet [Central Package Management](../../consume-packages/Central-Package-Management.md) and a `` item is defined in the [Directory.Packages.props](../../consume-packages/Central-Package-Management.md#enabling-central-package-management) file for a package that is [implicitly defined](https://aka.ms/sdkimplicitrefs). +Implicitly defined packages are generally declared by an SDK to include packages on your behalf. +For these packages, the owner of the SDK controls the version being used and a user should not define a version with [Central Package Management](../../consume-packages/Central-Package-Management.md). -### Solution +```xml + + + +``` -Remove the PackageVersion for PackageId \ No newline at end of file +## Solution + +- Remove the `PackageVersion` item from the [Directory.Packages.props](../../consume-packages/Central-Package-Management.md#enabling-central-package-management) file that corresponds to the implicitly defined package: + + ```xml + + + + ``` + +> [!NOTE] +> Some SDKs allow you to override the implicitly defined package version by setting a specific MSBuild property for that package and the SDK may have documentation on how to do so. diff --git a/docs/reference/errors-and-warnings/NU1010.md b/docs/reference/errors-and-warnings/NU1010.md index c6a9e912d..046d4bdfb 100644 --- a/docs/reference/errors-and-warnings/NU1010.md +++ b/docs/reference/errors-and-warnings/NU1010.md @@ -11,12 +11,27 @@ f1_keywords: # NuGet Error NU1010 -
    The PackageReference items PackageId do not have corresponding PackageVersion.
    +> The following PackageReference items do not define a corresponding PackageVersion item: PackageName. Projects using Central Package Management must declare PackageReference and PackageVersion items with matching names -### Issue +## Issue -The PackageReference PackageId is missing a PackageVersion item. +A project is configured to use NuGet [Central Package Management](../../consume-packages/Central-Package-Management.md) and a `` item is defined but a corresponding `` item with the same name is not defined in the [Directory.Packages.props](../../consume-packages/Central-Package-Management.md#enabling-central-package-management) file: -### Solution +```xml + + + +``` -Add a PackageVersion item for PackageId in the [Directory.Packages.props](../../consume-packages/Central-Package-Management.md). +## Solution + +- Define a `` item that specifies the version in the [Directory.Packages.props](../../consume-packages/Central-Package-Management.md#enabling-central-package-management) file with the same identifier as the `` item: + + ```xml + + + + ``` +- If a `` item is properly defined and this error occurs in Visual Studio, check the Error List window for errors related to loading the project or failed [design time builds](https://github.com/dotnet/project-system/blob/main/docs/design-time-builds.md). +If Visual Studio is not able to successfully load the project or a design time build fails, NuGet may log this error because it does not have the required information to restore. +Resolving these underlying issues should fix this error. diff --git a/docs/reference/errors-and-warnings/NU1011.md b/docs/reference/errors-and-warnings/NU1011.md index d9175e129..c093a2ef8 100644 --- a/docs/reference/errors-and-warnings/NU1011.md +++ b/docs/reference/errors-and-warnings/NU1011.md @@ -11,12 +11,41 @@ f1_keywords: # NuGet Error NU1011 -
    Centrally defined floating package versions are not allowed.
    +> The following PackageVersion items cannot specify a floating version: PackageName. -### Issue +## Issue -PackageVersion items cannot contain floating versions. +A project is configured to use NuGet [Central Package Management](../../consume-packages/Central-Package-Management.md) and a `` item is defined which specifies a [floating version](../../concepts/Package-Versioning.md#version-ranges) value for the `Version` attribute: -### Solution +```xml + + + +``` +By default, `` items cannot specify floating versions. +NuGet's [Central Package Management](../../consume-packages/Central-Package-Management.md) provides users the ability to manage package versions in a single location as well as deterministic and secure restores. +The use of floating versions introduces the possibility for a bad package to be introduced into your build after it has been pushed to a feed. +This can lead to a situation where you made no changes in your repository but suddenly something is broken due to a problem in a new package and there is no way for you to get back into a good state without removing the floating version or pushing a newer version of the package which is fixed. +Using non-floating versions means that every upgrade to a package is backed by a commit in your repository, making it easy to determine what change caused the break and allows you to revert a commit to get back into a good state. -Change the floating version to a [non floating version range](../../concepts/Package-Versioning.md#version-ranges). +Also, when using the [transitive pinning](../../consume-packages/Central-Package-Management.md#transitive-pinning) feature of [Central Package Management](../../consume-packages/Central-Package-Management.md), using a floating version as an override could make restores of different projects end up with different versions for the package that what is supposed to be pinned, thus going against the promise of using the centrally defined version. + +NuGet recommends you use automation like [Dependabot](https://docs.github.com/code-security/dependabot/working-with-dependabot) to keep package versions up-to-date which provides +a streamlined way of updating package versions while integrating into your existing developer workflow of a pull request, automated build validation, and testing all backed by a commit in your repository. + +## Solution + +- It is recommended to change the floating version to a [non floating version range](../../concepts/Package-Versioning.md#version-ranges): +```xml + + + +``` + +- If that is not possible, or you wish to use floating versions with Central Package Management, you can do so by setting an MSBuild property: + +```xml + + true + +``` diff --git a/docs/reference/errors-and-warnings/NU1012.md b/docs/reference/errors-and-warnings/NU1012.md index 111fc520f..4d935401d 100644 --- a/docs/reference/errors-and-warnings/NU1012.md +++ b/docs/reference/errors-and-warnings/NU1012.md @@ -13,7 +13,7 @@ f1_keywords: ## Scenario 1 -Platform version is not present for one or more target frameworks, even though they have specified a platform: net6.0-android. +> Platform version is not present for one or more target frameworks, even though they have specified a platform: net6.0-android. ### Issue @@ -26,7 +26,7 @@ You have specified a target framework with a platform in your project file but t ## Scenario 2 -
    Some dependency group TFMs are missing a platform version: net6.0-android
    +> Some dependency group TFMs are missing a platform version: net6.0-android ### Issue @@ -35,4 +35,21 @@ When creating a package for a framework with a platform such as `android`, you n ### Solution Specify the platform version in your nuspec. -If you are using the pack targets, the platform version will be automatically inferred. \ No newline at end of file + +Example: `` + +If you are using the pack targets, the platform version will be automatically inferred. + +## Scenario 3 + +Some included files are included under TFMs which are missing a platform version: lib/net6.0-android/Foo.dll, build/net9.0-windows/Foo.props + +### Issue + +Some of the files being packaged according to the NuGet packaging conventions have framework parts that are missing a platform version. + +### Solution + +Specify the platform version in your nuspec or in the pack extensibility targets in your project file. + +Example: `lib/net6.0-android32.0/Foo.dll`, `build/net9.0-windows10.0.19041/Foo.props` diff --git a/docs/reference/errors-and-warnings/NU1013.md b/docs/reference/errors-and-warnings/NU1013.md new file mode 100644 index 000000000..d86b15dd9 --- /dev/null +++ b/docs/reference/errors-and-warnings/NU1013.md @@ -0,0 +1,38 @@ +--- +title: NuGet Error NU1013 +description: NU1013 error code +author: jeffkl +ms.author: jeffkl +ms.date: 03/24/2025 +ms.topic: reference +f1_keywords: + - "NU1013" +--- + +# NuGet Error NU1013 + +> The following PackageReference items cannot specify a value for VersionOverride: PackageName. Projects using Central Package Management are currently configured to disable this functionality. + +### Issue + +A project is configured to use NuGet [Central Package Management](../../consume-packages/Central-Package-Management.md) and a `` item is defined which specifies a value for the `VersionOverride` attribute but this functionality has been disabled: + +```xml + + false + + + + +``` + +### Solution +- Remove the `VersionOverride` attribute from the `` item: + +```xml + + + +``` + +- You can configure [Central Package Management](../../consume-packages/Central-Package-Management.md) to allow or disallow `VersionOverride` with the MSBuild property `CentralPackageVersionOverrideEnabled`. See [Overriding Package Versions](../../consume-packages/Central-Package-Management.md#overriding-package-versions) for more information. diff --git a/docs/reference/errors-and-warnings/NU1014.md b/docs/reference/errors-and-warnings/NU1014.md new file mode 100644 index 000000000..f4f601b8d --- /dev/null +++ b/docs/reference/errors-and-warnings/NU1014.md @@ -0,0 +1,33 @@ +--- +title: NuGet Error NU1014 +description: NU1014 error code +author: zivkan +ms.author: zivkan +ms.date: 11/01/2023 +ms.topic: reference +f1_keywords: + - "NU1014" +--- + +# NuGet Error NU1014 + +## Scenario + +> Invalid NuGetAudit value 'sample'. Valid values: true, false. + +> Invalid NuGetAuditLevel value 'sample';. Valid values: low, moderate, high, critical. + +> Invalid NuGetAuditMode value 'sample'. Valid values: direct, all. + +### Issue + +Your project file, or a file it imports (for example `Directory.Build.props`) has defined the MSBuild property shown in the error message (either `NuGetAudit`, `NuGetAuditLevel`, or `NuGetAuditMode`) to an invalid value. + +### Solution + +- Remove the definition of the MSBuild property to use NuGet's default. +- Change the value of the MSBuild property to a value that the error lists as valid. + +For example, if one of your MSBuild files currently has `sample`, either delete the line, or change it to `low`. + +To find where the property is being defined, you can use [MSBuild's `-preprocess` command line argument](/visualstudio/msbuild/msbuild-command-line-reference). Also see [MSBuild's example on the page for customizing the build](/visualstudio/msbuild/customize-by-directory#example). diff --git a/docs/reference/errors-and-warnings/NU1015.md b/docs/reference/errors-and-warnings/NU1015.md new file mode 100644 index 000000000..e109d8636 --- /dev/null +++ b/docs/reference/errors-and-warnings/NU1015.md @@ -0,0 +1,34 @@ +--- +title: NuGet Error NU1015 +description: NU1015 error code +author: zivkan +ms.author: zivkan +ms.date: 06/04/2025 +ms.topic: reference +f1_keywords: + - "NU1015" +--- + +# NuGet Error NU1015 + +## Scenario + +> The following PackageReference item(s) do not have a version specified: Contoso.Utilities + +### Issue + +Your project file, or a file it imports (for example `Directory.Build.props`) has defined a `PackageReference` without a version. + +Projects using [Central Package Management (CPM)](../../consume-packages/Central-Package-Management.md) do not define a version on the PackageReference item, so this error could happen if a project has CPM disabled by accident, or if a project or `PackageReference` using CPM is copied into another solution that is not using CPM. + +### Solution + +- Add a version to the package reference + +If you edit your project, a package reference will generally look similar to ``, although [MSBuild allows multiple syntaxes to define item metadata](/visualstudio/msbuild/msbuild-items). +Add the `Version="1.2.3"` item metadata as defined. + +- Check Central Package Management configuration + +This NU1015 error only happens when CPM is disabled. +If Central Package Management (CPM) is intended to be enabled, check your configuration files to investigate why it is disabled. diff --git a/docs/reference/errors-and-warnings/NU1016.md b/docs/reference/errors-and-warnings/NU1016.md new file mode 100644 index 000000000..f8f297de7 --- /dev/null +++ b/docs/reference/errors-and-warnings/NU1016.md @@ -0,0 +1,38 @@ +--- +title: NuGet Error NU1016 +description: NU1016 error code +author: donnie-msft +ms.author: eagoodso +ms.date: 01/28/2025 +ms.topic: reference +f1_keywords: + - "NU1016" +--- + +# NuGet Error NU1016 + +> Managing packages with project.json is deprecated. Migrate to PackageReference. + +### Issue + +Managing packages with project.json is deprecated. Migrate to PackageReference. + +### Solution + +[Migrate your project from project.json to PackageReference](../../archive/project-json.md#migrate-projectjson-to-packagereference). + +**Visual Studio 2026 or later:** + +Your project.json project will be automatically migrated to PackageReference when you open the solution. Visual Studio will create a backup of the original files in a `Backup` folder in the project directory. + +**Visual Studio 2022:** + +You need to use the built-in migrator: + +1. Open your project.json project in Visual Studio +1. In Solution Explorer, find the project's Dependencies node +1. Right-click and select **Migrate project.json to PackageReference...** + +For detailed migration guidance, see the [project.json reference documentation](../../archive/project-json.md). + +For more information about package management formats, see [Package references in project files](../../consume-packages/Package-References-in-Project-Files.md). diff --git a/docs/reference/errors-and-warnings/NU1017.md b/docs/reference/errors-and-warnings/NU1017.md new file mode 100644 index 000000000..2e68f8e0b --- /dev/null +++ b/docs/reference/errors-and-warnings/NU1017.md @@ -0,0 +1,51 @@ +--- +title: NuGet Error NU1017 +description: NU1017 error code +author: Nigusu-Allehu +ms.author: Nigusu-Allehu +ms.date: 09/23/2025 +ms.topic: reference +f1_keywords: + - "NU1017" +--- + +# NuGet Error NU1017 + +## Scenario + +> Invalid package id : `contoso../id`. + +### Issue + +The package ID is invalid because it does not match the required format. +NuGet validates package IDs using this regex: + +```regex +^\w+([.-]\w+)*$ +``` + +* The ID must **start with a letter or number**. +* It can only contain **letters, numbers, dots (`.`), and dashes (`-`)**. +* Dots or dashes must be followed by more letters or numbers. +* You can have multiple parts separated by `.` or `-`, like `Contoso.App.Service`. + +### Solution + +To fix this error: + +* Replace or remove any invalid characters from the package ID. Only letters, numbers, dots (`.`), and dashes (`-`) are allowed. +* Ensure the package ID starts with a letter or number. +* Dots (`.`) or dashes (`-`) must always be followed by another letter or number (no consecutive dots/dashes, and none at the end). +* For example, change `contoso../id` to `Contoso.Id`. + +Valid: + +```xml + +``` + +Invalid: + +```xml + +``` diff --git a/docs/reference/errors-and-warnings/NU1100.md b/docs/reference/errors-and-warnings/NU1100.md index 6e883c627..b24fb6bd4 100644 --- a/docs/reference/errors-and-warnings/NU1100.md +++ b/docs/reference/errors-and-warnings/NU1100.md @@ -14,7 +14,7 @@ f1_keywords: ## Scenario 1 -
    Unable to resolve 'Dependency (>= 1.0.0)' for 'TargetFramework'
    +> Unable to resolve 'Dependency (>= 1.0.0)' for 'TargetFramework' ### Issue @@ -36,7 +36,7 @@ Alternatively, you can create a configuration file using [`dotnet new nugetconfi ## Scenario 2 -
     Unable to resolve 'Dependency (>= 1.0.0)' for 'TargetFramework'.  PackageSourceMapping is enabled, the following source(s) were not considered: nuget.
    +> Unable to resolve 'Dependency (>= 1.0.0)' for 'TargetFramework'. PackageSourceMapping is enabled, the following source(s) were not considered: nuget. ### Issue diff --git a/docs/reference/errors-and-warnings/NU1101.md b/docs/reference/errors-and-warnings/NU1101.md index 30e68ea8b..d94f69103 100644 --- a/docs/reference/errors-and-warnings/NU1101.md +++ b/docs/reference/errors-and-warnings/NU1101.md @@ -14,7 +14,7 @@ f1_keywords: ## Scenario 1 -
    Unable to find package 'PackageId'. No packages exist with this id in source(s): sourceA, sourceB, sourceC
    +> Unable to find package 'PackageId'. No packages exist with this id in source(s): sourceA, sourceB, sourceC ### Issue The package cannot be found on any sources. @@ -24,8 +24,8 @@ Examine the project's dependencies in Visual Studio to be sure you're using the ## Scenario 2 -
    Unable to find package 'PackageId'. No packages exist with this id in source(s): sourceA PackageSourceMapping is enabled, the following source(s) were not considered: sourceB, sourceC.
-
    +> Unable to find package 'PackageId'. No packages exist with this id in source(s): sourceA PackageSourceMapping is enabled, the following source(s) were not considered: sourceB, sourceC. + ### Issue The package cannot be found on any of the PackageSourceMapping configured sources. diff --git a/docs/reference/errors-and-warnings/NU1102.md b/docs/reference/errors-and-warnings/NU1102.md index ef3561d9c..670b3bc97 100644 --- a/docs/reference/errors-and-warnings/NU1102.md +++ b/docs/reference/errors-and-warnings/NU1102.md @@ -14,7 +14,7 @@ f1_keywords: ## Scenario 1 -
    Unable to find package 'PackageId' with version (>= 9.0.1)
      - Found 30 version(s) in 'sourceA' [ Nearest version: '4.0.0' ]
      - Found 10 version(s) in 'sourceB' [ Nearest version: '4.0.0-rc-2129' ]
      - Found 9 version(s) in 'sourceC' [ Nearest version: '3.0.0-beta-00032' ]
      - Found 0 version(s) in 'sourceD'
      - Found 0 version(s) in 'sourceE'
    +> Unable to find package 'PackageId' with version (>= 9.0.1)
    - Found 30 version(s) in 'sourceA' [ Nearest version: '4.0.0' ]
    - Found 10 version(s) in 'sourceB' [ Nearest version: '4.0.0-rc-2129' ]
    - Found 9 version(s) in 'sourceC' [ Nearest version: '3.0.0-beta-00032' ]
    - Found 0 version(s) in 'sourceD'
    - Found 0 version(s) in 'sourceE' ### Issue The package identifier is found but a version within the specified dependency range cannot be found on any of the sources. The range might be specified by a package and not the user. @@ -24,8 +24,8 @@ Edit the project file to correct the package version. Also check that the [NuGet ## Scenario 2 -
    Unable to find package 'PackageId' with version (>= 9.0.1)
      - Found 30 version(s) in 'sourceA' [ Nearest version: '4.0.0' ]
      - Versions from sourceB were not considered
-
    +> Unable to find package 'PackageId' with version (>= 9.0.1)
    - Found 30 version(s) in 'sourceA' [ Nearest version: '4.0.0' ]
    - Versions from sourceB were not considered + ### Issue The package identifier is found but a version within the specified dependency range cannot be found on any of the sources. The range might be specified by a package and not the user. diff --git a/docs/reference/errors-and-warnings/NU1103.md b/docs/reference/errors-and-warnings/NU1103.md index 838d11f45..c34bc4864 100644 --- a/docs/reference/errors-and-warnings/NU1103.md +++ b/docs/reference/errors-and-warnings/NU1103.md @@ -14,7 +14,7 @@ f1_keywords: ## Scenario 1 -
    Unable to find a stable package 'PackageId' with version (>= 3.0.0)
      - Found 10 version(s) in 'sourceA' [ Nearest version: '4.0.0-rc-2129' ]
      - Found 9 version(s) in 'sourceB' [ Nearest version: '3.0.0-beta-00032' ]
      - Found 0 version(s) in 'sourceC'
      - Found 0 version(s) in 'sourceD'
    +> Unable to find a stable package 'PackageId' with version (>= 3.0.0)
    - Found 10 version(s) in 'sourceA' [ Nearest version: '4.0.0-rc-2129' ]
    - Found 9 version(s) in 'sourceB' [ Nearest version: '3.0.0-beta-00032' ]
    - Found 0 version(s) in 'sourceC'
    - Found 0 version(s) in 'sourceD' ### Issue The project specified a stable version for the dependency range, but no stable versions were found in that range. Pre-release versions were found but are not allowed. @@ -24,7 +24,7 @@ Edit the version range in the project file to include pre-release versions. See ## Scenario 2 -
    Unable to find a stable package 'PackageId' with version (>= 3.0.0)
      - Found 10 version(s) in 'sourceA' [ Nearest version: '4.0.0-rc-2129' ]
      - Versions from sourceB were not considered
    +> Unable to find a stable package 'PackageId' with version (>= 3.0.0)
    - Found 10 version(s) in 'sourceA' [ Nearest version: '4.0.0-rc-2129' ]
    - Versions from sourceB were not considered ### Issue The project specified a stable version for the dependency range, but no stable versions were found in that range. Pre-release versions were found but are not allowed. diff --git a/docs/reference/errors-and-warnings/NU1104.md b/docs/reference/errors-and-warnings/NU1104.md index 6d5da8854..1ad9f91bf 100644 --- a/docs/reference/errors-and-warnings/NU1104.md +++ b/docs/reference/errors-and-warnings/NU1104.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Error NU1104 -
    Project reference does not exist 'ProjectFile'. Check that the project reference is valid and that the project file exists.
    +> Project reference does not exist 'ProjectFile'. Check that the project reference is valid and that the project file exists. ### Issue A ProjectReference points to a file that doesn't exist. diff --git a/docs/reference/errors-and-warnings/NU1105.md b/docs/reference/errors-and-warnings/NU1105.md index 10828c853..3d6d26856 100644 --- a/docs/reference/errors-and-warnings/NU1105.md +++ b/docs/reference/errors-and-warnings/NU1105.md @@ -12,7 +12,9 @@ f1_keywords: # NuGet Error NU1105 -
    Unable to read project information for 'ProjectFile'. The project file may be invalid or missing targets required for restore.
    +## Scenario 1 + +> Unable to read project information for 'ProjectFile'. The project file may be invalid or missing targets required for restore. ### Issue The project file exists but no restore information was provided for it. Ensure you are [opening a project with the new project system or the legacy project system](https://github.com/dotnet/project-system/blob/main/docs/opening-with-new-project-system.md#opening-with-the-new-project-system). @@ -23,7 +25,7 @@ The project file exists but no restore information was provided for it. Ensure y From the command line this could mean that the file is corrupt or that the `NuGet.targets` are not imported. To import the `NuGet.targets`, usually it's recommended to import the `Microsoft.Common.targets`. -To restore projects in solution using [.NET Core CLI](../../consume-packages/install-use-packages-dotnet-cli.md) use: +To restore projects in solution using [.NET CLI](../../consume-packages/install-use-packages-dotnet-cli.md) use: ```dotnetcli dotnet restore MySolution.sln ``` @@ -36,3 +38,16 @@ The error could also mean that the project is unloaded. * If you are using Visual Studio 2019 or later, NuGet has the ability to re-use artifacts from the previous restore for unloaded projects. In order for this scenario to work, you need to ensure that all projects currently in the solution have been restored from the command line prior to loading them in Visual Studio. * Alternatively, reload the project. + +## Scenario 2 + +> Invalid target framework 'net.6.0' + +### Issue +The project file exists but specifies an invalid target framework: `'net.6.0'`. +This can occur due to a typo or use of an unsupported format. + +### Solution + +Update the project file to use a valid target framework. In this case, replace `'net.6.0'` with `'net6.0'` (without the extra dot). +For a full list of supported frameworks and their correct formats, refer to the [.NET Target Frameworks](/dotnet/standard/frameworks) documentation. diff --git a/docs/reference/errors-and-warnings/NU1106.md b/docs/reference/errors-and-warnings/NU1106.md index 081219020..892b43262 100644 --- a/docs/reference/errors-and-warnings/NU1106.md +++ b/docs/reference/errors-and-warnings/NU1106.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Error NU1106 -
    Unable to satisfy conflicting requests for 'PackageId': 'Conflict path' Framework: 'Target graph'
    +> Unable to satisfy conflicting requests for 'PackageId': 'Conflict path' Framework: 'Target graph' ### Issue Dependency constraints cannot be resolved. diff --git a/docs/reference/errors-and-warnings/NU1107.md b/docs/reference/errors-and-warnings/NU1107.md index 9888cbd4c..b9f3dbaef 100644 --- a/docs/reference/errors-and-warnings/NU1107.md +++ b/docs/reference/errors-and-warnings/NU1107.md @@ -13,7 +13,7 @@ f1_keywords: # NuGet Error NU1107 -
    Version conflict detected for 'PackageA'. Install/reference 'PackageA' v4.0.0 directly to resolve this issue.
      'PackageB' 3.5.0 -> 'PackageA' (= 3.5.0)
      'PackageC' 4.0.0 -> 'PackageA' (= 4.0.0)
    +> Version conflict detected for 'PackageA'. Install/reference 'PackageA' v4.0.0 directly to resolve this issue.
    'PackageB' 3.5.0 -> 'PackageA' (= 3.5.0)
    'PackageC' 4.0.0 -> 'PackageA' (= 4.0.0) ### Issue Unable to resolve dependency constraints between packages. Two different packages are asking for two different versions of 'PackageA'. The project needs to choose which version of 'PackageA' to use. @@ -29,5 +29,7 @@ To install a specific version, see the information for the tool that you're usin - [nuget.exe CLI](../../consume-packages/install-use-packages-nuget-cli.md#install-a-specific-version-of-a-package) - [Package Manager Console](../ps-reference/ps-ref-install-package.md) +[!INCLUDE [nugetsolver-tool](../../includes/nugetsolver-tool.md)] + ### Note Early versions of Visual Studio 2017 may have reported this as a warning (NU1607). diff --git a/docs/reference/errors-and-warnings/NU1108.md b/docs/reference/errors-and-warnings/NU1108.md index b5eb9c862..965b6dd63 100644 --- a/docs/reference/errors-and-warnings/NU1108.md +++ b/docs/reference/errors-and-warnings/NU1108.md @@ -13,7 +13,7 @@ f1_keywords: # NuGet Error NU1108 -
    Cycle detected: A -> B -> A
    +> Cycle detected: A -> B -> A ### Issue A circular dependency was detected. diff --git a/docs/reference/errors-and-warnings/NU1109.md b/docs/reference/errors-and-warnings/NU1109.md index 1249e90d2..c9efb8464 100644 --- a/docs/reference/errors-and-warnings/NU1109.md +++ b/docs/reference/errors-and-warnings/NU1109.md @@ -11,15 +11,37 @@ f1_keywords: # NuGet Error NU1109 -
    NU1109: Detected package downgrade: B from 2.0.0 to centrally defined 1.0.0. Update the centrally managed package version to a higher version.
    -'Project' -> 'A' 1.0.0 -> 'B' (>= 2.0.0)
    -'Project' -> 'B' (>= 1.0.0) +> NU1109: Detected package downgrade: PackageB from 2.0.0 to centrally defined 1.0.0. Update the centrally managed package version to a higher version.
    +>   'Project' -> 'PackageA' 1.0.0 -> 'PackageB' (>= 2.0.0)
    +>   'Project' -> 'PackageB' (>= 1.0.0) -### Issue +## Issue -A dependency package specified a version constraint on a higher version of a package than restore ultimately resolved. That is because of the [direct-dependency-wins](../../concepts/dependency-resolution.md#direct-dependency-wins) rule - when resolving packages, the direct package version in the subgraph will override that of the distant packages with the same ID. +A project is configured to use NuGet [Central Package Management](../../consume-packages/Central-Package-Management.md) and a transitive package dependency is pinned to a version lower than is specified by the dependency package. +When resolving packages, NuGet respects the [direct-dependency-wins](../../concepts/dependency-resolution.md#direct-dependency-wins) rule and the pinned package version overrides the version specified by the dependency package which results in a lower version of the package being resolved which could result in issues at runtime. -### Solution +```xml + + true + + + + + +``` -Update the PackageVersion of B to to the higher version of the package. -In the example above, you would change the package reference to `B` 2.0.0. +## Solution +- Update the `PackageVersion` of `PackageB` to the higher version of the package. + +```xml + + + +``` + +- Disable Central Package Management transitive pinning to allow the package version specified by the dependency package to be used. +```xml + + false + +``` diff --git a/docs/reference/errors-and-warnings/NU1110.md b/docs/reference/errors-and-warnings/NU1110.md new file mode 100644 index 000000000..1a7c6aa58 --- /dev/null +++ b/docs/reference/errors-and-warnings/NU1110.md @@ -0,0 +1,35 @@ +--- +title: NuGet Error NU1110 +description: NU1110 error code +author: donnie-msft +ms.author: eagoodso +ms.date: 10/27/2023 +ms.topic: reference +f1_keywords: + - "NU1110" +--- + +# NuGet Error NU1110 + +> NU1110: The package `B` is available in the Global packages folder, but the source it came from `https://api.nuget.org/v3/index.json` is not one of the configured sources. + +### Issue + +A previous restore retrieved package `B` from a package source which your current solution does not have configured. + +While performing a package installation of package `A`, a dependent package `B` was needed transitively to complete the action. Restore found `B` in your [Global packages folder](../../consume-packages/managing-the-global-packages-and-cache-folders.md)), and the accompanying `nupkg.metadata` indicates a `Source` value which it cannot find in your solution. + +When [package source mapping](../../consume-packages/Package-Source-Mapping.md) is enabled, NuGet attempts to map transitive dependencies automatically by analyzing the source in the Global packages folder. + +### Solution + +#### Option 1. +Create a package source mapping for package `B`. + +#### Option 2. +Clear package `B` from your Global packages folder so that restore can download from one of your configured packages sources. For more information, see [Managing the global packages, cache, and temp folders](../../consume-packages/managing-the-global-packages-and-cache-folders.md). + +If your other solutions have different package sources and package source mapping configurations, this option may not be feasible. + +#### Option 3. +Consider enabling a package source which you know has package `B` available. \ No newline at end of file diff --git a/docs/reference/errors-and-warnings/NU1201.md b/docs/reference/errors-and-warnings/NU1201.md index 6fd890c0b..0a2ad3ddd 100644 --- a/docs/reference/errors-and-warnings/NU1201.md +++ b/docs/reference/errors-and-warnings/NU1201.md @@ -13,7 +13,7 @@ f1_keywords: # NuGet Error NU1201 ### Example 1 -
    Project 'ProjectA' is not compatible with 'TargetFramework'. Project 'ProjectA' supports:
      - 'TargetFrameworkA'
      - 'TargetFrameworkB'
    +> Project 'ProjectA' is not compatible with 'TargetFramework'. Project 'ProjectA' supports:
    - 'TargetFrameworkA'
    - 'TargetFrameworkB' ### Issue A dependency project doesn't contain a framework compatible with the current project. Typically, the project's target framework is a higher version than the consuming project. @@ -22,7 +22,7 @@ A dependency project doesn't contain a framework compatible with the current pro Change the project's target framework to an equal or lower version than the consuming project. ### Example 2 - NetStandard targetted projects cannot reference NetCoreApp targetted projects -
    Project 'ProjectB' is not compatible with netstandard2.0 (.NETStandard,Version=v2.0). Project 'ProjectB' supports: netcoreapp2.0 (.NETCoreApp,Version=v2.0)
    +> Project 'ProjectB' is not compatible with netstandard2.0 (.NETStandard,Version=v2.0). Project 'ProjectB' supports: netcoreapp2.0 (.NETCoreApp,Version=v2.0) ### Issue In this case: diff --git a/docs/reference/errors-and-warnings/NU1202.md b/docs/reference/errors-and-warnings/NU1202.md index 512cc5b50..86e50f8fb 100644 --- a/docs/reference/errors-and-warnings/NU1202.md +++ b/docs/reference/errors-and-warnings/NU1202.md @@ -12,10 +12,12 @@ f1_keywords: # NuGet Error NU1202 -
    Package 'PackageId' 4.0.11 is not compatible with 'TargetFramework'. Package 'PackageId' 4.0.11 supports:
      - 'TargetFrameworkA'
      - 'TargetFrameworkB'
      - 'TargetFrameworkC'
    +> Package 'PackageId' 4.0.11 is not compatible with 'TargetFramework'. Package 'PackageId' 4.0.11 supports:
    - 'TargetFrameworkA'
    - 'TargetFrameworkB'
    - 'TargetFrameworkC' ### Issue A dependency package doesn't contain any assets compatible with the project. ### Solution -Change the project's target framework to one that the package supports. \ No newline at end of file +Change the project's target framework to one that the package supports. + +[!INCLUDE [nugetsolver-tool](../../includes/nugetsolver-tool.md)] \ No newline at end of file diff --git a/docs/reference/errors-and-warnings/NU1203.md b/docs/reference/errors-and-warnings/NU1203.md index cf387a274..3d0e33e26 100644 --- a/docs/reference/errors-and-warnings/NU1203.md +++ b/docs/reference/errors-and-warnings/NU1203.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Error NU1203 -
    'PackageId' 1.0.0 provides a compile-time reference assembly for 'Foo.dll' on 'TargetFramework', but there is no compatible run-time assembly.
    +> 'PackageId' 1.0.0 provides a compile-time reference assembly for 'Foo.dll' on 'TargetFramework', but there is no compatible run-time assembly. ### Issue The package doesn't support the project's `RuntimeIdentifier`. diff --git a/docs/reference/errors-and-warnings/NU1204.md b/docs/reference/errors-and-warnings/NU1204.md index bcfc268dd..ef386ec01 100644 --- a/docs/reference/errors-and-warnings/NU1204.md +++ b/docs/reference/errors-and-warnings/NU1204.md @@ -10,7 +10,7 @@ f1_keywords: # NuGet Warning NU1204 -
    Invalid tools package Contoso.Tool 1.0.0. Tools packages cannot contain more than one PackageType.
    +> Invalid tools package Contoso.Tool 1.0.0. Tools packages cannot contain more than one PackageType. ### Issue diff --git a/docs/reference/errors-and-warnings/NU1211.md b/docs/reference/errors-and-warnings/NU1211.md index 186124a36..c0cf3e3ea 100644 --- a/docs/reference/errors-and-warnings/NU1211.md +++ b/docs/reference/errors-and-warnings/NU1211.md @@ -10,7 +10,7 @@ f1_keywords: # NuGet Warning NU1211 -
    Project `DotnelToolReferenceProject.csproj` must have a single package reference(s).
    +> Project `DotnelToolReferenceProject.csproj` must have a single package reference(s). ### Issue diff --git a/docs/reference/errors-and-warnings/NU1212.md b/docs/reference/errors-and-warnings/NU1212.md index d383effdf..5a2d7b395 100644 --- a/docs/reference/errors-and-warnings/NU1212.md +++ b/docs/reference/errors-and-warnings/NU1212.md @@ -12,7 +12,7 @@ f1_keywords: ## Scenario 1 -
    Invalid project-package combination for Contoso.Library 1.0.0. DotnetToolReference project style can only contain references of the DotnetTool type
    +> Invalid project-package combination for Contoso.Library 1.0.0. DotnetToolReference project style can only contain references of the DotnetTool type ### Issue @@ -26,7 +26,7 @@ Use a different package that's of the `DotnetTool` type. ## Scenario 2 -
    Invalid project-package combination for Contoso.Library 1.0.0. DotnetToolReference project style can only contain references of the DotnetTool type
    +> Invalid project-package combination for Contoso.Library 1.0.0. DotnetToolReference project style can only contain references of the DotnetTool type ### Issue diff --git a/docs/reference/errors-and-warnings/NU1213.md b/docs/reference/errors-and-warnings/NU1213.md index 51881485a..2b2eb288c 100644 --- a/docs/reference/errors-and-warnings/NU1213.md +++ b/docs/reference/errors-and-warnings/NU1213.md @@ -10,7 +10,7 @@ f1_keywords: # NuGet Warning NU1213 -
    The package Contoso.Platform 1.0.0 has a package type DotnetPlatform that is incompatible with this project.
    +> The package Contoso.Platform 1.0.0 has a package type DotnetPlatform that is incompatible with this project. ### Issue diff --git a/docs/reference/errors-and-warnings/NU1301.md b/docs/reference/errors-and-warnings/NU1301.md index 910c0c794..60aa3e8c5 100644 --- a/docs/reference/errors-and-warnings/NU1301.md +++ b/docs/reference/errors-and-warnings/NU1301.md @@ -10,7 +10,7 @@ f1_keywords: # NuGet Error NU1301 -
    The local source 'C:\Code\Contoso\contosoLocalSource' doesn't exist.
    +> The local source 'C:\Code\Contoso\contosoLocalSource' doesn't exist. ### Issue diff --git a/docs/reference/errors-and-warnings/NU1302.md b/docs/reference/errors-and-warnings/NU1302.md new file mode 100644 index 000000000..2dd3803d8 --- /dev/null +++ b/docs/reference/errors-and-warnings/NU1302.md @@ -0,0 +1,88 @@ +--- +title: NuGet Error NU1302 +description: NU2302 Error code +author: Nigusu-Allehu +ms.date: 07/25/2024 +ms.topic: reference +f1_keywords: + - "NU1302" +--- + +# NuGet Error NU1302 + +## Scenario 1 + +> You are running the 'restore' operation with an 'HTTP' source: myHttpSource. NuGet requires HTTPS sources. To use an HTTP source, you must explicitly set 'allowInsecureConnections' to true in your NuGet.Config file. Please refer to https://aka.ms/nuget-https-everywhere for more information. + +### Issue + +`myHttpSource` is an insecure HTTP source. We recommend using an HTTPS source instead. + +### Solution + +#### Option 1: Update the Source to Use HTTPS + +If possible, update the package source to use `https://` instead of `http://`: + +```xml + + + + + +``` + +#### Option 2: Allow Insecure Connections (If Necessary) + +If the source must remain HTTP, explicitly allow insecure connections by adding the `AllowInsecureConnections` flag in the `NuGet.Config`: + +```xml + + + + + +``` + +#### Option 3: Consult SDK Analysis Level + +The [`SdkAnalysisLevel`](/dotnet/core/project-sdk/msbuild-props#sdkanalysislevel) property in your project can serve as a temporary workaround for managing HTTP sources. +If additional time is needed to resolve the HTTP error, you can lower the `SdkAnalysisLevel` to suppress errors temporarily. +Here's how it functions: + +- For SDK Analysis Level value **below 9.0.100**, using HTTP sources triggers a warning ([NU1803](NU1803.md)). +- Starting with SDK Analysis Level **9.0.100 or higher**, HTTP sources result in an error (NU1302) unless `AllowInsecureConnections` is explicitly enabled. + +> [!WARNING] +> Changing SdkAnalysisLevel has other side-effects. Refer to the [`SdkAnalysisLevel`](/dotnet/core/project-sdk/msbuild-props#sdkanalysislevel) for a summary of the full scope of .NET SDK features affected. + +## Scenario 2 + +> You are using a NuGet source 'https://contoso/v3/index.json' that contains an 'HTTP' service index resource endpoint: 'http://contoso/v3-flatcontainer/contoso/index.json'. This is insecure and not recommended. To allow HTTP resources, you must explicitly set 'allowInsecureConnections' to true in your NuGet.Config file. For more information, visit https://aka.ms/nuget-https-everywhere. + +### Issue + +A configured package source uses **HTTPS**, but one of its resources (indicated in the error message) uses **HTTP**. + +NuGet requires that all sources and their resources use HTTPS. +If you want to continue using this source despite its HTTP resource, you must set the `allowInsecureConnections` flag to true in your NuGet.config file. + +To learn more about package sources and resource endpoints, take a look at the [NuGet Server API](../../api/overview). + +#### Option 1: Update the Source to Use HTTPS + +Whenever possible, switch to a package source that provides only HTTPS resources. This is the recommended and most secure option. + +#### Option 2: Allow Insecure Connections (If Necessary) + +If you must use the source, explicitly allow insecure connections by adding the `allowInsecureConnections` flag in the `NuGet.Config`: + +For information about managing the setting in Visual Studio, see [NuGet Options in Visual Studio](../../consume-packages/nuget-visual-studio-options.md#allow-insecure-connections) + +```xml + + + + + +``` diff --git a/docs/reference/errors-and-warnings/NU1401.md b/docs/reference/errors-and-warnings/NU1401.md index f365872ae..a902b408a 100644 --- a/docs/reference/errors-and-warnings/NU1401.md +++ b/docs/reference/errors-and-warnings/NU1401.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Error NU1401 -
    The 'PackageId' package requires NuGet client version '5.0.0' or above, but the current NuGet version is '4.3.0'.
    +> The 'PackageId' package requires NuGet client version '5.0.0' or above, but the current NuGet version is '4.3.0'. ### Issue The package requires features or frameworks not currently supported by the installed version of NuGet. diff --git a/docs/reference/errors-and-warnings/NU1402.md b/docs/reference/errors-and-warnings/NU1402.md index de7afdcaf..b503b03b6 100644 --- a/docs/reference/errors-and-warnings/NU1402.md +++ b/docs/reference/errors-and-warnings/NU1402.md @@ -11,7 +11,7 @@ f1_keywords: # NuGet Error NU1402 -
    NU1402: The package 'PackageId.1.0.0' contains an entry '../../foo.dll' which is unsafe for extraction.
    +> NU1402: The package 'PackageId.1.0.0' contains an entry '../../foo.dll' which is unsafe for extraction. ### Issue diff --git a/docs/reference/errors-and-warnings/NU1403.md b/docs/reference/errors-and-warnings/NU1403.md index f15bc56c9..44c5e8e50 100644 --- a/docs/reference/errors-and-warnings/NU1403.md +++ b/docs/reference/errors-and-warnings/NU1403.md @@ -11,7 +11,7 @@ f1_keywords: # NuGet Error NU1403 -
     Package content hash validation failed for PackageId.13.0.1. The package is different than the last restore.
    +> Package content hash validation failed for PackageId.13.0.1. The package is different than the last restore. ### Issue The content of the package in the global packages folder is different from the value in the lock file. diff --git a/docs/reference/errors-and-warnings/NU1501.md b/docs/reference/errors-and-warnings/NU1501.md index e315acc9d..8c87d199e 100644 --- a/docs/reference/errors-and-warnings/NU1501.md +++ b/docs/reference/errors-and-warnings/NU1501.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Warning NU1501 -
    The folder 'FolderPath' does not contain a project to restore.
    +> The folder 'FolderPath' does not contain a project to restore. ### Issue diff --git a/docs/reference/errors-and-warnings/NU1502.md b/docs/reference/errors-and-warnings/NU1502.md index ef225d101..a03595763 100644 --- a/docs/reference/errors-and-warnings/NU1502.md +++ b/docs/reference/errors-and-warnings/NU1502.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Warning NU1502 -
    Unknown Compatibility Profile: 'aaa'
    +> Unknown Compatibility Profile: 'aaa' ### Issue `RuntimeSupports` contains an invalid profile. Typically, the supports profile was not found in a `runtime.json` file from the current dependency packages. diff --git a/docs/reference/errors-and-warnings/NU1503.md b/docs/reference/errors-and-warnings/NU1503.md index 3e472cd1e..55a969055 100644 --- a/docs/reference/errors-and-warnings/NU1503.md +++ b/docs/reference/errors-and-warnings/NU1503.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Warning NU1503 -
    Skipping restore for project 'c:\a.csproj'. The project file may be invalid or missing targets required for restore.
    +> Skipping restore for project 'c:\a.csproj'. The project file may be invalid or missing targets required for restore. ### Issue A dependency project doesn't import NuGet's restore targets. This is similar to NU1105 but here the project is skipped and ignored instead of causing all of restore to fail. In complex solutions there are often other types of projects that may not support restore. diff --git a/docs/reference/errors-and-warnings/NU1504.md b/docs/reference/errors-and-warnings/NU1504.md index 368a1e6f6..0b1cb88ae 100644 --- a/docs/reference/errors-and-warnings/NU1504.md +++ b/docs/reference/errors-and-warnings/NU1504.md @@ -13,7 +13,7 @@ f1_keywords: ## Scenario 1 -
    Duplicate 'PackageReference' items found. Remove the duplicate items or use the Update functionality to ensure a consistent restore behavior. The duplicate 'PackageReference' items are: X 1.0.0, X 2.0.0.
    +> Duplicate 'PackageReference' items found. Remove the duplicate items or use the Update functionality to ensure a consistent restore behavior. The duplicate 'PackageReference' items are: X 1.0.0, X 2.0.0. ### Issue diff --git a/docs/reference/errors-and-warnings/NU1505.md b/docs/reference/errors-and-warnings/NU1505.md index 3fe1efb99..d767e2de0 100644 --- a/docs/reference/errors-and-warnings/NU1505.md +++ b/docs/reference/errors-and-warnings/NU1505.md @@ -13,7 +13,7 @@ f1_keywords: ## Scenario 1 -
    Duplicate 'PackageDownload' items found. Remove the duplicate items or use the Update functionality to ensure a consistent restore behavior. The duplicate 'PackageDownload' items are: X [1.0.0], X [2.0.0].
    +> Duplicate 'PackageDownload' items found. Remove the duplicate items or use the Update functionality to ensure a consistent restore behavior. The duplicate 'PackageDownload' items are: X [1.0.0], X [2.0.0]. ### Issue diff --git a/docs/reference/errors-and-warnings/NU1506.md b/docs/reference/errors-and-warnings/NU1506.md index 25588baab..e6fdc0f46 100644 --- a/docs/reference/errors-and-warnings/NU1506.md +++ b/docs/reference/errors-and-warnings/NU1506.md @@ -13,7 +13,7 @@ f1_keywords: ## Scenario 1 -
    Duplicate 'PackageVersion' items found. Remove the duplicate items or use the Update functionality to ensure a consistent restore behavior. The duplicate 'PackageVersion' items are: X [1.0.0], X [2.0.0].
    +> Duplicate 'PackageVersion' items found. Remove the duplicate items or use the Update functionality to ensure a consistent restore behavior. The duplicate 'PackageVersion' items are: X [1.0.0], X [2.0.0]. ### Issue diff --git a/docs/reference/errors-and-warnings/NU1507.md b/docs/reference/errors-and-warnings/NU1507.md index ca093e17b..ba2ff2de0 100644 --- a/docs/reference/errors-and-warnings/NU1507.md +++ b/docs/reference/errors-and-warnings/NU1507.md @@ -11,22 +11,21 @@ f1_keywords: # NuGet Warning NU1507 -## Scenario 1 +> There are 2 package sources defined in your configuration. When using central package management, please map your package sources with package source mapping or specify a single package source. The following sources are defined: https://api.nuget.org/v3/index.json, https://contoso.myget.org/F/development/. -
    There are 2 package sources defined in your configuration. When using central package management, please map your package sources with package source mapping (https://aka.ms/nuget-package-source-mapping) or specify a single package source. The following sources are defined: https://api.nuget.org/v3/index.json,  https://contoso.myget.org/F/development/.
    +## Issue -### Issue +A project is configured to use NuGet [Central Package Management](../../consume-packages/Central-Package-Management.md) and is not configured to use [Package Source Mapping](../../consume-packages/Package-Source-Mapping.md). +It is highly recommended to enable [Package Source Mapping](../../consume-packages/Package-Source-Mapping.md) because it safeguards your software supply chain when your project is consuming packages from multiple package sources by allowing you specify the source for each package. -When using NuGet's central package management (CPM), it is highly recommended that you also use Package Source Mapping. This can help safeguard your software supply chain is crucial if you use a mix of public and private package sources. Visit https://aka.ms/nuget-package-source-mapping to learn more about how package source mapping works. +## Solution -### Solution - -Onboard to Package Source Mapping if you have more than one NuGet feed configured when using central package management. You can visit https://aka.ms/nuget-package-source-mapping for more details. - -If you are unable to onboard to Package Source Mapping but want to use central package management, can suppress the warning: +- Onboard to [Package Source Mapping](../../consume-packages/Package-Source-Mapping.md) if you have more than one HTTP-based NuGet package source configured when using Central Package Management. +- If you are unable to onboard to [Package Source Mapping](../../consume-packages/Package-Source-Mapping.md) but want to use Central Package Management, you can suppress the warning: ```xml + $(NoWarn);NU1507 ``` diff --git a/docs/reference/errors-and-warnings/NU1508.md b/docs/reference/errors-and-warnings/NU1508.md new file mode 100644 index 000000000..eb9f758aa --- /dev/null +++ b/docs/reference/errors-and-warnings/NU1508.md @@ -0,0 +1,26 @@ +--- +title: NuGet Warning NU1508 +description: NU1508 warning code +author: zivkan +ms.author: zivkan +ms.date: 08/10/2024 +ms.topic: reference +f1_keywords: + - "NU1508" +--- + +# NuGet Warning NU1508 + +## Scenario 1 + +> Duplicate 'NuGetAuditSuppress' items found. Remove the duplicate items or use the Update functionality to ensure a consistent restore behavior. The duplicate 'NuGetAuditSuppress' items are: https://contoso.test/cve/1 , https://contoso.test/cve/1 . + +### Issue + +Sometimes when adding `NuGetAuditSuppress` items, you may end up adding an item for a particular package multiple times. + +MSBuild projects commonly import multiple `.props` and `.targets` files, so the duplicates might not be in the same file, but may be in imported files, such as `Directory.Build.props`, `Directory.Packages.props`, or `Directory.Build.targets`. + +### Solution + +Remove the duplicate item, so that it's included exactly once. diff --git a/docs/reference/errors-and-warnings/NU1509.md b/docs/reference/errors-and-warnings/NU1509.md new file mode 100644 index 000000000..cae01fdd4 --- /dev/null +++ b/docs/reference/errors-and-warnings/NU1509.md @@ -0,0 +1,28 @@ +--- +title: NuGet Warning NU1509 +description: NU1509 warning code +author: nkolev92 +ms.author: nikolev +ms.date: 02/04/2025 +ms.topic: reference +f1_keywords: + - "NU1509" +--- + +# NuGet Warning NU1509 + +## Scenario 1 + +> Duplicate 'PrunePackageReference' items found. Remove the duplicate items or use the Update functionality to ensure a consistent restore behavior. The duplicate 'PrunePackageReference' items are: X 1.0.0, X 2.0.0. + +### Issue + +Sometimes when adding `PrunePackageReference` items, you may end up adding an item for a particular package multiple times. + +MSBuild projects commonly import multiple `.props` and `.targets` files, so the duplicates might not be in the same file, but may be in imported files, such as `Directory.Build.props`, `Directory.Packages.props`, or `Directory.Build.targets`. + +The `.NET SDK` provides a of list `PrunePackageReference`, so the conflict may be happening because you have specified a `PrunePackageReference` or due to a bug with the `.NET SDK`. + +### Solution + +Remove the duplicate item, so that it's included exactly once. diff --git a/docs/reference/errors-and-warnings/NU1510.md b/docs/reference/errors-and-warnings/NU1510.md new file mode 100644 index 000000000..2b4dbf758 --- /dev/null +++ b/docs/reference/errors-and-warnings/NU1510.md @@ -0,0 +1,84 @@ +--- +title: NuGet Warning NU1510 +description: NU1510 warning code +author: nkolev92 +ms.author: nikolev +ms.date: 02/04/2025 +ms.topic: reference +f1_keywords: + - "NU1510" +--- + +# NuGet Warning NU1510 + +## Scenario + +> PackageReference System.Text.Json will not be pruned. Consider removing this package from your dependencies, as it is likely unnecessary. + +### Issue + +The package `System.Text.Json` has been specified for pruning through the [PrunePackageReference](../../consume-packages/Package-References-in-Project-Files.md#prunepackagereference) feature. +The `.NET SDK` generally specifies the list of packages to be pruned. The package is not needed as a direct PackageReference since the .NET runtime itself carries either the same or higher version of the assembly. + +This warning is *only* raised when the PackageReference in question *can be completely removed from the project*. + +#### Example 1 + +```xml + + net10.0 + + + + + +``` + +#### Example 2 + +```xml + + net9.0;net10.0 + + + + + + +``` + +Each conditional `PackageReference` for the `System.Text.Json` package can be removed because the package is already included in the respective .NET runtime versions for the frameworks it is declared for. + +#### Example 3 + +```xml + + net9.0;net10.0 + + + + + +``` + +The `System.Text.Json` package is within the pruning range of the only framework it's declared for. + +### Solution + +Remove the PackageReference as it's unnecessary. + +> [!NOTE] +> In order to allow for easier adoption of the PrunePackageReference feature, this warning is raised by default when a project targets the .NET 10 framework or newer. + +> [!NOTE] +> The warning will not be raised in scenarios in which at least one of the frameworks still needs the package, such as `net48` in the below example. +> +> ```xml +> +> net10.0;net48 +> +> +> +> +> +> ``` diff --git a/docs/reference/errors-and-warnings/NU1511.md b/docs/reference/errors-and-warnings/NU1511.md new file mode 100644 index 000000000..310a69a07 --- /dev/null +++ b/docs/reference/errors-and-warnings/NU1511.md @@ -0,0 +1,30 @@ +--- +title: NuGet Warning NU1511 +description: NU1511 warning code +author: nkolev92 +ms.author: nikolev +ms.date: 02/04/2025 +ms.topic: reference +f1_keywords: + - "NU1511" +--- + +# NuGet Warning NU1511 + +## Scenario 1 + +> A ProjectReference cannot be pruned, X. + +### Issue + +The project id `X` has been specified for pruning through the [PrunePackageReference](../../consume-packages/Package-References-in-Project-Files.md#prunepackagereference) feature. +Pruning of projects is not supported. + +### Solution + +- The `.NET SDK` generally specifies the list of packages to be pruned. It may mean that you have a project matching the id of a platform assembly. +In this scenario, change the name of the project. +- If the `PrunePackageReference` has been specified within your project, you may need to remove the `PrunePackageReference` + +> [!NOTE] +> In order to allow for easier adoption of the PrunePackageReference feature, this warning is raised by default when a project targets the .NET 10 framework or newer. diff --git a/docs/reference/errors-and-warnings/NU1601.md b/docs/reference/errors-and-warnings/NU1601.md index 174de7403..76d0d5704 100644 --- a/docs/reference/errors-and-warnings/NU1601.md +++ b/docs/reference/errors-and-warnings/NU1601.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Warning NU1601 -
    Dependency specified was 'PackageId' (>= 3.5.0) but ended up with 'PackageId' 4.0.0.
    +> Dependency specified was 'PackageId' (>= 3.5.0) but ended up with 'PackageId' 4.0.0. ### Issue A direct project dependency was bumped to a higher version than the project specified. diff --git a/docs/reference/errors-and-warnings/NU1602.md b/docs/reference/errors-and-warnings/NU1602.md index afcfaa095..e461722ef 100644 --- a/docs/reference/errors-and-warnings/NU1602.md +++ b/docs/reference/errors-and-warnings/NU1602.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Warning NU1602 -
    'PackageA' 4.0.0 does not provide an inclusive lower bound for dependency 'PackageB' (> 3.5.0). An approximate best match of 3.6.0 was resolved.
    +> 'PackageA' 4.0.0 does not provide an inclusive lower bound for dependency 'PackageB' (> 3.5.0). An approximate best match of 3.6.0 was resolved. ### Issue A package dependency is missing a lower bound. This doesn't allow restore to find the *best match*. Each restore will float downwards trying to find a lower version that can be used. This means that restore goes online to check all sources each time instead of using the packages that already exist in the user package folder. diff --git a/docs/reference/errors-and-warnings/NU1603.md b/docs/reference/errors-and-warnings/NU1603.md index 2b4e2ba4c..edb6d032f 100644 --- a/docs/reference/errors-and-warnings/NU1603.md +++ b/docs/reference/errors-and-warnings/NU1603.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Warning NU1603 -
    'PackageA' 4.0.0 depends on 'PackageB' (>= 4.0.0) but 4.0.0 was not found. An approximate best match of 5.0.0 was resolved.
    +> 'PackageA' 4.0.0 depends on 'PackageB' (>= 4.0.0) but 4.0.0 was not found. An approximate best match of 5.0.0 was resolved. ### Issue diff --git a/docs/reference/errors-and-warnings/NU1604.md b/docs/reference/errors-and-warnings/NU1604.md index 99eb4d2d1..2c132af48 100644 --- a/docs/reference/errors-and-warnings/NU1604.md +++ b/docs/reference/errors-and-warnings/NU1604.md @@ -12,10 +12,51 @@ f1_keywords: # NuGet Warning NU1604 -
    Project dependency 'PackageA' (<= 9.0.0) does not contain an inclusive lower bound. Include a lower bound in the dependency version to ensure consistent restore results.
    +## Missing Package Version + +> Project dependency 'PackageA' does not contain an inclusive lower bound. Include a lower bound in the dependency version to ensure consistent restore results. ### Issue -A project dependency doesn't define a lower bound.

    This means that restore did not find the *best match*. Each restore will float downwards trying to find a lower version that can be used. This means that restore goes online to check all sources each time instead of using the packages that already exist in the user package folder. + +A project dependency doesn't define a version. + +This means that restore used the lowest available version. +Each restore will float downwards trying to find a lower version that can be used. +This means that restore goes online to check all sources each time instead of using the packages that already exist in the user package folder. + +### Solution + +Find the `PackageReference` item that does not define the `Version` attribute and add it: + +For example change from: + +> `` + +to: + +> `` + +If the project is using [NuGet's Central Package Management (CPM)](../../consume-packages/Central-Package-Management.md), you need to update the `` item in `Directory.Packages.props` and change from: + +> `` + +to: +> `` + +If a version is specified in a `` item and you still receive this warning, verify you've correctly [onboarded to central package management](../../consume-packages/Central-Package-Management.md#enabling-central-package-management). + +> [!Note] +> When using CPM and the file `Directory.Packages.props` is invalid, NU1604 is raised. + +## Missing Inclusive Lower Bound + +> Project dependency 'PackageA' (<= 9.0.0) does not contain an inclusive lower bound. Include a lower bound in the dependency version to ensure consistent restore results. + +### Issue +A project dependency doesn't define a lower bound. + +This means that restore did not find the *best match*. Each restore will float downwards trying to find a lower version that can be used. +This means that restore goes online to check all sources each time instead of using the packages that already exist in the user package folder. ### Solution Update the project's `PackageReference` `Version` attribute to include a lower bound. @@ -32,3 +73,10 @@ or > `` which implies a lower bound. + +If the project is using [NuGet's Central Package Management (CPM)](../../consume-packages/Central-Package-Management.md), you need to update the `` item in `Directory.Packages.props` and change from: + +> `` + +to: +> `` diff --git a/docs/reference/errors-and-warnings/NU1605.md b/docs/reference/errors-and-warnings/NU1605.md index ddb00097b..d8197d284 100644 --- a/docs/reference/errors-and-warnings/NU1605.md +++ b/docs/reference/errors-and-warnings/NU1605.md @@ -14,9 +14,9 @@ f1_keywords: ## Example 1 -
    Detected package downgrade: 'PackageB' from 4.0.0 to 3.5.0. Reference the package directly from the project to select a different version.
      
-'Project' -> 'PackageA' 4.0.0 -> 'PackageB' (>= 4.0.0)
      
-'Project' -> 'PackageB' (>= 3.5.0)
    +> Detected package downgrade: 'PackageB' from 4.0.0 to 3.5.0. Reference the package directly from the project to select a different version.
    +>     'Project' -> 'PackageA' 4.0.0 -> 'PackageB' (>= 4.0.0)
    +>     'Project' -> 'PackageB' (>= 3.5.0) ### Issue @@ -28,16 +28,14 @@ To the project exhibiting the restore warning, add a package reference to the hi In the example above, you would change the package reference to `PackageB` 4.0.0: -
    -  'PackageA' 4.0.0 -> 'PackageB' 4.0.0
    
-  'PackageB' 4.0.0
-
    +> 'PackageA' 4.0.0 -> 'PackageB' 4.0.0
    +> 'PackageB' 4.0.0 ## Example 2 -
    Detected package downgrade: 'PackageC' from 2.0.0 to 1.1.0. Reference the package directly from the project to select a different version.
      
-'Project' -> 'PackageA' 1.0.0 -> 'PackageB' 2.0.0 ->'PackageC' (>= 2.0.0)
      
-'Project' -> 'PackageA' 1.0.0 -> 'PackageC' (>= 1.1.0)
    +> Detected package downgrade: 'PackageC' from 2.0.0 to 1.1.0. Reference the package directly from the project to select a different version.
    +>     'Project' -> 'PackageA' 1.0.0 -> 'PackageB' 2.0.0 ->'PackageC' (>= 2.0.0)
    +>     'Project' -> 'PackageA' 1.0.0 -> 'PackageC' (>= 1.1.0) ### Issue @@ -50,18 +48,14 @@ To the project exhibiting the restore warning, add a package reference to the hi In the example above, you would change the package reference to `PackageC` 2.0.0: -
    -  'PackageA' 4.0.0 -> 'PackageB' 4.0.0
    
-  'PackageB' 4.0.0
-
    +> 'PackageA' 4.0.0 -> 'PackageB' 4.0.0
    +> 'PackageB' 4.0.0 ## Example 3 -
    -Detected package downgrade: System.IO.FileSystem.Primitives from 4.3.0 to 4.0.1. Reference the package directly from the project to select a different version.
    
- Project -> System.IO.FileSystem 4.0.1 -> runtime.win.System.IO.FileSystem 4.3.0 -> System.IO.FileSystem.Primitives (>= 4.3.0)
    
- Project -> System.IO.FileSystem 4.0.1 -> System.IO.FileSystem.Primitives (>= 4.0.1)
    
-
    +> Detected package downgrade: System.IO.FileSystem.Primitives from 4.3.0 to 4.0.1. Reference the package directly from the project to select a different version.
    +>     Project -> System.IO.FileSystem 4.0.1 -> runtime.win.System.IO.FileSystem 4.3.0 -> System.IO.FileSystem.Primitives (>= 4.3.0)
    +>     Project -> System.IO.FileSystem 4.0.1 -> System.IO.FileSystem.Primitives (>= 4.0.1)
    ### Issue @@ -79,10 +73,9 @@ You may choose to use the `version` matching the the major version of your SDK. ## Example 4 -
    Detected package downgrade: Microsoft.NETCore.App from 2.1.8 to 2.1.0. Reference the package directly from the project to select a different version.
    
-  test -> mvc -> Microsoft.NETCore.App (>= 2.1.8)
    
-  test -> Microsoft.NETCore.App (>= 2.1.0)
    
-
    +> Detected package downgrade: Microsoft.NETCore.App from 2.1.8 to 2.1.0. Reference the package directly from the project to select a different version.
    +>     test -> mvc -> Microsoft.NETCore.App (>= 2.1.8)
    +>     test -> Microsoft.NETCore.App (>= 2.1.0) ### Issue @@ -96,3 +89,5 @@ This specific error (with Microsoft.NETCore.App package) is improved by moving y > While NU1605 is considered a warning by the NuGet tooling, the [.NET SDK](/dotnet/core/sdk) opts into treating this warning as an error through `WarningsAsErrors`. > Your project may be upgrading this warning to an error by setting `TreatWarningsAsErrors` to `true`. > While not recommended, as you are more likely to encounter runtime issues, you may choose to [suppress](../../consume-packages/Package-References-in-Project-Files.md#suppressing-nuget-warnings) this warning. + +[!INCLUDE [nugetsolver-tool](../../includes/nugetsolver-tool.md)] diff --git a/docs/reference/errors-and-warnings/NU1608.md b/docs/reference/errors-and-warnings/NU1608.md index 888d06a00..4a5590843 100644 --- a/docs/reference/errors-and-warnings/NU1608.md +++ b/docs/reference/errors-and-warnings/NU1608.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Warning NU1608 -
    Detected package version outside of dependency constraint: 'PackageA' 1.0.0 requires 'PackageB' (= 1.0.0) but version 'PackageB' 2.0.0 was resolved.
    +> Detected package version outside of dependency constraint: 'PackageA' 1.0.0 requires 'PackageB' (= 1.0.0) but version 'PackageB' 2.0.0 was resolved. ### Issue A resolved package is higher than a dependency constraint allows. This means that a package referenced directly by a project overrides dependency constraints from other packages. diff --git a/docs/reference/errors-and-warnings/NU1701.md b/docs/reference/errors-and-warnings/NU1701.md index e3f3ea11a..0fd319446 100644 --- a/docs/reference/errors-and-warnings/NU1701.md +++ b/docs/reference/errors-and-warnings/NU1701.md @@ -12,10 +12,12 @@ f1_keywords: # NuGet Warning NU1701 -
    Package 'packageId' was restored using 'TargetFrameworkA' instead the project target framework 'TargetFrameworkB'. This package may not be fully compatible with your project.
    +> Package 'packageId' was restored using 'TargetFrameworkA' instead the project target framework 'TargetFrameworkB'. This package may not be fully compatible with your project. ### Issue -`PackageTargetFallback` / `AssetTargetFallback` was used to select assets from a package. The warning let users know that the assets may not be 100% compatible. +`AssetTargetFallback` was used to select assets from a package. The warning let users know that the assets may not be 100% compatible. ### Solution Change the project's target framework to one that the package supports. + +[!INCLUDE [nugetsolver-tool](../../includes/nugetsolver-tool.md)] diff --git a/docs/reference/errors-and-warnings/NU1702.md b/docs/reference/errors-and-warnings/NU1702.md new file mode 100644 index 000000000..584570102 --- /dev/null +++ b/docs/reference/errors-and-warnings/NU1702.md @@ -0,0 +1,23 @@ +--- +title: NuGet Warning NU1702 +description: NU1702 warning code +author: nkolev92 +ms.date: 07/25/2024 +ms.topic: reference +f1_keywords: + - "NU1702" +--- + +# NuGet Warning NU1702 + +> ProjectReference 'C:\Code\Project2.csproj' was resolved using '.NETFramework,Version=v4.7.2' instead of the project target framework '.NETCoreApp,Version=v5.0'. +> This project may not be fully compatible with your project. + +### Issue + +`AssetTargetFallback` was used to select assets from a package. The warning lets users know that the assets may not be 100% compatible. + +### Solution + +Change the target framework of the projects to make them fully compatible. +Example: Change the target framework of Project2 to `.NET 5`, or change Project2 to target both `.NET 5` and `.NET Framework 4.7.2`. diff --git a/docs/reference/errors-and-warnings/NU1703.md b/docs/reference/errors-and-warnings/NU1703.md index 911170c4d..b1f40d7f0 100644 --- a/docs/reference/errors-and-warnings/NU1703.md +++ b/docs/reference/errors-and-warnings/NU1703.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Warning NU1703 -
    'packageId' was resolved as a dependency of 'project', but the dependency is using 'Xamarin.iOS' while 'project' is using 'net6.0-maccatalyst14.5' as its TargetFramework
    +> 'packageId' was resolved as a dependency of 'project', but the dependency is using 'Xamarin.iOS' while 'project' is using 'net6.0-maccatalyst14.5' as its TargetFramework ### Issue diff --git a/docs/reference/errors-and-warnings/NU1802.md b/docs/reference/errors-and-warnings/NU1802.md index da9738ae8..7e194460e 100644 --- a/docs/reference/errors-and-warnings/NU1802.md +++ b/docs/reference/errors-and-warnings/NU1802.md @@ -17,6 +17,7 @@ Updating last access time on file "C:\packages\contoso.library\1.0.0\.nupkg.meta ### Solution -You have enabled an experimental feature that updates the last access of the .nupkg.metadata file in the NuGet global packages folder. +You have enabled a feature that updates the last access of the .nupkg.metadata file in the NuGet global packages folder. Failures are likely to be issues with permissions. -The details of the failure reason will be contained in the error message. Consult that information for the exact action. \ No newline at end of file +The details of the failure reason will be contained in the error message. +Consult that information for the exact action. diff --git a/docs/reference/errors-and-warnings/NU1803.md b/docs/reference/errors-and-warnings/NU1803.md index 946f589bf..a6c68ef29 100644 --- a/docs/reference/errors-and-warnings/NU1803.md +++ b/docs/reference/errors-and-warnings/NU1803.md @@ -21,5 +21,16 @@ You may need to do one of the following: - Correct the specified url. You may have mistyped the source url. Change the url to explicitly request the `HTTPS` version of the source. - Work with the owner of the source and ask them to migrate to `HTTPS`. +- If you are absolutely certain the 'HTTP' server you are connecting to is trustworthy, you may opt out of this warning by setting `allowInsecureConnections` to `true` for this package source, in [Package source sections](..\nuget-config-file.md#package-source-sections) of your NuGet.Config file. (Supported in NuGet 6.8+) + +**Example**: + +```xml + + + + + +``` To learn more, refer to the [HTTPS everywhere](https://devblogs.microsoft.com/nuget/https-everywhere) blog. diff --git a/docs/reference/errors-and-warnings/NU1900.md b/docs/reference/errors-and-warnings/NU1900.md new file mode 100644 index 000000000..046ba62ce --- /dev/null +++ b/docs/reference/errors-and-warnings/NU1900.md @@ -0,0 +1,47 @@ +--- +title: NuGet Warning NU1900 +description: NU1900 Warning codes +author: zivkan +ms.author: zivkan +ms.date: 6/27/2023 +ms.topic: reference +f1_keywords: + - NU1900 +--- + +# NuGet Warning NU1900 + +## Example 1 + +```text +warning NU1900: Error occurred while getting package vulnerability data: (more information) +``` + +### Issue + +Vulnerability data could not be downloaded from one of the package sources. + +### Solution + +This warning generally means that there is a problem with the package source. + +If the error is related to networking, such as unable to connect to server, a timeout, a DNS error, and so on, then retrying after waiting a few minutes might resolve the issue. +If you use a hosted package source, try checking their server status page to see if there is a known outage. + +If the error is a JSON deserialization error, this suggests the package source returned invalid data to NuGet. +You can try clearing NuGet's HTTP cache (`dotnet nuget locals http-cache --clear` from the command line) and try again. +If issues persist, then contact the package source administrators. + +For more information, see [the documentation on auditing packages](../../concepts/Auditing-Packages.md). + +## Example 2 + +```text +warning NU1900: Package 'Contoso.Utilities' 1.0.0 has a known unknown severity vulnerability, https://cve.contoso.com/advisories/1 +``` + +### Issue + +The server provided vulnerability data for the package, but provided an invalid severity value. +If you know which package source provided the invalid data, you can contact the server administrators to inform them that their vulnerability data does not comply with [NuGet's server API](../../api/vulnerability-info.md). +Once packages have been restored into your global packages folder, you can comment out all but one package source in your `nuget.config` file, and re-run restore until you find which package source is providing the invalid data. diff --git a/docs/reference/errors-and-warnings/NU1901-NU1904.md b/docs/reference/errors-and-warnings/NU1901-NU1904.md new file mode 100644 index 000000000..4fb538434 --- /dev/null +++ b/docs/reference/errors-and-warnings/NU1901-NU1904.md @@ -0,0 +1,57 @@ +--- +title: NuGet Warnings NU1901, NU1902, NU1903, NU1904 +description: NU1901, NU1902, NU1903, NU1904 Warning codes +author: zivkan +ms.author: zivkan +ms.date: 7/19/2024 +ms.topic: reference +f1_keywords: + - NU1901 + - NU1902 + - NU1903 + - NU1904 +--- + +# NuGet Warnings NU1901, NU1902, NU1903, NU1904 + +> warning NU1902: Package 'NuGet.Protocol' 5.11.2 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-g3q9-xf95-8hp5 + +The warning code changes depending on the known vulnerability severity level: + +|Warning Code|Severity| +|--|--| +|NU1901|low| +|NU1902|moderate| +|NU1903|high| +|NU1904|critical| + +### Issue + +A package restored for your project has a known vulnerability. + +For more information, see [the documentation on auditing packages](../../concepts/Auditing-Packages.md). + +### Solution + +We have [documentation on upgrading vulnerable packages](../../concepts/Auditing-Packages.md#actions-when-packages-with-known-vulnerabilities-are-reported) that goes in more detail about our recommended actions when your project uses a package with a known vulnerability, and tools that can help. + +Upgrading to a newer version of the package is likely to resolve the warning. +If your project does not reference the package directly (it's a transitive package), [`dotnet nuget why`](/dotnet/core/tools/dotnet-nuget-why) can be used to understand which package caused it to be included in your project. +You can check the URL provided by the vulnerability advisory to see what versions of the package have been fixed, or check your configured package source(s) to see what versions of the package are available. +Visual Studio's package manager UI can show which package versions are affected and which do not have known vulnerabilities. + +If these warnings are causing restore to fail because you are using `TreatWarningsAsErrors`, you can add `NU1901;NU1902;NU1903;NU1904` to allow these codes to remain as warnings. + +If you do not wish to be notified of vulnerabilities that are less severe than a level you are comfortable with, you can edit the project file and add an MSBuild property `NuGetAuditLevel`, with value set to `low`, `moderate`, `high`, or `critical`. +For example, `high`. + +If you would like to suppress a specific advisory, add an MSBuild [NuGetAuditSuppress](../../concepts/Auditing-Packages.md#excluding-advisories) item. +For example ``. +`NuGetAuditSuppress` is available from [VS 17.11 and .NET 8.0.400 SDK](../../release-notes/NuGet-6.11.md) for projects using `PackageReference`, and from [VS 17.12](../../release-notes/NuGet-6.12.md) for projects using `packages.config`. + +If you do not want NuGet to check for packages with known vulnerabilities during restore, add `false` inside a `` in your project file, or a [`Directory.Build.props` file](/visualstudio/msbuild/customize-by-directory). +If you would like to run NuGet Audit on developer machines, but disable it on CI pipelines, you can take advantage of MSBuild importing environment variables, and create a NuGetAudit environment variable set to `false` in your pipeline definition. + +For projects targeting the .NET 10 framework, the default setting for `NuGetAuditMode` is `all`. +This means that NuGet will report on transitive packages with known vulnerabilities for all frameworks in the project. +The value can be explicitly set to `direct` to revert back to .NET 9's default. diff --git a/docs/reference/errors-and-warnings/NU1905.md b/docs/reference/errors-and-warnings/NU1905.md new file mode 100644 index 000000000..9cc76f41d --- /dev/null +++ b/docs/reference/errors-and-warnings/NU1905.md @@ -0,0 +1,31 @@ +--- +title: NuGet Warning NU1905 +description: NU1905 Warning codes +author: zivkan +ms.author: zivkan +ms.date: 07/19/2024 +ms.topic: reference +f1_keywords: + - NU1905 +--- + +# NuGet Warning NU1905 + +```text +warning NU1905: Audit source 'Contoso' did not provide any vulnerability data. +``` + +### Issue + +A source specified in a [NuGet.Config `` element](../nuget-config-file.md#auditsources) did not provide a vulnerability database. + +### Solution + +Any NuGet source implementing [NuGet's V3 server API can provide vulnerability data via the `VulnerabilityInfo` resource](../../api/vulnerability-info.md), including by mirroring nuget.org's vulnerability data. +Any source defined in a NuGet.Config `` element is expected to provide this resource, and this warning is raised when it is not. +You can check if your package source administrators have a setting to enable vulnerability data. + +If you would like to treat this warning as an error, to cause build failures when vulnerability checks could not be performed, you can add `$(WarningAsError);NU1905` to your project file. +If you are using `TreatWarningsAsErrors` to cause all warnings to be treated as errors, you can add `$(NoWarn);NU1905` to your project file to suppress this warning message, or `NU1905` to prevent this warning from being treated as an error. + +For more information, see [the documentation on auditing packages](../../concepts/Auditing-Packages.md). diff --git a/docs/reference/errors-and-warnings/NU3000.md b/docs/reference/errors-and-warnings/NU3000.md index d71cd9e7e..d4419ce9d 100644 --- a/docs/reference/errors-and-warnings/NU3000.md +++ b/docs/reference/errors-and-warnings/NU3000.md @@ -17,7 +17,7 @@ f1_keywords: ## Scenario 1 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature does not have a timestamp.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature does not have a timestamp. ### Issue @@ -32,7 +32,7 @@ To enable long-term signature validity after the signature certificate has expir ## Scenario 2 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': Multiple timestamps are not accepted.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': Multiple timestamps are not accepted. ### Issue @@ -47,7 +47,7 @@ Please ensure that each package signature contains no more than 1 timestamp. ## Scenario 3 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The repository countersignature does not have a timestamp.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The repository countersignature does not have a timestamp. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3001.md b/docs/reference/errors-and-warnings/NU3001.md index e90bf5b25..69f27b47c 100644 --- a/docs/reference/errors-and-warnings/NU3001.md +++ b/docs/reference/errors-and-warnings/NU3001.md @@ -14,37 +14,31 @@ f1_keywords: ## Scenario 1 -
    Invalid password was provided for the certificate file 'certificate.pfx'. Provide a valid password using the '-CertificatePassword' option.
    +> Invalid password was provided for the certificate file 'certificate.pfx'. Provide a valid password using the '-CertificatePassword' option. ### Issue A password protected certificate file was provided to the NuGet Sign operation. But an invalid or no password was provided. - ### Solution If you are using a password protected certificate file to sign a NuGet package, then please use the `-CertificatePassword` option to pass the correct password. - - ## Scenario 2 -
    Certificate file 'certificate.pfx' not found. For a list of accepted ways to provide a certificate, visit https://docs.nuget.org/docs/reference/command-line-reference.
    +> Certificate file 'certificate.pfx' not found. For a list of accepted ways to provide a certificate, visit https://docs.nuget.org/docs/reference/command-line-reference. ### Issue A certificate file was provided to the NuGet Sign operation. But the file does not exist on disk. - ### Solution Please ensure that any certificate file being used to sign a NuGet package exists on disk. - - ## Scenario 3 -
    Certificate file 'random_file.txt' is invalid. For a list of accepted ways to provide a certificate, visit https://docs.nuget.org/docs/reference/command-line-reference.
    +> Certificate file 'random_file.txt' is invalid. For a list of accepted ways to provide a certificate, visit https://docs.nuget.org/docs/reference/command-line-reference. ### Issue @@ -55,69 +49,56 @@ A certificate file was provided to the NuGet Sign operation, but the file is not Please ensure that any certificate file being used to sign a NuGet package is a valid certificate file. - - ## Scenario 4 -
    Multiple certificates were found that meet all the given criteria. Use the '-CertificateFingerprint' option with the hash of the desired certificate.
    +> Multiple certificates were found that meet all the given criteria. Use the '-CertificateFingerprint' option with the hash of the desired certificate. ### Issue A certificate was suggested to the NuGet Sign command using the `-CertificateSubjectName` option. But multiple certificates were found to match the certificate subject name in the Windows certificate store. - ### Solution Please pass the '-CertificateFingerprint' option with the hash of the desired certificate to the NuGet Sign command to uniquely identify a certificate. - - ## Scenario 5 -
    No certificates were found that meet all the given criteria. For a list of accepted ways to provide a certificate, visit https://docs.nuget.org/docs/reference/command-line-reference.
    +> No certificates were found that meet all the given criteria. For a list of accepted ways to provide a certificate, visit https://docs.nuget.org/docs/reference/command-line-reference. ### Issue A certificate was suggested to the NuGet Sign command using the `-CertificateSubjectName` option. But no certificate was found to match the certificate subject name in the Windows certificate store. - ### Solution Please ensure that you passing the right subject name filter, otherwise pass the '-CertificateFingerprint' option with the hash of the desired certificate to the NuGet Sign command to uniquely identify a certificate. - ## Scenario 6 -
    The following certificate cannot be used for package signing as the private key provider is unsupported:
-  Subject Name: CN=Certificate Subject Name
-  SHA1 hash: HASH
-  SHA256 hash: HASH
-  Issued by: Issuer Subject Name
-  Valid from: 4/9/2016 5:00:00 PM to 4/14/2020 5:00:00 AM
    +> The following certificate cannot be used for package signing as the private key provider is unsupported: + Subject Name: CN=Certificate Subject Name
    + SHA1 hash: HASH
    + SHA256 hash: HASH
    + Issued by: Issuer Subject Name
    + Valid from: 4/9/2016 5:00:00 PM to 4/14/2020 5:00:00 AM ### Issue A certificate was passed to the NuGet Sign command which has an unsupported pribvate key provider. - ### Solution Currently, due to framework limitations, NuGet sign command does not support CNG key private key provider. Please use a certificate with a CAPI private key provider. - - ## Scenario 7 -
    The package already contains a signature. Remove the existing signature before adding a new signature.
    +> The package already contains a signature. Remove the existing signature before adding a new signature. ### Issue NuGet Sign command was used to sign a package which already has a package signature. - ### Solution Please ensure that you are signing an unsigned package. If the package is already signed, then please use `-Overwrite` option to overwrite an existing signature. - - diff --git a/docs/reference/errors-and-warnings/NU3002.md b/docs/reference/errors-and-warnings/NU3002.md index abd57086b..3b379ecd0 100644 --- a/docs/reference/errors-and-warnings/NU3002.md +++ b/docs/reference/errors-and-warnings/NU3002.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Warning NU3002 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The '-Timestamper' option was not provided. The signed package will not be timestamped. To learn more about this option, please visit https://docs.nuget.org/docs/reference/command-line-reference.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The '-Timestamper' option was not provided. The signed package will not be timestamped. To learn more about this option, please visit https://docs.nuget.org/docs/reference/command-line-reference. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3003.md b/docs/reference/errors-and-warnings/NU3003.md index 32d509f14..67505254f 100644 --- a/docs/reference/errors-and-warnings/NU3003.md +++ b/docs/reference/errors-and-warnings/NU3003.md @@ -14,7 +14,7 @@ f1_keywords: ## Scenario 1 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The package is not signed. Unable to verify signature from an unsigned package.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The package is not signed. Unable to verify signature from an unsigned package. ### Issue @@ -29,7 +29,7 @@ Please file an issue at [NuGet/Home](https://github.com/NuGet/Home/issues) along ## Scenario 2 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The package signature is invalid or cannot be verified on this platform.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The package signature is invalid or cannot be verified on this platform. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3004.md b/docs/reference/errors-and-warnings/NU3004.md index 1e016fcf0..fdf2f1d1a 100644 --- a/docs/reference/errors-and-warnings/NU3004.md +++ b/docs/reference/errors-and-warnings/NU3004.md @@ -14,8 +14,8 @@ f1_keywords: ## Scenario 1 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The package is not signed.
    -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': signatureValidationMode is set to require, so packages are allowed only if signed by trusted signers; however, this package is unsigned.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The package is not signed.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': signatureValidationMode is set to require, so packages are allowed only if signed by trusted signers; however, this package is unsigned. ### Issue @@ -33,7 +33,7 @@ Please ensure that any package intended to be installed or passed to `nuget veri ## Scenario 2 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': This repository indicated that all its packages are repository signed; however, this package is unsigned.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': This repository indicated that all its packages are repository signed; however, this package is unsigned. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3005.md b/docs/reference/errors-and-warnings/NU3005.md index 4fee4e186..a2c32aff2 100644 --- a/docs/reference/errors-and-warnings/NU3005.md +++ b/docs/reference/errors-and-warnings/NU3005.md @@ -14,7 +14,7 @@ f1_keywords: ## Scenario 1 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The package contains an invalid package signature file.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The package contains an invalid package signature file. ### Issue @@ -29,7 +29,7 @@ Please request the package author to re-sign the package using the `nuget sign` ## Scenario 2 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The package contains multiple package signature files.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The package contains multiple package signature files. ### Issue @@ -44,7 +44,7 @@ Please request the package author to re-sign the package using the `nuget sign` ## Scenario 3 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The package does not contain a valid package signature file.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The package does not contain a valid package signature file. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3006.md b/docs/reference/errors-and-warnings/NU3006.md index 08533cb4b..bb8000c35 100644 --- a/docs/reference/errors-and-warnings/NU3006.md +++ b/docs/reference/errors-and-warnings/NU3006.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Warning NU3006 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': Signed Zip64 packages are not supported.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': Signed Zip64 packages are not supported. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3007.md b/docs/reference/errors-and-warnings/NU3007.md index b6972611e..19077c226 100644 --- a/docs/reference/errors-and-warnings/NU3007.md +++ b/docs/reference/errors-and-warnings/NU3007.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Warning NU3007 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The package signature format version is not supported. Updating your client may solve this problem.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The package signature format version is not supported. Updating your client may solve this problem. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3008.md b/docs/reference/errors-and-warnings/NU3008.md index 2f723239b..fa8461f8d 100644 --- a/docs/reference/errors-and-warnings/NU3008.md +++ b/docs/reference/errors-and-warnings/NU3008.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Error NU3008 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The package integrity check failed. The package has changed since it was signed. Try clearing the local http-cache and run nuget operation again.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The package integrity check failed. The package has changed since it was signed. Try clearing the local http-cache and run nuget operation again. ### Issue @@ -22,4 +22,4 @@ NuGet package being verified has changed since it was signed. Please ensure that the package has not been tampered with since signing. If this was a temporary problem, then you can fix this by clearing your local http-cache(s) by running `nuget locals http-cache -clear` or `dotnet nuget locals http-cache --clear` command. However, if the problem persists then please inform the package source and the package author. -If this issue happened on a package which came from `nuget.org` then please file an issue at [NuGet/Home](https://github.com/NuGet/Home/issues) along with the package that caused this problem. +If this issue happened on a package which came from `nuget.org` then please file an issue at [NuGet/NuGetGallery](https://github.com/NuGet/NuGetGallery/issues) along with the package that caused this problem. diff --git a/docs/reference/errors-and-warnings/NU3009.md b/docs/reference/errors-and-warnings/NU3009.md index e45e9ee5d..713c2ee4c 100644 --- a/docs/reference/errors-and-warnings/NU3009.md +++ b/docs/reference/errors-and-warnings/NU3009.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Warning NU3009 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The package signature file does not contain exactly one primary signature.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The package signature file does not contain exactly one primary signature. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3010.md b/docs/reference/errors-and-warnings/NU3010.md index 9257129d9..e0616dd06 100644 --- a/docs/reference/errors-and-warnings/NU3010.md +++ b/docs/reference/errors-and-warnings/NU3010.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Warning NU3010 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature does not have a signing certificate.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature does not have a signing certificate. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3011.md b/docs/reference/errors-and-warnings/NU3011.md index ce8f9802d..223a4794d 100644 --- a/docs/reference/errors-and-warnings/NU3011.md +++ b/docs/reference/errors-and-warnings/NU3011.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Warning NU3011 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature is invalid.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature is invalid. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3012.md b/docs/reference/errors-and-warnings/NU3012.md index fe4853df2..9cecd28ac 100644 --- a/docs/reference/errors-and-warnings/NU3012.md +++ b/docs/reference/errors-and-warnings/NU3012.md @@ -14,7 +14,7 @@ f1_keywords: ## Scenario 1 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature validation failed.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature validation failed. ### Issue @@ -29,7 +29,7 @@ You can get more details about the problem by looking at the debug logs. If the ## Scenario 2 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature found a chain building issue:  A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature found a chain building issue: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3013.md b/docs/reference/errors-and-warnings/NU3013.md index e8180bd75..bd2d3a0a5 100644 --- a/docs/reference/errors-and-warnings/NU3013.md +++ b/docs/reference/errors-and-warnings/NU3013.md @@ -14,7 +14,7 @@ f1_keywords: ## Scenario 1 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The signing certificate has an unsupported signature algorithm.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The signing certificate has an unsupported signature algorithm. ### Issue @@ -32,7 +32,7 @@ Please ensure that the signing certificate has one of the following signature al ## Scenario 2 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's certificate has an unsupported signature algorithm.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's certificate has an unsupported signature algorithm. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3014.md b/docs/reference/errors-and-warnings/NU3014.md index db7748cc5..e292ef72a 100644 --- a/docs/reference/errors-and-warnings/NU3014.md +++ b/docs/reference/errors-and-warnings/NU3014.md @@ -14,7 +14,7 @@ f1_keywords: ## Scenario 1 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The signing certificate does not meet a minimum public key length requirement.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The signing certificate does not meet a minimum public key length requirement. ### Issue @@ -29,7 +29,7 @@ Please ensure that the signing certificate has an RSA public key of length >= 20 ## Scenario 2 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's certificate does not meet a minimum public key length requirement.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's certificate does not meet a minimum public key length requirement. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3015.md b/docs/reference/errors-and-warnings/NU3015.md index 8443439e8..5a04c73ef 100644 --- a/docs/reference/errors-and-warnings/NU3015.md +++ b/docs/reference/errors-and-warnings/NU3015.md @@ -14,7 +14,7 @@ f1_keywords: ## Scenario 1 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The lifetime signing EKU in the primary signature's certificate is not supported.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The lifetime signing EKU in the primary signature's certificate is not supported. ### Issue @@ -29,7 +29,7 @@ Please ensure that the signing certificate does not have lifetime signing Extend ## Scenario 2 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The lifetime signing EKU in the signing certificate is not supported.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The lifetime signing EKU in the signing certificate is not supported. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3016.md b/docs/reference/errors-and-warnings/NU3016.md index eb43ec64e..ac4c9d36f 100644 --- a/docs/reference/errors-and-warnings/NU3016.md +++ b/docs/reference/errors-and-warnings/NU3016.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Warning NU3016 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The package hash uses an unsupported hash algorithm.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The package hash uses an unsupported hash algorithm. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3017.md b/docs/reference/errors-and-warnings/NU3017.md index 8a7a038f4..c8d255031 100644 --- a/docs/reference/errors-and-warnings/NU3017.md +++ b/docs/reference/errors-and-warnings/NU3017.md @@ -14,7 +14,7 @@ f1_keywords: ## Scenario 1 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The signing certificate is not yet valid.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The signing certificate is not yet valid. ### Issue @@ -29,7 +29,7 @@ Please ensure that the signing certificate is currently valid. ## Scenario 2 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's certificate is not yet valid.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's certificate is not yet valid. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3018.md b/docs/reference/errors-and-warnings/NU3018.md index 90cda228c..93baa310a 100644 --- a/docs/reference/errors-and-warnings/NU3018.md +++ b/docs/reference/errors-and-warnings/NU3018.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Warning NU3018 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's signing certificate is not trusted by the trust provider.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's signing certificate is not trusted by the trust provider. ### Issue @@ -25,3 +25,5 @@ Please ensure that the package signature has a valid certificate chain. You can > [!Note] > When NuGet’s [signature validation mode](../../consume-packages/installing-signed-packages.md#configure-package-signature-requirements) is set to accept (default), NU3018 is raised as a warning. > When NuGet’s signature validation mode is set to require, or when running the `nuget verify -signatures` command, NU3018 is elevated from a warning to an error in most cases. + +For Linux and macOS, see [NuGet signed-package verification](/dotnet/core/tools/nuget-signed-package-verification). Specifically for untrusted root certificate warnings/errors on Linux and macOS, also see [NU3042](NU3042.md). \ No newline at end of file diff --git a/docs/reference/errors-and-warnings/NU3019.md b/docs/reference/errors-and-warnings/NU3019.md index 65fbf57ed..689208f87 100644 --- a/docs/reference/errors-and-warnings/NU3019.md +++ b/docs/reference/errors-and-warnings/NU3019.md @@ -14,7 +14,7 @@ f1_keywords: ## Scenario 1 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The timestamp integrity check failed.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The timestamp integrity check failed. ### Issue @@ -29,7 +29,7 @@ Please try to re-sign and timestamp the package. If the problem persists, contac ## Scenario 2 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's timestamp integrity check failed.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's timestamp integrity check failed. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3020.md b/docs/reference/errors-and-warnings/NU3020.md index a4755a354..cfca6be9a 100644 --- a/docs/reference/errors-and-warnings/NU3020.md +++ b/docs/reference/errors-and-warnings/NU3020.md @@ -14,7 +14,7 @@ f1_keywords: ## Scenario 1 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The timestamp does not have a signing certificate.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The timestamp does not have a signing certificate. ### Issue @@ -29,7 +29,7 @@ Please try to re-sign and timestamp the package. If the problem persists, contac ## Scenario 2 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's timestamp does not have a signing certificate.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's timestamp does not have a signing certificate. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3021.md b/docs/reference/errors-and-warnings/NU3021.md index f528760a0..c0655ce3d 100644 --- a/docs/reference/errors-and-warnings/NU3021.md +++ b/docs/reference/errors-and-warnings/NU3021.md @@ -14,7 +14,7 @@ f1_keywords: ## Scenario 1 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's timestamp signature validation failed.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's timestamp signature validation failed. ### Issue @@ -29,7 +29,7 @@ Please request the package author to re-sign the package using the `nuget sign` ## Scenario 2 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The timestamp signature validation failed.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The timestamp signature validation failed. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3022.md b/docs/reference/errors-and-warnings/NU3022.md index 73a97fa03..bbe3e11f1 100644 --- a/docs/reference/errors-and-warnings/NU3022.md +++ b/docs/reference/errors-and-warnings/NU3022.md @@ -14,7 +14,7 @@ f1_keywords: ## Scenario 1 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's timestamp certificate has an unsupported signature algorithm.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's timestamp certificate has an unsupported signature algorithm. ### Issue @@ -32,7 +32,7 @@ Please ensure that the timestamp authority's signing certificate has one of the ## Scenario 2 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The timestamp certificate has an unsupported signature algorithm (SHA1). The following algorithms are supported: SHA256RSA, SHA384RSA, SHA512RSA.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The timestamp certificate has an unsupported signature algorithm (SHA1). The following algorithms are supported: SHA256RSA, SHA384RSA, SHA512RSA. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3023.md b/docs/reference/errors-and-warnings/NU3023.md index 8e815be5f..b984ba930 100644 --- a/docs/reference/errors-and-warnings/NU3023.md +++ b/docs/reference/errors-and-warnings/NU3023.md @@ -14,7 +14,7 @@ f1_keywords: ## Scenario 1 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The timestamp certificate does not meet a minimum public key length requirement.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The timestamp certificate does not meet a minimum public key length requirement. ### Issue @@ -29,7 +29,7 @@ Please ensure that the Timestamp Authority's signing certificate has an RSA pub ## Scenario 2 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's timestamp certificate does not meet a minimum public key length requirement.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's timestamp certificate does not meet a minimum public key length requirement. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3024.md b/docs/reference/errors-and-warnings/NU3024.md index 199f65d91..373a01016 100644 --- a/docs/reference/errors-and-warnings/NU3024.md +++ b/docs/reference/errors-and-warnings/NU3024.md @@ -14,7 +14,7 @@ f1_keywords: ## Scenario 1 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The timestamp signature has an unsupported digest algorithm. The following algorithms are supported: : SHA-2-256, SHA-2-384, SHA-2-512.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The timestamp signature has an unsupported digest algorithm. The following algorithms are supported: : SHA-2-256, SHA-2-384, SHA-2-512. ### Issue @@ -32,7 +32,7 @@ Ensure that the timestamp authority's signature has one of the following digest ## Scenario 2 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's timestamp signature has an unsupported digest algorithm.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's timestamp signature has an unsupported digest algorithm. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3025.md b/docs/reference/errors-and-warnings/NU3025.md index f80ff68b3..ea3569e9b 100644 --- a/docs/reference/errors-and-warnings/NU3025.md +++ b/docs/reference/errors-and-warnings/NU3025.md @@ -14,7 +14,7 @@ f1_keywords: ## Scenario 1 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The timestamp signing certificate is not yet valid.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The timestamp signing certificate is not yet valid. ### Issue @@ -29,7 +29,7 @@ Please ensure that the Timestamp Authority's signing certificate is currently va ## Scenario 2 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's timestamp signing certificate is not yet valid.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's timestamp signing certificate is not yet valid. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3026.md b/docs/reference/errors-and-warnings/NU3026.md index 8d078a2d4..2fafbfb69 100644 --- a/docs/reference/errors-and-warnings/NU3026.md +++ b/docs/reference/errors-and-warnings/NU3026.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Warning NU3026 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The timestamp response is invalid. Nonces did not match.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The timestamp response is invalid. Nonces did not match. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3027.md b/docs/reference/errors-and-warnings/NU3027.md index 4a0316d6e..382dcad8f 100644 --- a/docs/reference/errors-and-warnings/NU3027.md +++ b/docs/reference/errors-and-warnings/NU3027.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Warning NU3027 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The signature should be timestamped to enable long-term signature validity after the certificate has expired.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The signature should be timestamped to enable long-term signature validity after the certificate has expired. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3028.md b/docs/reference/errors-and-warnings/NU3028.md index bbb2e1e8e..5ad0ba503 100644 --- a/docs/reference/errors-and-warnings/NU3028.md +++ b/docs/reference/errors-and-warnings/NU3028.md @@ -14,17 +14,22 @@ f1_keywords: *NuGet 4.6.0+* -
    The author primary signature's timestamp found a chain building issue: The revocation function was unable to check revocation because the revocation server could not be reached. For more information, visit https://aka.ms/certificateRevocationMode
    +> The author primary signature's timestamp found a chain building issue: The revocation function was unable to check revocation because the revocation server could not be reached. For more information, visit https://aka.ms/certificateRevocationMode ### Issue + Certificate chain building failed for the timestamp signature. The timestamp signing certificate is untrusted, revoked, or revocation information for the certificate is unavailable. -On Windows only, this issue may occur the first time a root certificate is observed. During certificate chain building, Windows fetches relevant 3rd party root certificates on first use and adds them as locally trusted root certificates. Internally, Windows initiates this network fetch with an RPC call, and if the system is sufficiently busy, this RPC call may fail. This failure results in the root certificate not being locally trusted. For NuGet users, the resulting error is "A certification chain processed correctly but terminated in a root certificate that is not trusted by the trust provider." +On Windows only, NU3028 may occur the first time a root certificate is observed and with the message "A certification chain processed correctly but terminated in a root certificate that is not trusted by the trust provider." If the issue is resolved with retries, [there is an option which may help](../Signed-Package-Verification-Options.md#retry-untrusted-root-failures). ### Solution + Use a trusted and valid certificate. Check internet connectivity. +For Linux and macOS, see [NuGet signed-package verification](/dotnet/core/tools/nuget-signed-package-verification). Specifically for untrusted root certificate warnings/errors on Linux and macOS, also see [NU3042](NU3042.md). + #### Revocation check mode + > [!Note] > This option is available starting from NuGet 4.8.1. @@ -36,19 +41,7 @@ However, in some cases, this may have unintended concequences such as the packag When the revocation check mode is set to `offline`, the warning will be downgraded to an informational level. -
    The author primary signature's timestamp found a chain building issue: The revocation function was unable to check revocation because the certificate is not available in the cached certificate revocation list and NUGET_CERT_REVOCATION_MODE environment variable has been set to offline. For more information, visit https://aka.ms/certificateRevocationMode.
    - -#### Retry untrusted root failures -> [!Note] -> This option is available starting from NuGet 6.0.0 Preview 5 and only applies to the Windows-specific failure described in the [Issue](#issue) section. - -Retrying will typically succeed. You can opt-in to an experimental, automatic retry for untrusted root failures on Windows by setting an environment variable named `NUGET_EXPERIMENTAL_CHAIN_BUILD_RETRY_POLICY` with a value consisting of 2 comma-delimited positive integers representing retry count and sleep interval in milliseconds, respectively. There are no default values; you need to pick retry values that are sensible for you. - -For example, setting the environment variable to a value of `3,1000` like so: - -
    set NUGET_EXPERIMENTAL_CHAIN_BUILD_RETRY_POLICY=3,1000
    - -...would try up to 4 times (initial try plus 3 retries) with 1 second (1,000 ms) between each try. +> The author primary signature's timestamp found a chain building issue: The revocation function was unable to check revocation because the certificate is not available in the cached certificate revocation list and NUGET_CERT_REVOCATION_MODE environment variable has been set to offline. For more information, visit https://aka.ms/certificateRevocationMode. > [!Note] > NU3028 is raised as an error in most cases. diff --git a/docs/reference/errors-and-warnings/NU3029.md b/docs/reference/errors-and-warnings/NU3029.md index 689e83f96..7eb3898f4 100644 --- a/docs/reference/errors-and-warnings/NU3029.md +++ b/docs/reference/errors-and-warnings/NU3029.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Warning NU3029 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The timestamp signature is invalid.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The timestamp signature is invalid. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3030.md b/docs/reference/errors-and-warnings/NU3030.md index 45c892b2b..1c1966246 100644 --- a/docs/reference/errors-and-warnings/NU3030.md +++ b/docs/reference/errors-and-warnings/NU3030.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Warning NU3030 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's timestamp's message imprint uses an unsupported hash algorithm.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's timestamp's message imprint uses an unsupported hash algorithm. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3031.md b/docs/reference/errors-and-warnings/NU3031.md index d590213c0..d065571b2 100644 --- a/docs/reference/errors-and-warnings/NU3031.md +++ b/docs/reference/errors-and-warnings/NU3031.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Warning NU3031 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The repository countersignature is invalid.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The repository countersignature is invalid. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3032.md b/docs/reference/errors-and-warnings/NU3032.md index 447de425b..3265c81ad 100644 --- a/docs/reference/errors-and-warnings/NU3032.md +++ b/docs/reference/errors-and-warnings/NU3032.md @@ -14,7 +14,7 @@ f1_keywords: ## Scenario 1 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The package already contains a repository countersignature. Please remove the existing signature before adding a new repository countersignature.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The package already contains a repository countersignature. Please remove the existing signature before adding a new repository countersignature. ### Issue @@ -29,7 +29,7 @@ Remove the existing signature before adding a new repository countersignature. ## Scenario 2 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The package signature contains multiple repository countersignatures.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The package signature contains multiple repository countersignatures. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3033.md b/docs/reference/errors-and-warnings/NU3033.md index ffabc561a..9349057ee 100644 --- a/docs/reference/errors-and-warnings/NU3033.md +++ b/docs/reference/errors-and-warnings/NU3033.md @@ -14,7 +14,7 @@ f1_keywords: ## Scenario 1 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': A repository primary signature must not have a repository countersignature.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': A repository primary signature must not have a repository countersignature. ### Issue @@ -28,7 +28,7 @@ Try to re-sign the package with either an author signature or a repository signa ## Scenario 2 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': A repository primary signature must not have a repository countersignature.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': A repository primary signature must not have a repository countersignature. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3034.md b/docs/reference/errors-and-warnings/NU3034.md index c1c139fd9..43886c386 100644 --- a/docs/reference/errors-and-warnings/NU3034.md +++ b/docs/reference/errors-and-warnings/NU3034.md @@ -1,8 +1,8 @@ --- title: NuGet Error NU3034 description: NU3034 Error code -author: patbel -ms.author: patbel +author: JonDouglas +ms.author: jodou ms.date: 11/12/2018 ms.topic: reference ms.reviewer: rmpablos @@ -12,10 +12,13 @@ f1_keywords: # NuGet Error NU3034 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': signatureValidationMode is set to require, so packages are allowed only if signed by trusted signers; however, no trusted signers were specified.
    -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The package signature certificate fingerprint does not match any certificate fingerprint in the allow list.
    -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': This repository indicated that all its packages are repository signed; however, it listed no signing certificates.
    -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': This package was not repository signed with a certificate listed by this repository.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': signatureValidationMode is set to require, so packages are allowed only if signed by trusted signers; however, no trusted signers were specified. + +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The package signature certificate fingerprint does not match any certificate fingerprint in the allow list. + +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': This repository indicated that all its packages are repository signed; however, it listed no signing certificates. + +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': This package was not repository signed with a certificate listed by this repository. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3036.md b/docs/reference/errors-and-warnings/NU3036.md index 8710049cc..854f65bdf 100644 --- a/docs/reference/errors-and-warnings/NU3036.md +++ b/docs/reference/errors-and-warnings/NU3036.md @@ -14,7 +14,7 @@ f1_keywords: ## Scenario 1 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The timestamp's generalized time is outside the timestamping certificate's validity period.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The timestamp's generalized time is outside the timestamping certificate's validity period. ### Issue @@ -29,7 +29,7 @@ Try to re-sign and timestamp the package. If the problem persists, contact the t ## Scenario 2 -
    Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's timestamp's generalized time is outside the timestamping certificate's validity period.
    +> Package 'SamplePackage v1.0.0' from source 'https://contoso.com/index.json': The primary signature's timestamp's generalized time is outside the timestamping certificate's validity period. ### Issue diff --git a/docs/reference/errors-and-warnings/NU3037.md b/docs/reference/errors-and-warnings/NU3037.md index 3119bb38a..0ae04c9ef 100644 --- a/docs/reference/errors-and-warnings/NU3037.md +++ b/docs/reference/errors-and-warnings/NU3037.md @@ -18,6 +18,7 @@ A NuGet package signature has expired. A package signature shares the same validity period as the certificate used to generate the signature. A package signature is invalid outside of that validity period. To ensure long-term validity --- even beyond the signing certificate’s validity period --- a package signature should be timestamped with a trusted timestamp. Trusted timestamps must be added while a package signature is still valid and not expired. +On Windows only, NU3037 may occur the first time a root certificate is observed and with the message "The repository primary signature validity period has expired." If the issue is resolved with retries, [there is an option which may help](../Signed-Package-Verification-Options.md#retry-untrusted-root-failures). ### Solution diff --git a/docs/reference/errors-and-warnings/NU3040.md b/docs/reference/errors-and-warnings/NU3040.md index 0040b2619..95b15be40 100644 --- a/docs/reference/errors-and-warnings/NU3040.md +++ b/docs/reference/errors-and-warnings/NU3040.md @@ -1,8 +1,8 @@ --- title: NuGet Warning NU3040 description: NU3040 Warning code -author: patbel -ms.author: patbel +author: JonDouglas +ms.author: jodou ms.date: 11/12/2018 ms.topic: reference ms.reviewer: rmpablos @@ -12,7 +12,7 @@ f1_keywords: # NuGet Warning NU3040 -
    There are two certificates with conflicting allowUntrustedRoot attributes in the computed settings. The allowUntrustedRoot attribute is going to be set to false. Certificate: SHA256-3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE
    +> There are two certificates with conflicting allowUntrustedRoot attributes in the computed settings. The allowUntrustedRoot attribute is going to be set to false. Certificate: SHA256-3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE ### Issue diff --git a/docs/reference/errors-and-warnings/NU3042.md b/docs/reference/errors-and-warnings/NU3042.md new file mode 100644 index 000000000..04497a9f6 --- /dev/null +++ b/docs/reference/errors-and-warnings/NU3042.md @@ -0,0 +1,46 @@ +--- +title: NuGet Warning NU3042 +description: NU3042 warning code +author: dtivel +ms.author: dtivel +ms.date: 03/22/2023 +ms.topic: reference +ms.reviewer: +f1_keywords: + - "NU3042" +--- + +# NuGet Warning NU3042 + +*NuGet 6.6.0+ on Linux and macOS only* + +> The following X.509 root certificate is untrusted because it is not present in the certificate bundle at <file-path>. For more information, see documentation for NU3042.
    +>     Subject: <certificate subject>
    +>     Fingerprint (SHA-256): <certificate fingerprint>
    +>     Certificate (PEM):
    +> <PEM-encoded certificate> + +### Issue + +Warning NU3042 is raised when signed package verification failed because a root certificate was not found in the appropriate trusted root certificate bundle, either code signing or timestamping. This warning will only be raised on Linux and macOS when signed package verification is enabled, never on Windows. NU3042 should accompany an [NU3018](NU3018.md) or [NU3028](NU3028.md). + +Each .NET 7+ SDK release contains two root certificate bundles sourced from the [Microsoft Trusted Root Program](https://aka.ms/RootCert). One certificate bundle contains all trusted roots valid for code signing, while the other contains all trusted roots valid for timestamping. NuGet uses these certificate bundles on Linux and macOS when signed package verification is enabled. + +On Linux, NuGet will prefer a system-wide code signing certificate bundle over the .NET SDK's code signing certificate bundle. + +The root cause for NU3042 is likely one of the following: + +* (Linux only) The system-wide code signing certificate bundle does not contain the root certificate referenced in the warning. +* The .NET SDK's certificate bundles are out of date. + +For more information, see [NuGet signed-package verification](/dotnet/core/tools/nuget-signed-package-verification). + +### Solution + +On Linux, if you trust the certificate and are using a system-wide code signing certificate bundle, consider adding the root certificate to the bundle. This solution may not be suitable because it will grant system-wide trust. + +If the .NET SDK's certificate bundles are out-of-date, update to a more recent release of the .NET SDK. + +If all else fails, opt out of signed package verification by setting the environment variable `DOTNET_NUGET_SIGNATURE_VERIFICATION` to `false` and [open an issue with the NuGet team](https://github.com/NuGet/Home/issues) to suggest how signed package verification can be improved on your platform. + +For more information, see [NuGet signed-package verification](/dotnet/core/tools/nuget-signed-package-verification). diff --git a/docs/reference/errors-and-warnings/NU3043.md b/docs/reference/errors-and-warnings/NU3043.md new file mode 100644 index 000000000..93cecd27d --- /dev/null +++ b/docs/reference/errors-and-warnings/NU3043.md @@ -0,0 +1,58 @@ +--- +title: NuGet Warning NU3043 +description: NU3043 warning code +author: kartheekp-ms +ms.date: 09/11/2024 +ms.topic: reference +f1_keywords: + - "NU3043" +--- + +# NuGet Warning NU3043 + +> Invalid value for `--certificate-fingerprint` option in the `dotnet nuget sign` command or the `CertificateFingerprint` option in the `NuGet.exe sign` command. +The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal). + +This warning is promoted to an error in the .NET 10 SDK, and will be promoted to an error in NuGet.exe around .NET 10's release. + +## Issue + +Starting with .NET 9 and NuGet.exe 6.12, NU3043 warning is raised when a SHA-1 certificate fingerprint is passed to the sign commands. +SHA-1 is considered insecure and should no longer be used. + +## Solution + +To resolve this warning, ensure that you provide a valid SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal) for the `--certificate-fingerprint` option in the `dotnet nuget sign` command or the `CertificateFingerprint` option in the `NuGet.exe sign` command. + +You can use the following scripts to compute SHA-2 family hashes for certificates. + +### PowerShell +To use the script, you need to save the certificate to a local folder. + +```powershell +$certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath) +$stream = [System.IO.MemoryStream]::new($certificate.RawData) + +Try +{ + (Get-FileHash -Algorithm SHA256 $stream).Hash +} +Finally +{ + $stream.Dispose() + $certificate.Dispose() +} +``` +### OpenSSL (Linux/macOS) + +If the certificate is in PEM or CRT format: +```sh +openssl x509 -in path/to/certificate -outform der | sha256sum +``` + +If the certificate is already in DER format: +```sh +sha256sum path/to/certificate +``` +> [!TIP] +> For SHA-384 or SHA-512, replace sha256sum with sha384sum or sha512sum as needed. diff --git a/docs/reference/errors-and-warnings/NU5001.md b/docs/reference/errors-and-warnings/NU5001.md index 101d6682f..c5ec558be 100644 --- a/docs/reference/errors-and-warnings/NU5001.md +++ b/docs/reference/errors-and-warnings/NU5001.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5001 -
    Unable to output resolved nuspec file because it would overwrite the original at 'F:\project\project.nuspec'.
    +> Unable to output resolved nuspec file because it would overwrite the original at 'F:\project\project.nuspec'. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5002.md b/docs/reference/errors-and-warnings/NU5002.md index 556e0aae8..24672a3ee 100644 --- a/docs/reference/errors-and-warnings/NU5002.md +++ b/docs/reference/errors-and-warnings/NU5002.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5002 -
    Please specify a nuspec, project.json, or project file to use.
    +> Please specify a nuspec, project.json, or project file to use. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5003.md b/docs/reference/errors-and-warnings/NU5003.md index 83e5e5c44..415f01851 100644 --- a/docs/reference/errors-and-warnings/NU5003.md +++ b/docs/reference/errors-and-warnings/NU5003.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5003 -
    Failed to build package because of an unsupported targetFramework value on 'System.Net'.
    +> Failed to build package because of an unsupported targetFramework value on 'System.Net'. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5004.md b/docs/reference/errors-and-warnings/NU5004.md index 70d0121ac..2e008e785 100644 --- a/docs/reference/errors-and-warnings/NU5004.md +++ b/docs/reference/errors-and-warnings/NU5004.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5004 -
    Failed to build package. Ensure 'F:\project\project.nuspec' includes assembly files. For help on building symbols package, visit http://docs.nuget.org/.
    +> Failed to build package. Ensure 'F:\project\project.nuspec' includes assembly files. For help on building symbols package, visit https://docs.nuget.org/. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5005.md b/docs/reference/errors-and-warnings/NU5005.md index 6506a3777..ef54649f9 100644 --- a/docs/reference/errors-and-warnings/NU5005.md +++ b/docs/reference/errors-and-warnings/NU5005.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5005 -
    Ensure 'F:\project\project.nuspec' includes source and symbol files. For help on building symbols package, visit http://docs.nuget.org/.
    +> Ensure 'F:\project\project.nuspec' includes source and symbol files. For help on building symbols package, visit https://docs.nuget.org/. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5007.md b/docs/reference/errors-and-warnings/NU5007.md index 203389722..3b499e554 100644 --- a/docs/reference/errors-and-warnings/NU5007.md +++ b/docs/reference/errors-and-warnings/NU5007.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5007 -
    No build found in F:\project\bin\Debug\net461\project.dll. Use the -Build option or build the project.
    +> No build found in F:\project\bin\Debug\net461\project.dll. Use the -Build option or build the project. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5008.md b/docs/reference/errors-and-warnings/NU5008.md index d013cdb86..c837ed1a4 100644 --- a/docs/reference/errors-and-warnings/NU5008.md +++ b/docs/reference/errors-and-warnings/NU5008.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5008 -
    Manifest file not found at 'F:\project\project.nuspec'
    +> Manifest file not found at 'F:\project\project.nuspec' ### Issue diff --git a/docs/reference/errors-and-warnings/NU5009.md b/docs/reference/errors-and-warnings/NU5009.md index 3da5c1008..792d50a34 100644 --- a/docs/reference/errors-and-warnings/NU5009.md +++ b/docs/reference/errors-and-warnings/NU5009.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5009 -
    Cannot find version of msbuild.
    +> Cannot find version of msbuild. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5010.md b/docs/reference/errors-and-warnings/NU5010.md index 4d94bf141..15c1a66f6 100644 --- a/docs/reference/errors-and-warnings/NU5010.md +++ b/docs/reference/errors-and-warnings/NU5010.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5010 -
    Version string specified for package reference '9.9.9.9.9' is invalid.
    +> Version string specified for package reference '9.9.9.9.9' is invalid. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5011.md b/docs/reference/errors-and-warnings/NU5011.md index 87469ed52..d437c1606 100644 --- a/docs/reference/errors-and-warnings/NU5011.md +++ b/docs/reference/errors-and-warnings/NU5011.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5011 -
    Unable to extract metadata from 'project.csproj'.
    +> Unable to extract metadata from 'project.csproj'. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5012.md b/docs/reference/errors-and-warnings/NU5012.md index 4e46b3aa1..ee612fa1c 100644 --- a/docs/reference/errors-and-warnings/NU5012.md +++ b/docs/reference/errors-and-warnings/NU5012.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5012 -
    Unable to find 'F:\project\bin\Debug\net461\project.dll'. Make sure the project has been built.
    +> Unable to find 'F:\project\bin\Debug\net461\project.dll'. Make sure the project has been built. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5013.md b/docs/reference/errors-and-warnings/NU5013.md index e1c551b00..187f889be 100644 --- a/docs/reference/errors-and-warnings/NU5013.md +++ b/docs/reference/errors-and-warnings/NU5013.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5013 -
    Failed to build 'project.csproj'
    +> Failed to build 'project.csproj' ### Issue diff --git a/docs/reference/errors-and-warnings/NU5014.md b/docs/reference/errors-and-warnings/NU5014.md index da935113f..cb07c53ac 100644 --- a/docs/reference/errors-and-warnings/NU5014.md +++ b/docs/reference/errors-and-warnings/NU5014.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5014 -
    Error occurred when processing file 'F:\project2\project2.csproj': The 'id' start tag on line 4 position 10 does not match the end tag of 'ids'. Line 4, position 20.
    +> Error occurred when processing file 'F:\project2\project2.csproj': The 'id' start tag on line 4 position 10 does not match the end tag of 'ids'. Line 4, position 20. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5015.md b/docs/reference/errors-and-warnings/NU5015.md index 34ddf8367..92c082f94 100644 --- a/docs/reference/errors-and-warnings/NU5015.md +++ b/docs/reference/errors-and-warnings/NU5015.md @@ -11,14 +11,16 @@ f1_keywords: --- # NuGet Error NU5015 -
    project.json cannot contain multiple Target Frameworks.
    + +> [!WARNING] +> project.json support has been removed starting with [NuGet 7.0](../../release-notes/NuGet-7.0.md) and this error will no longer be raised. + +> project.json cannot contain multiple Target Frameworks. ### Issue The project.json file passed to NuGet pack operation contains multiple target frameworks. - ### Solution Please fix the project.json file to contain only a single target framework. - diff --git a/docs/reference/errors-and-warnings/NU5016.md b/docs/reference/errors-and-warnings/NU5016.md index 74c14cc5c..d70ed874c 100644 --- a/docs/reference/errors-and-warnings/NU5016.md +++ b/docs/reference/errors-and-warnings/NU5016.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5016 -
    Package version constraints for 'NuGet.Versioning' return a version range that is empty.
    +> Package version constraints for 'NuGet.Versioning' return a version range that is empty. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5017.md b/docs/reference/errors-and-warnings/NU5017.md index ffda1be4e..67a3648c8 100644 --- a/docs/reference/errors-and-warnings/NU5017.md +++ b/docs/reference/errors-and-warnings/NU5017.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5017 -
    Cannot create a package that has no dependencies nor content.
    +> Cannot create a package that has no dependencies nor content. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5018.md b/docs/reference/errors-and-warnings/NU5018.md index 44b50fcc9..d505d56ac 100644 --- a/docs/reference/errors-and-warnings/NU5018.md +++ b/docs/reference/errors-and-warnings/NU5018.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5018 -
    Invalid assembly reference 'xunit.dll'. Ensure that a file named 'xunit.dll' exists in the lib directory.
    +> Invalid assembly reference 'xunit.dll'. Ensure that a file named 'xunit.dll' exists in the lib directory. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5019.md b/docs/reference/errors-and-warnings/NU5019.md index 165772bf3..a5195e127 100644 --- a/docs/reference/errors-and-warnings/NU5019.md +++ b/docs/reference/errors-and-warnings/NU5019.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5019 -
     File not found: 'bad_file.path'
    +> File not found: 'bad_file.path' ### Issue diff --git a/docs/reference/errors-and-warnings/NU5020.md b/docs/reference/errors-and-warnings/NU5020.md index b6c771748..56c685737 100644 --- a/docs/reference/errors-and-warnings/NU5020.md +++ b/docs/reference/errors-and-warnings/NU5020.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5020 -
    A source file was added with an empty path.
    +> A source file was added with an empty path. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5021.md b/docs/reference/errors-and-warnings/NU5021.md index d89e38f1c..d419bb941 100644 --- a/docs/reference/errors-and-warnings/NU5021.md +++ b/docs/reference/errors-and-warnings/NU5021.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5021 -
    The project directory for the source file 'src/Project/Code.cs' could not be found.
    +> The project directory for the source file 'src/Project/Code.cs' could not be found. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5022.md b/docs/reference/errors-and-warnings/NU5022.md index 370c50b8e..1656f4f02 100644 --- a/docs/reference/errors-and-warnings/NU5022.md +++ b/docs/reference/errors-and-warnings/NU5022.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5022 -
    MinClient Version string specified '9.9.9.9.9' is invalid.
    +> MinClient Version string specified '9.9.9.9.9' is invalid. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5023.md b/docs/reference/errors-and-warnings/NU5023.md index f88252691..9b319ac03 100644 --- a/docs/reference/errors-and-warnings/NU5023.md +++ b/docs/reference/errors-and-warnings/NU5023.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5023 -
    The assets file produced by restore does not exist. Try restoring the project again. The expected location of the assets file is F:\project\obj\project.assets.json.
    +> The assets file produced by restore does not exist. Try restoring the project again. The expected location of the assets file is F:\project\obj\project.assets.json. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5024.md b/docs/reference/errors-and-warnings/NU5024.md index c542ab37a..6350658f5 100644 --- a/docs/reference/errors-and-warnings/NU5024.md +++ b/docs/reference/errors-and-warnings/NU5024.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5024 -
    PackageVersion string specified '9.9.9.9.9' is invalid.
    +> PackageVersion string specified '9.9.9.9.9' is invalid. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5025.md b/docs/reference/errors-and-warnings/NU5025.md index e041791ea..3ed29ba0d 100644 --- a/docs/reference/errors-and-warnings/NU5025.md +++ b/docs/reference/errors-and-warnings/NU5025.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5025 -
    The assets file found does not contain a valid package spec. Try restoring the project again. The location of the assets file is F:\project\obj\project.assets.json.
    +> The assets file found does not contain a valid package spec. Try restoring the project again. The location of the assets file is F:\project\obj\project.assets.json. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5026.md b/docs/reference/errors-and-warnings/NU5026.md index 239d61f4e..b1d9917cc 100644 --- a/docs/reference/errors-and-warnings/NU5026.md +++ b/docs/reference/errors-and-warnings/NU5026.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5026 -
    The file ''F:\project\bin\Debug\net461\project.exe' to be packed was not found on disk.
    +> The file ''F:\project\bin\Debug\net461\project.exe' to be packed was not found on disk. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5027.md b/docs/reference/errors-and-warnings/NU5027.md index e5261eeb7..8effdd12b 100644 --- a/docs/reference/errors-and-warnings/NU5027.md +++ b/docs/reference/errors-and-warnings/NU5027.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5027 -
    Invalid target framework for the file 'F:\project\project.dll'.
    +> Invalid target framework for the file 'F:\project\project.dll'. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5028.md b/docs/reference/errors-and-warnings/NU5028.md index 12c7ad06f..2b8e8b89e 100644 --- a/docs/reference/errors-and-warnings/NU5028.md +++ b/docs/reference/errors-and-warnings/NU5028.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5028 -
    No project was provided to the PackTask.
    +> No project was provided to the PackTask. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5029.md b/docs/reference/errors-and-warnings/NU5029.md index f6e5ff460..18e600f49 100644 --- a/docs/reference/errors-and-warnings/NU5029.md +++ b/docs/reference/errors-and-warnings/NU5029.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5029 -
    NuspecProperties should be in the form of 'key1=value1;key2=value2'.
    +> NuspecProperties should be in the form of 'key1=value1;key2=value2'. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5030.md b/docs/reference/errors-and-warnings/NU5030.md index 654669992..e7e76da82 100644 --- a/docs/reference/errors-and-warnings/NU5030.md +++ b/docs/reference/errors-and-warnings/NU5030.md @@ -10,7 +10,7 @@ f1_keywords: --- # NuGet Error NU5030 -
    The license file 'LICENSE.txt' does not exist in the package.
    +> The license file 'LICENSE.txt' does not exist in the package. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5031.md b/docs/reference/errors-and-warnings/NU5031.md index 01ccd5ea7..e87a11e57 100644 --- a/docs/reference/errors-and-warnings/NU5031.md +++ b/docs/reference/errors-and-warnings/NU5031.md @@ -10,7 +10,7 @@ f1_keywords: --- # NuGet Error NU5031 -
    The license file 'LICENSE.txt' has an invalid extension. Valid options are .txt, .md or none.
    +> The license file 'LICENSE.txt' has an invalid extension. Valid options are .txt, .md or none. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5032.md b/docs/reference/errors-and-warnings/NU5032.md index afc9634db..886e4c77e 100644 --- a/docs/reference/errors-and-warnings/NU5032.md +++ b/docs/reference/errors-and-warnings/NU5032.md @@ -10,7 +10,7 @@ f1_keywords: --- # NuGet Error NU5032 -
    The license expression 'MIT OR OR Apache-2.0' cannot be parsed succesfully. The license expression is invalid.
    +> The license expression 'MIT OR OR Apache-2.0' cannot be parsed succesfully. The license expression is invalid. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5033.md b/docs/reference/errors-and-warnings/NU5033.md index 3569d58db..0840e32dd 100644 --- a/docs/reference/errors-and-warnings/NU5033.md +++ b/docs/reference/errors-and-warnings/NU5033.md @@ -10,7 +10,7 @@ f1_keywords: --- # NuGet Error NU5033 -
    Invalid metadata. Cannot specify both a License Expression and a License File.
    +> Invalid metadata. Cannot specify both a License Expression and a License File. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5034.md b/docs/reference/errors-and-warnings/NU5034.md index 1db56fd9e..e44ae8707 100644 --- a/docs/reference/errors-and-warnings/NU5034.md +++ b/docs/reference/errors-and-warnings/NU5034.md @@ -10,7 +10,7 @@ f1_keywords: --- # NuGet Error NU5034 -
    The PackageLicenseExpressionVersion string '2.0.0-InvalidSystemVersion' is not a valid version.
    +> The PackageLicenseExpressionVersion string '2.0.0-InvalidSystemVersion' is not a valid version. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5035.md b/docs/reference/errors-and-warnings/NU5035.md index 472e217be..d2b8aa165 100644 --- a/docs/reference/errors-and-warnings/NU5035.md +++ b/docs/reference/errors-and-warnings/NU5035.md @@ -10,7 +10,7 @@ f1_keywords: --- # NuGet Error NU5035 -
    The PackageLicenseUrl cannot be used in conjunction with the PackageLicenseFile and PackageLicenseExpression.
    +> The PackageLicenseUrl cannot be used in conjunction with the PackageLicenseFile and PackageLicenseExpression. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5036.md b/docs/reference/errors-and-warnings/NU5036.md index 0859655d4..bd3f14d75 100644 --- a/docs/reference/errors-and-warnings/NU5036.md +++ b/docs/reference/errors-and-warnings/NU5036.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5036 -
    This package has an improperly escaped Url in LicenseUrl
    +> This package has an improperly escaped Url in LicenseUrl ### Issue diff --git a/docs/reference/errors-and-warnings/NU5037.md b/docs/reference/errors-and-warnings/NU5037.md index af357a185..bf74dc5c8 100644 --- a/docs/reference/errors-and-warnings/NU5037.md +++ b/docs/reference/errors-and-warnings/NU5037.md @@ -11,7 +11,8 @@ f1_keywords: --- # NuGet Error NU5037 -
    The package is missing the required nuspec file.
    + +> The package is missing the required nuspec file. ### Issue @@ -29,9 +30,7 @@ Contact the package author. Restore fails for a project managed with the `PackageReference` format. For example: -``` -The package is missing the required nuspec file. Path: C:\.\.\.nuget\packages\x\1.0.0.'x' represents package name and '1.0.0' represents package version. -``` +> The package is missing the required nuspec file. Path: C:\.\.\.nuget\packages\x\1.0.0.'x' represents package name and '1.0.0' represents package version. ### Solution diff --git a/docs/reference/errors-and-warnings/NU5038.md b/docs/reference/errors-and-warnings/NU5038.md index 27b38557a..282d1f988 100644 --- a/docs/reference/errors-and-warnings/NU5038.md +++ b/docs/reference/errors-and-warnings/NU5038.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Error NU5038 -
    The readme file 'readme.txt' has an invalid extension. It must end in .md.
    +> The readme file 'readme.txt' has an invalid extension. It must end in .md. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5039.md b/docs/reference/errors-and-warnings/NU5039.md index 31b4b9e51..ddc6034f1 100644 --- a/docs/reference/errors-and-warnings/NU5039.md +++ b/docs/reference/errors-and-warnings/NU5039.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Error NU5039 -
    The readme file 'readme.md' does not exist in the package.
    +> The readme file 'readme.md' does not exist in the package. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5040.md b/docs/reference/errors-and-warnings/NU5040.md index 0d90383ef..de314e8bb 100644 --- a/docs/reference/errors-and-warnings/NU5040.md +++ b/docs/reference/errors-and-warnings/NU5040.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Error NU5040 -
    The readme file 'readme.md' is empty.
    +> The readme file 'readme.md' is empty. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5041.md b/docs/reference/errors-and-warnings/NU5041.md index 7574654df..a6278fb0c 100644 --- a/docs/reference/errors-and-warnings/NU5041.md +++ b/docs/reference/errors-and-warnings/NU5041.md @@ -12,7 +12,7 @@ f1_keywords: # NuGet Error NU5041 -
    Cannot open the readme file 'readme.md'
    +> Cannot open the readme file 'readme.md' ### Issue diff --git a/docs/reference/errors-and-warnings/NU5042.md b/docs/reference/errors-and-warnings/NU5042.md index 2ebf18b01..9fd147aa3 100644 --- a/docs/reference/errors-and-warnings/NU5042.md +++ b/docs/reference/errors-and-warnings/NU5042.md @@ -9,11 +9,14 @@ f1_keywords: - "NU5042" --- -# NuGet Error NU5042 +# NuGet Error NU5042 (Obsolete) -
    `project.json` pack is disabled in the current NuGet version, and will be permanently removed in a future version.
-Please consider migrating 'MyProject' to `PackageReference` and using the pack targets.
-You can set the 'NUGET_ENABLE_LEGACY_PROJECT_JSON_PACK' environment variable to 'true' to temporarily reenable this functionality.
    +> [!WARNING] +> project.json support has been removed starting with [NuGet 7.0](../../release-notes/NuGet-7.0.md) and this error will no longer be raised. + +> `project.json` pack is disabled in the current NuGet version, and will be permanently removed in a future version. +> Please consider migrating 'MyProject' to `PackageReference` and using the pack targets. +> You can set the 'NUGET_ENABLE_LEGACY_PROJECT_JSON_PACK' environment variable to 'true' to temporarily reenable this functionality. ### Issue @@ -21,4 +24,4 @@ NuGet.exe pack for project.json projects is not supported. ### Solution -Migrate your project to PackageReference and use the pack targets instead. \ No newline at end of file +[Migrate your project to PackageReference](../../archive/project-json.md#migrate-projectjson-to-packagereference) and use the pack targets instead. diff --git a/docs/reference/errors-and-warnings/NU5045.md b/docs/reference/errors-and-warnings/NU5045.md index a38ca3a7c..897e0f521 100644 --- a/docs/reference/errors-and-warnings/NU5045.md +++ b/docs/reference/errors-and-warnings/NU5045.md @@ -10,7 +10,7 @@ f1_keywords: # NuGet Warning NU5045 -
    The 'icon' element 'icon.svg' has an invalid file extension. Valid options are .png, .jpg or .jpeg.
    +> The 'icon' element 'icon.svg' has an invalid file extension. Valid options are .png, .jpg or .jpeg. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5046.md b/docs/reference/errors-and-warnings/NU5046.md index aa0130d9d..5825565ee 100644 --- a/docs/reference/errors-and-warnings/NU5046.md +++ b/docs/reference/errors-and-warnings/NU5046.md @@ -1,8 +1,8 @@ --- title: NuGet Error NU5046 description: NU5046 Error code -author: dominoFire -ms.author: feaguila +author: JonDouglas +ms.author: jodou ms.date: 9/4/2019 ms.topic: reference ms.reviewer: karann @@ -12,7 +12,7 @@ f1_keywords: # NuGet Error NU5046 -
    The icon file 'icon.png' does not exist in the package.
    +> The icon file 'icon.png' does not exist in the package. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5047.md b/docs/reference/errors-and-warnings/NU5047.md index dc8604639..44a3a86e2 100644 --- a/docs/reference/errors-and-warnings/NU5047.md +++ b/docs/reference/errors-and-warnings/NU5047.md @@ -1,8 +1,8 @@ --- title: NuGet Error NU5047 description: NU5047 Error code -author: dominoFire -ms.author: feaguila +author: JonDouglas +ms.author: jodou ms.date: 9/4/2019 ms.topic: reference ms.reviewer: karann @@ -12,7 +12,7 @@ f1_keywords: # NuGet Error NU5047 -
    The icon file size must not exceed 1 megabyte.
    +> The icon file size must not exceed 1 megabyte. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5048.md b/docs/reference/errors-and-warnings/NU5048.md index 26340e502..e948b398b 100644 --- a/docs/reference/errors-and-warnings/NU5048.md +++ b/docs/reference/errors-and-warnings/NU5048.md @@ -2,7 +2,7 @@ title: NuGet Warning NU5048 description: NU5048 Warning code author: dominoFire -ms.author: feaguila +ms.author: jodou ms.date: 9/4/2019 ms.topic: reference ms.reviewer: karann @@ -12,7 +12,7 @@ f1_keywords: # NuGet Warning NU5048 -
    The 'PackageIconUrl'/'iconUrl' element is deprecated. Consider using the 'PackageIcon'/'icon' element instead. Learn more at https://aka.ms/deprecateIconUrl
    +> The 'PackageIconUrl'/'iconUrl' element is deprecated. Consider using the 'PackageIcon'/'icon' element instead. Learn more at https://aka.ms/deprecateIconUrl ### Issue diff --git a/docs/reference/errors-and-warnings/NU5049.md b/docs/reference/errors-and-warnings/NU5049.md index 65b97276e..4e186a366 100644 --- a/docs/reference/errors-and-warnings/NU5049.md +++ b/docs/reference/errors-and-warnings/NU5049.md @@ -11,7 +11,7 @@ f1_keywords: # NuGet Error NU5049 -
    The `pack` command for SDK-style projects is not supported, use `dotnet pack` or `msbuild -t:pack` to pack this project instead. You can override this behavior by setting the 'NUGET_ENABLE_LEGACY_CSPROJ_PACK' environment variable to 'true'.
    +> The `pack` command for SDK-style projects is not supported, use `dotnet pack` or `msbuild -t:pack` to pack this project instead. You can override this behavior by setting the 'NUGET_ENABLE_LEGACY_CSPROJ_PACK' environment variable to 'true'. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5100.md b/docs/reference/errors-and-warnings/NU5100.md index 8ae38a462..fe9fa082b 100644 --- a/docs/reference/errors-and-warnings/NU5100.md +++ b/docs/reference/errors-and-warnings/NU5100.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Warning NU5100 -
    The assembly 'bin\Debug\net461\project.dll' is not inside the 'lib' folder and hence it won't be added as a reference when the package is installed into a project. Move it into the 'lib' folder if it needs to be referenced.
    +> The assembly 'bin\Debug\net461\project.dll' is not inside the 'lib' folder and hence it won't be added as a reference when the package is installed into a project. Move it into the 'lib' folder if it needs to be referenced. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5101.md b/docs/reference/errors-and-warnings/NU5101.md index 9a20f02fb..4f884638b 100644 --- a/docs/reference/errors-and-warnings/NU5101.md +++ b/docs/reference/errors-and-warnings/NU5101.md @@ -13,7 +13,7 @@ f1_keywords: # NuGet Warning NU5101 ## Scenario 1 -
    The assembly 'lib\project.dll' is placed directly under 'lib' folder. It is recommended that assemblies be placed inside a framework-specific folder. Move it into a framework-specific folder.
    +> The assembly 'lib\project.dll' is placed directly under 'lib' folder. It is recommended that assemblies be placed inside a framework-specific folder. Move it into a framework-specific folder. ### Issue @@ -26,7 +26,7 @@ While packaging a folder please ensure that all assembly files are placed inside ## Scenario 2 -
    The assembly 'lib\project.dll' will be ignored when the package is installed after the migration.
    +> The assembly 'lib\project.dll' will be ignored when the package is installed after the migration. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5102.md b/docs/reference/errors-and-warnings/NU5102.md index 25cf64e5e..c95d23f99 100644 --- a/docs/reference/errors-and-warnings/NU5102.md +++ b/docs/reference/errors-and-warnings/NU5102.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Warning NU5102 -
    The value "http://project_url_here_or_delete_this_line/" for ProjectUrl is a sample value and should be removed. Replace it with an appropriate value or remove it and rebuild your package.
    +> The value "http://project_url_here_or_delete_this_line/" for ProjectUrl is a sample value and should be removed. Replace it with an appropriate value or remove it and rebuild your package. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5103.md b/docs/reference/errors-and-warnings/NU5103.md index 9f94a4c60..ab9bd4c60 100644 --- a/docs/reference/errors-and-warnings/NU5103.md +++ b/docs/reference/errors-and-warnings/NU5103.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Warning NU5103 -
    The folder 'lib\random_tfm\temp.dll' under 'lib' is not recognized as a valid framework name or a supported culture identifier. Rename it to a valid framework name or culture identifier.
    +> The folder 'lib\random_tfm\temp.dll' under 'lib' is not recognized as a valid framework name or a supported culture identifier. Rename it to a valid framework name or culture identifier. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5104.md b/docs/reference/errors-and-warnings/NU5104.md index 860b0d909..a25e8b315 100644 --- a/docs/reference/errors-and-warnings/NU5104.md +++ b/docs/reference/errors-and-warnings/NU5104.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Warning NU5104 -
    A stable release of a package should not have a prerelease dependency. Either modify the version spec of dependency "NuGet.Versioning [4.7.0-preview4.5065, )" or update the version field in the nuspec.
    +> A stable release of a package should not have a prerelease dependency. Either modify the version spec of dependency "NuGet.Versioning [4.7.0-preview4.5065, )" or update the version field in the nuspec. ### Issue @@ -22,3 +22,5 @@ The project or nuspec being packaged contains a dependency on a prerelease packa If you intend to create a prerelease package then please refer to SemVer2 guidelines and add a prerelease tag to the version property i.e. `1.0.0-pre`. If you intend to create a stable package then please update the specified dependency version to a stable version. +> [!NOTE] +> Mixing stable and prerelease packages may lead to unexpected behaviors at resolution time. Learn more about how [PackageReference](../../concepts/Dependency-Resolution.md#version-ranges-and-prerelease-versions-with-packagereference) and [packages.config](../../concepts/Dependency-Resolution.md#version-ranges-and-prerelease-versions-with-packagesconfig) projects handle this resolution. diff --git a/docs/reference/errors-and-warnings/NU5105.md b/docs/reference/errors-and-warnings/NU5105.md index 4c278c447..da447a0c9 100644 --- a/docs/reference/errors-and-warnings/NU5105.md +++ b/docs/reference/errors-and-warnings/NU5105.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Warning NU5105 -
    The package version '1.2.3+semver2.metadata' uses SemVer 2.0.0 or components of SemVer 1.0.0 that are not supported on legacy clients. Change the package version to a SemVer 1.0.0 string. If the version contains a release label it must start with a letter. This message can be ignored if the package is not intended for older clients.
    +> The package version '1.2.3+semver2.metadata' uses SemVer 2.0.0 or components of SemVer 1.0.0 that are not supported on legacy clients. Change the package version to a SemVer 1.0.0 string. If the version contains a release label it must start with a letter. This message can be ignored if the package is not intended for older clients. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5106.md b/docs/reference/errors-and-warnings/NU5106.md index 52524a311..637373f03 100644 --- a/docs/reference/errors-and-warnings/NU5106.md +++ b/docs/reference/errors-and-warnings/NU5106.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Warning NU5106 -
    The file at 'lib\WinRT\temp.dll' uses the obsolete 'WinRT' as the framework folder. Replace 'WinRT' or 'WinRT45' with 'NetCore45'.
    +> The file at 'lib\WinRT\temp.dll' uses the obsolete 'WinRT' as the framework folder. Replace 'WinRT' or 'WinRT45' with 'NetCore45'. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5107.md b/docs/reference/errors-and-warnings/NU5107.md index 595d1ace8..3ae39e017 100644 --- a/docs/reference/errors-and-warnings/NU5107.md +++ b/docs/reference/errors-and-warnings/NU5107.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Warning NU5107 -
    The file 'tools/subfolder/init.ps1' will be ignored by NuGet because it is not directly under 'tools' folder. Place the file directly under 'tools' folder.
    +> The file 'tools/subfolder/init.ps1' will be ignored by NuGet because it is not directly under 'tools' folder. Place the file directly under 'tools' folder. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5108.md b/docs/reference/errors-and-warnings/NU5108.md index dd7774181..ce801cc36 100644 --- a/docs/reference/errors-and-warnings/NU5108.md +++ b/docs/reference/errors-and-warnings/NU5108.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Warning NU5108 -
    The transform file 'other\code.pp' is outside the 'content' folder and hence will not be transformed during installation of this package. Move it into the 'content' folder.
    +> The transform file 'other\code.pp' is outside the 'content' folder and hence will not be transformed during installation of this package. Move it into the 'content' folder. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5109.md b/docs/reference/errors-and-warnings/NU5109.md index 26ff11cc8..9641ff624 100644 --- a/docs/reference/errors-and-warnings/NU5109.md +++ b/docs/reference/errors-and-warnings/NU5109.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Warning NU5109 -
    The file at 'tools/_._' uses the symbol for empty directory '_._', but it is present in a directory that contains other files. Please remove this file from directories that contain other files.
    +> The file at 'tools/_._' uses the symbol for empty directory '_._', but it is present in a directory that contains other files. Please remove this file from directories that contain other files. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5110.md b/docs/reference/errors-and-warnings/NU5110.md index fe9b4a099..191f63eab 100644 --- a/docs/reference/errors-and-warnings/NU5110.md +++ b/docs/reference/errors-and-warnings/NU5110.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Warning NU5110 -
    The script file 'other\init.ps1' is outside the 'tools' folder and hence will not be executed during installation of this package. Move it into the 'tools' folder.
    +> The script file 'other\init.ps1' is outside the 'tools' folder and hence will not be executed during installation of this package. Move it into the 'tools' folder. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5111.md b/docs/reference/errors-and-warnings/NU5111.md index 962d82d3d..fee3943e9 100644 --- a/docs/reference/errors-and-warnings/NU5111.md +++ b/docs/reference/errors-and-warnings/NU5111.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Warning NU5111 -
    The script file 'tools\random.ps1' is not recognized by NuGet and hence will not be executed during installation of this package. Rename it to install.ps1, uninstall.ps1 or init.ps1 and place it directly under 'tools'.
    +> The script file 'tools\random.ps1' is not recognized by NuGet and hence will not be executed during installation of this package. Rename it to install.ps1, uninstall.ps1 or init.ps1 and place it directly under 'tools'. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5112.md b/docs/reference/errors-and-warnings/NU5112.md index 192844f22..8b77a6fed 100644 --- a/docs/reference/errors-and-warnings/NU5112.md +++ b/docs/reference/errors-and-warnings/NU5112.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Warning NU5112 -
    The version of dependency 'NuGet.Versioning' is not specified. Specify the version of dependency and rebuild your package.
    +> The version of dependency 'NuGet.Versioning' is not specified. Specify the version of dependency and rebuild your package. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5114.md b/docs/reference/errors-and-warnings/NU5114.md index a2dfc2236..4a5d32b9b 100644 --- a/docs/reference/errors-and-warnings/NU5114.md +++ b/docs/reference/errors-and-warnings/NU5114.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Warning NU5114 -
    'SolutionDir' key already exists in Properties collection. Overriding value.
    +> 'SolutionDir' key already exists in Properties collection. Overriding value. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5115.md b/docs/reference/errors-and-warnings/NU5115.md index 941c84d85..d9c6a8a3d 100644 --- a/docs/reference/errors-and-warnings/NU5115.md +++ b/docs/reference/errors-and-warnings/NU5115.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Warning NU5115 -
    Description was not specified. Using 'Description'.
    +> Description was not specified. Using 'Description'. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5116.md b/docs/reference/errors-and-warnings/NU5116.md index 7127aaebe..469fbfc1a 100644 --- a/docs/reference/errors-and-warnings/NU5116.md +++ b/docs/reference/errors-and-warnings/NU5116.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Warning NU5116 -
     'Content\sample.txt' was included in the project but doesn't exist. Skipping...
    +> 'Content\sample.txt' was included in the project but doesn't exist. Skipping... ### Issue diff --git a/docs/reference/errors-and-warnings/NU5117.md b/docs/reference/errors-and-warnings/NU5117.md index 3d198a771..187fb6c8b 100644 --- a/docs/reference/errors-and-warnings/NU5117.md +++ b/docs/reference/errors-and-warnings/NU5117.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Warning NU5117 -
     '$(MSBuildProjectDirectory)/tools/sample.txt' was included in the project but the path could not be resolved. Skipping...
    +> '$(MSBuildProjectDirectory)/tools/sample.txt' was included in the project but the path could not be resolved. Skipping... ### Issue diff --git a/docs/reference/errors-and-warnings/NU5118.md b/docs/reference/errors-and-warnings/NU5118.md index a8bf62a31..99b5e5242 100644 --- a/docs/reference/errors-and-warnings/NU5118.md +++ b/docs/reference/errors-and-warnings/NU5118.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Warning NU5118 -
    File 'F :\validation\test\proj\tools\readme.1.txt' is not added because the package already contains file 'tools\readme.txt'
    +> File 'F :\validation\test\proj\tools\readme.1.txt' is not added because the package already contains file 'tools\readme.txt' ### Issue diff --git a/docs/reference/errors-and-warnings/NU5119.md b/docs/reference/errors-and-warnings/NU5119.md index 619691945..8b92ad1fa 100644 --- a/docs/reference/errors-and-warnings/NU5119.md +++ b/docs/reference/errors-and-warnings/NU5119.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Warning NU5119 -
    File 'F:\project\binary\Libuv.1.10.0.nupkg' was not added to the package. Files and folders starting with '.' or ending with '.nupkg' are excluded by default. To include this file, use -NoDefaultExcludes from the commandline
    +> File 'F:\project\binary\Libuv.1.10.0.nupkg' was not added to the package. Files and folders starting with '.' or ending with '.nupkg' are excluded by default. To include this file, use -NoDefaultExcludes from the commandline ### Issue diff --git a/docs/reference/errors-and-warnings/NU5120.md b/docs/reference/errors-and-warnings/NU5120.md index bd45bd1d7..18e7a1db9 100644 --- a/docs/reference/errors-and-warnings/NU5120.md +++ b/docs/reference/errors-and-warnings/NU5120.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Warning NU5120 -
    install.ps1 script will be ignored when the package is installed after the migration.
    +> install.ps1 script will be ignored when the package is installed after the migration. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5121.md b/docs/reference/errors-and-warnings/NU5121.md index 31ee44496..f2a3aeb8f 100644 --- a/docs/reference/errors-and-warnings/NU5121.md +++ b/docs/reference/errors-and-warnings/NU5121.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Warning NU5121 -
     'content' assets will not be available when the package is installed after the migration.
    +> 'content' assets will not be available when the package is installed after the migration. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5122.md b/docs/reference/errors-and-warnings/NU5122.md index fa928b1fc..01a31181a 100644 --- a/docs/reference/errors-and-warnings/NU5122.md +++ b/docs/reference/errors-and-warnings/NU5122.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Warning NU5122 -
    XDT transform file 'tools/transform.xdt' will not be applied when the package is installed after the migration.
    +> XDT transform file 'tools/transform.xdt' will not be applied when the package is installed after the migration. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5123.md b/docs/reference/errors-and-warnings/NU5123.md index 7931c2c37..3ac6486ea 100644 --- a/docs/reference/errors-and-warnings/NU5123.md +++ b/docs/reference/errors-and-warnings/NU5123.md @@ -11,7 +11,7 @@ f1_keywords: --- # NuGet Warning NU5123 -
    The file 'content/<LongPath>/readme.txt' path, name, or both are too long. Your package might not work without long file path support. Please shorten the file path or file name.
    +> The file 'content/<LongPath>/readme.txt' path, name, or both are too long. Your package might not work without long file path support. Please shorten the file path or file name. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5124.md b/docs/reference/errors-and-warnings/NU5124.md index 39fcaec77..522840ba3 100644 --- a/docs/reference/errors-and-warnings/NU5124.md +++ b/docs/reference/errors-and-warnings/NU5124.md @@ -10,7 +10,7 @@ f1_keywords: --- # NuGet Warning NU5124 -
    The license identifier 'Microsoft-SpecialLicense' is not recognized by the current toolset.
    +> The license identifier 'Microsoft-SpecialLicense' is not recognized by the current toolset. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5125.md b/docs/reference/errors-and-warnings/NU5125.md index d6a21b797..313f74c7a 100644 --- a/docs/reference/errors-and-warnings/NU5125.md +++ b/docs/reference/errors-and-warnings/NU5125.md @@ -10,7 +10,7 @@ f1_keywords: --- # NuGet Warning NU5125 -
    The 'licenseUrl' element will be deprecated. Consider using the 'license' element instead.
    +> The 'licenseUrl' element will be deprecated. Consider using the 'license' element instead. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5126.md b/docs/reference/errors-and-warnings/NU5126.md index a91a1d10b..43224ecb2 100644 --- a/docs/reference/errors-and-warnings/NU5126.md +++ b/docs/reference/errors-and-warnings/NU5126.md @@ -10,7 +10,7 @@ f1_keywords: # NuGet Warning NU5126 -
    `project.json` pack is deprecated. Please consider migrating '{0}' to `PackageReference` and using the pack targets
    +> `project.json` pack is deprecated. Please consider migrating '{0}' to `PackageReference` and using the pack targets ### Issue diff --git a/docs/reference/errors-and-warnings/NU5127.md b/docs/reference/errors-and-warnings/NU5127.md index 8e1ba098f..5e50a7523 100644 --- a/docs/reference/errors-and-warnings/NU5127.md +++ b/docs/reference/errors-and-warnings/NU5127.md @@ -2,23 +2,31 @@ title: NuGet Warning NU5127 description: NU5127 Warning code author: zivkan -ms.date: 09/20/2019 +ms.date: 05/05/2025 ms.topic: reference -ms.reviewer: karann f1_keywords: - NU5127 --- # NuGet Warning NU5127 -
    This package does not contain a lib/ or ref/ folder, and will therefore be treated as compatible for all frameworks. Since framework specific files were found under the build/ directory for net45, netstandard2.0, consider creating the following empty files to correctly narrow the compatibility of the package:
--lib/net45/_._
--lib/netstandard2.0/_._
    +> This package does not contain a lib/ or ref/ folder, and will therefore be treated as compatible for all frameworks. Since framework specific files were found under the build/ directory for net45, netstandard2.0, consider creating the following empty files to correctly narrow the compatibility of the package:
    +> -lib/net45/_._
    +> -lib/netstandard2.0/_._ ### Issue -Projects using packages with `PackageReference` only use `lib/` and `ref/` assemblies to determine package compatibility. Therefore, a package without any `lib/` or `ref/` files will be considered compatible with all projects. However, if that package contains build files specific to one or more [Target Framework Monikers (TFMs)](../target-frameworks.md), a package consumer may expect the package to fail if none of the build files are used. +Projects using packages with `PackageReference` only use `lib/` and `ref/` assemblies to determine package compatibility. +Therefore, a package without any `lib/` or `ref/` files will be considered compatible with all projects. +However, packages containing MSBuild props or targets that are specific to one or more target frameworks show intent in only being compatible with those target frameworks. + +For example, consider a package `PackageA` contains a single file, `build/net8.0/PackageA.targets`. +If this package is referenced by a project targeting `net48` (.NET Framework, Version 4.8), NuGet will not emit any warnings or errors, but also will not select any assets from the package. +Therefore, the package consumer will not be notified that the package does not work correctly with their project. ### Solution -As the warning message suggests, create an empty file named `_._` in the lib folder for the TFMs listed. This will allow NuGet to fail the restore for `PackageReference` projects when the project is incompatible with the package. +As the warning message suggests, create an empty file named `_._` in the lib folder for the TFMs listed. +This will allow NuGet to fail the restore for `PackageReference` projects when the project is incompatible with the package. + +If your package is intended to be compatible with all target frameworks, but only take effect for certain target frameworks, create a file `build/{PackageId}.props` whose contents are ``. diff --git a/docs/reference/errors-and-warnings/NU5128.md b/docs/reference/errors-and-warnings/NU5128.md index 7ded238b1..c2b14d33a 100644 --- a/docs/reference/errors-and-warnings/NU5128.md +++ b/docs/reference/errors-and-warnings/NU5128.md @@ -13,8 +13,8 @@ f1_keywords: ## Scenario 1 -
    Some target frameworks declared in the dependencies group of the nuspec and the lib/ref folder do not have exact matches in the other location. Consult the list of actions below:
-- Add a dependency group for .NETStandard2.0 to the nuspec
    +> Some target frameworks declared in the dependencies group of the nuspec and the lib/ref folder do not have exact matches in the other location. Consult the list of actions below: +> - Add a dependency group for .NETStandard2.0 to the nuspec ### Issue @@ -50,8 +50,8 @@ If you do not wish your package to be compatible with the reported TFM, modify y ## Scenario 2 -
    Some target frameworks declared in the dependencies group of the nuspec and the lib/ref folder do not have exact matches in the other location. Consult the list of actions below:
-- Add lib or ref assemblies for the netstandard2.0 target framework
    +> Some target frameworks declared in the dependencies group of the nuspec and the lib/ref folder do not have exact matches in the other location. Consult the list of actions below: +> - Add lib or ref assemblies for the netstandard2.0 target framework ### Issue diff --git a/docs/reference/errors-and-warnings/NU5129.md b/docs/reference/errors-and-warnings/NU5129.md index ccd56200c..3e75b385f 100644 --- a/docs/reference/errors-and-warnings/NU5129.md +++ b/docs/reference/errors-and-warnings/NU5129.md @@ -11,9 +11,7 @@ f1_keywords: # NuGet Warning NU5129 -``` -At least one . file was found in '//', but '//.' was not. -``` +> At least one .<extension> file was found in '<build_folder>/<tfm>/', but '<build_folder>/<tfm>/<package_id>.<extension>' was not. `` is one of: `targets`, `props`. `` is one of: `build`, `buildTransitive`, `buildCrossTargeting`, `buildMultiTargeting`. @@ -22,13 +20,16 @@ At least one . file was found in '//', but ' At least one .targets file was found in 'build/netstandard2.0/', but 'build/netstandard2.0/MyPackage.targets' was not. + +> At least one .props file was found in 'build/netstandard2.0/', but 'build/netstandard2.0/MyPackage.props' was not. + +> At least one .props file was found in 'buildTransitive/net472/', but 'buildTransitive/net472/My.Package.Id.props' was not. + +> At least one .targets file was found in 'buildMultitargeting/netcoreapp3.0/', but 'buildMultitargeting/netcoreapp3.0/Contoso.Utilities. +targets' was not. + +> At least one .props file was found in 'build/', but 'build/AdventureWorks.Tools.props' was not. ### Issue diff --git a/docs/reference/errors-and-warnings/NU5130.md b/docs/reference/errors-and-warnings/NU5130.md index e04d10328..af139a88a 100644 --- a/docs/reference/errors-and-warnings/NU5130.md +++ b/docs/reference/errors-and-warnings/NU5130.md @@ -11,8 +11,8 @@ f1_keywords: # NuGet Warning NU5130 -
    Some target frameworks declared in the dependencies group of the nuspec and the lib/ref folder have compatible matches, but not exact matches in the other location. Unless intentional, consult the list of actions below:
-- Add a dependency group for .NETFramework4.7.2 to the nuspec
    +> Some target frameworks declared in the dependencies group of the nuspec and the lib/ref folder have compatible matches, but not exact matches in the other location. Unless intentional, consult the list of actions below: +> - Add a dependency group for .NETFramework4.7.2 to the nuspec ### Issue diff --git a/docs/reference/errors-and-warnings/NU5131.md b/docs/reference/errors-and-warnings/NU5131.md index 947cef557..26953b57d 100644 --- a/docs/reference/errors-and-warnings/NU5131.md +++ b/docs/reference/errors-and-warnings/NU5131.md @@ -11,8 +11,8 @@ f1_keywords: # NuGet Warning NU5131 -
    References were found in the nuspec, but some reference assemblies were not found in both the nuspec and ref folder. Add the following reference assemblies:
-- Add AssemblyName.dll to the ref/net472/ directory
    +> References were found in the nuspec, but some reference assemblies were not found in both the nuspec and ref folder. Add the following reference assemblies: +> - Add AssemblyName.dll to the ref/net472/ directory ### Issue diff --git a/docs/reference/errors-and-warnings/NU5133.md b/docs/reference/errors-and-warnings/NU5133.md index 2cf0963d3..ea8282dda 100644 --- a/docs/reference/errors-and-warnings/NU5133.md +++ b/docs/reference/errors-and-warnings/NU5133.md @@ -14,7 +14,7 @@ f1_keywords: ## Example -
    Warning NU5133: NuGet.exe file on path \Downloads\nuget.exe needs to be unblocked after downloading.
    +> Warning NU5133: NuGet.exe file on path \Downloads\nuget.exe needs to be unblocked after downloading. ### Issue When downloading a file on Windows, in this case nuget.exe, through a web browser, the `Mark Of The Web` may be added. diff --git a/docs/reference/errors-and-warnings/NU5501.md b/docs/reference/errors-and-warnings/NU5501.md index f6591f8d3..0df5db23b 100644 --- a/docs/reference/errors-and-warnings/NU5501.md +++ b/docs/reference/errors-and-warnings/NU5501.md @@ -14,7 +14,7 @@ f1_keywords: ## Scenario 1 -
    The following dependency group(s) require(s) dots in the framework version: net50-windows7.0
    +> The following dependency group(s) require(s) dots in the framework version: net50-windows7.0 ### Issue @@ -48,7 +48,7 @@ Change `net50` to `net5.0`. ## Scenario 2 -
    The following packaged file folder(s) require(s) dots in the framework version: contentFiles/any/net50/a.img.
    +> The following packaged file folder(s) require(s) dots in the framework version: contentFiles/any/net50/a.img. ### Issue diff --git a/docs/reference/extensibility/NuGet-Credential-Providers-for-Visual-Studio.md b/docs/reference/extensibility/NuGet-Credential-Providers-for-Visual-Studio.md index 6b10f8121..e567da4aa 100644 --- a/docs/reference/extensibility/NuGet-Credential-Providers-for-Visual-Studio.md +++ b/docs/reference/extensibility/NuGet-Credential-Providers-for-Visual-Studio.md @@ -4,7 +4,7 @@ description: NuGet credential providers authenticate with feeds by implementing author: JonDouglas ms.author: jodou ms.date: 01/09/2017 -ms.topic: conceptual +ms.topic: how-to --- # Authenticating feeds in Visual Studio with NuGet credential providers @@ -31,8 +31,7 @@ The NuGet Visual Studio Extension 3.6+ implements an internal CredentialService During credential acquisition, the credential service will try credential providers in the following order, stopping as soon as credentials are acquired: 1. Credentials will be fetched from NuGet configuration files (using the built-in `SettingsCredentialProvider`). -1. If the package source is on Visual Studio Team Services, the `VisualStudioAccountProvider` will be used. -1. All other plug-in Visual Studio credential providers will be tried sequentially. +1. Visual Studio credential providers will be tried sequentially. 1. Try to use all NuGet cross platform credential providers sequentially. 1. If no credentials have been acquired yet, the user will be prompted for credentials using a standard basic authentication dialog. diff --git a/docs/reference/extensibility/NuGet-Cross-Platform-Authentication-Plugin.md b/docs/reference/extensibility/NuGet-Cross-Platform-Authentication-Plugin.md index a0e8d027b..624db0a23 100644 --- a/docs/reference/extensibility/NuGet-Cross-Platform-Authentication-Plugin.md +++ b/docs/reference/extensibility/NuGet-Cross-Platform-Authentication-Plugin.md @@ -4,7 +4,7 @@ description: NuGet cross platform authentication plugins for NuGet.exe, dotnet.e author: nkolev92 ms.author: nikolev ms.date: 07/01/2018 -ms.topic: conceptual +ms.topic: article --- # NuGet cross platform authentication plugin @@ -58,10 +58,14 @@ The following table summarizes how the plugin should behave for all combinations | IsNonInteractive | CanShowDialog | Plugin behavior | | ---------------- | ------------- | --------------- | -| true | true | The IsNonInteractive switch takes precedence over the dialog switch. The plugin is not allowed to pop a dialog. This combination is only valid for .NET Framework plugins | -| true | false | The IsNonInteractive switch takes precedence over the dialog switch. The plugin is not allowed to block. This combination is only valid for .NET Core plugins | -| false | true | The plugin should show a dialog. This combination is only valid for .NET Framework plugins | -| false | false | The plugin should/can not show a dialog. The plugin should use device flow to authenticate by logging an instruction message via the logger. This combination is only valid for .NET Core plugins | +| true | true | The IsNonInteractive switch takes precedence over the dialog switch. The plugin is not allowed to block. | +| true | false | The IsNonInteractive switch takes precedence over the dialog switch. The plugin is not allowed to block. | +| false | true | The plugin can show a dialog if required. For example, interactive login, or account selection. | +| false | false | The plugin should/can not show a dialog. The plugin should use device flow to authenticate by logging an instruction message via the logger. | + +Prior to [NuGet 7.0](../../release-notes/NuGet-7.0.md), NuGet would always set `CanShowDialog` to false on the dotnet CLI, and true for MSBuild restore. +From 7.0, NuGet will always set `CanShowDialog` to true, but plugins should still detect when graphical interfaces are not available. +For example when running on Linux over an SSH connection without X forwarding, or a PowerShell remote session. Please refer to the following specs before writing a plugin. diff --git a/docs/reference/extensibility/NuGet-Cross-Platform-Plugins.md b/docs/reference/extensibility/NuGet-Cross-Platform-Plugins.md index 02428709d..3fd832a9e 100644 --- a/docs/reference/extensibility/NuGet-Cross-Platform-Plugins.md +++ b/docs/reference/extensibility/NuGet-Cross-Platform-Plugins.md @@ -4,7 +4,7 @@ description: NuGet cross platform plugins for NuGet.exe, dotnet.exe, msbuild.exe author: nkolev92 ms.author: nikolev ms.date: 07/01/2018 -ms.topic: conceptual +ms.topic: article --- # NuGet cross platform plugins @@ -12,20 +12,11 @@ ms.topic: conceptual In NuGet 4.8+ support for cross platform plugins has been added. This was achieved with by building a new plugin extensibility model, that has to conform to a strict set of rules of operation. The plugins are self-contained executables (runnables in the .NET Core world), that the NuGet Clients launch in a separate process. -This is a true write once, run everywhere plugin. It will work with all NuGet client tools. -The plugins can be either .NET Framework (NuGet.exe, MSBuild.exe and Visual Studio), or .NET Core (dotnet.exe). -A versioned communication protocol between the NuGet Client and the plugin is defined. During the startup handshake, the 2 processes negotiate the protocol version. - -In order to cover all NuGet client tools scenarios, one would need both a .NET Framework and a .NET Core plugin. -The below describes the client/framework combinations of the plugins. - -| Client tool | Framework | -| ------------ | --------- | -| Visual Studio | .NET Framework | -| dotnet.exe | .NET Core | -| NuGet.exe | .NET Framework | -| MSBuild.exe | .NET Framework | -| NuGet.exe on Mono | .NET Framework | +This is a true write once, run everywhere plugin. +It will work with all NuGet client tools. +The plugins can be written in any programming language, but the easiest plugin development and installation experience will be with .NET. +A versioned communication protocol between the NuGet Client and the plugin is defined. +During the startup handshake, the 2 processes negotiate the protocol version. ## How does it work @@ -41,17 +32,22 @@ The high level workflow can be described as follows: The current protocol version is *2.0.0*. Under this version, the requirements are as follows: -- Have a valid, trusted Authenticode signature assemblies that will run on Windows and Mono. There is no special trust requirement for assemblies run on Linux and Mac yet. [Relevant issue](https://github.com/NuGet/Home/issues/6702) - Support stateless launching under the current security context of NuGet client tools. For example, NuGet client tools will not perform elevation or additional initialization outside of the plugin protocol described later. - Be non interactive, unless explicitly specified. - Adhere to the negotiated plugin protocol version. - Respond to all requests within a reasonable time period. - Honor cancellation requests for any in-progress operation. +Plugins discovered from the PATH environment variable (for example, installed via `dotnet tool`) additionally must match the filename pattern `nuget-plugin-*`. +The `nuget-plugin-` part must be written entirely in lowercase letters. + +NuGet 6.12 (MSBuild 17.12, and .NET SDK 9.0.100) and earlier also required plugins to be Authenticode signed on Windows. + The technical specification is described in more detail in the following specs: - [NuGet Package Download Plugin](https://github.com/NuGet/Home/wiki/NuGet-Package-Download-Plugin) - [NuGet cross plat authentication plugin](https://github.com/NuGet/Home/wiki/NuGet-cross-plat-authentication-plugin) +- [Dotnet Tools Plugins](https://github.com/NuGet/Home/blob/dev/accepted/2024/support-nuget-authentication-plugins-dotnet-tools.md) ## Client - Plugin interaction @@ -65,23 +61,27 @@ After 1 minute of inactivity a plugin is considered idle and is shut down. ## Plugin installation and discovery -The plugins will be discovered via a convention based directory structure. -CI/CD scenarios and power users can use environment variables to override the behavior. When using environment variables, only absolute paths are allowed. Note that `NUGET_NETFX_PLUGIN_PATHS` and `NUGET_NETCORE_PLUGIN_PATHS` are only available with 5.3+ version of the NuGet tooling and later. +NuGet searches for plugins from a convention based directory structure, and scanning the PATH environment variable. + +### Convention based discovery + +CI/CD scenarios and power users can use environment variables to override the behavior. +When using environment variables, only absolute paths are allowed. Note that `NUGET_NETFX_PLUGIN_PATHS` and `NUGET_NETCORE_PLUGIN_PATHS` are only available with 5.3+ version of the NuGet tooling and later. - `NUGET_NETFX_PLUGIN_PATHS` - defines the plugins that will be used by the .NET Framework based tooling (NuGet.exe/MSBuild.exe/Visual Studio). Takes precedence over `NUGET_PLUGIN_PATHS`. (NuGet version 5.3+ only) - `NUGET_NETCORE_PLUGIN_PATHS` - defines the plugins that will be used by the .NET Core based tooling (dotnet.exe). Takes precedence over `NUGET_PLUGIN_PATHS`. (NuGet version 5.3+ only) - `NUGET_PLUGIN_PATHS` - defines the plugins that will be used for that NuGet process, priority preserved. If this environment variable is set, it overrides the convention based discovery. Ignored if either of the framework specific variables is specified. -- User-location, the NuGet Home location in `%UserProfile%/.nuget/plugins`. This location cannot be overriden. A different root directory will be used for .NET Core and .NET Framework plugins. +- User-location, the NuGet Home location in `%UserProfile%/.nuget/plugins`. This location cannot be overridden. A different root directory will be used for .NET Core and .NET Framework plugins. -| Framework | Root discovery location | -| ------- | ------------------------ | -| .NET Core | `%UserProfile%/.nuget/plugins/netcore` | -| .NET Framework | `%UserProfile%/.nuget/plugins/netfx` | +| Framework | Root discovery location | Used by | +| ------- | ------------------------ | ---- | +| .NET Core | `%UserProfile%/.nuget/plugins/netcore` | dotnet CLI | +| .NET Framework | `%UserProfile%/.nuget/plugins/netfx` | MSBuild, NuGet.exe, Visual Studio | Each plugin should be installed in its own folder. The plugin entry point will be the name of the installed folder, with the .dll extensions for .NET Core, and .exe extension for .NET Framework. -``` +```text .nuget plugins netfx @@ -96,8 +96,17 @@ The plugin entry point will be the name of the installed folder, with the .dll e ... ``` -> [!Note] -> There is currently no user story for the installation of the plugins. It's as simple as moving the required files into the predetermined location. +### PATH discovery + +Starting from [NuGet 6.13](../../release-notes/NuGet-6.13.md), NuGet will search each directory provided in the PATH environment variable for files matching the pattern `nuget-plugin-*`. +The pattern matching is case-sensitive, and `nuget-plugin-` must be written entirely in lowercase letters. +On Windows the file must have an `.exe` or `.bat` extension. +On Linux and Mac the file must have the executable bit set. + +This allows NuGet plugins to be installed via `dotnet tool` commands, WinGet, a Linux distribution's package manager, or any other method that can put executables on the user's PATH. +This also allows NuGet plugins to be written in any programming language (previously plugins for Linux and Mac must be written in .NET). + +We recommend plugins are developed in .NET, so that you can use the [NuGet.Protocol package](https://www.nuget.org/packages/NuGet.Protocol) to avoid needing to write the json RPC code, and to allow customers to discover your plugin via `dotnet package search nuget-plugin`. ## Supported operations diff --git a/docs/reference/extensibility/nuget-exe-Credential-Providers.md b/docs/reference/extensibility/nuget-exe-Credential-Providers.md index 391c48f03..b0242a3b1 100644 --- a/docs/reference/extensibility/nuget-exe-Credential-Providers.md +++ b/docs/reference/extensibility/nuget-exe-Credential-Providers.md @@ -4,14 +4,14 @@ description: nuget.exe credential providers authenticate with a feed, and are im author: JonDouglas ms.author: jodou ms.date: 12/12/2017 -ms.topic: conceptual +ms.topic: concept-article --- # Authenticating feeds with nuget.exe credential providers -In version `3.3` support was added for `nuget.exe` specific credential providers. Since then, in version `4.8` [support for credential providers](NuGet-Cross-Platform-Authentication-Plugin.md) that work across all command line scenarios (`nuget.exe`, `dotnet.exe`, `msbuild.exe`) was added. +In version `3.3` support was added for `nuget.exe` specific (v1) credential providers. Since then, in version `4.8` [support for (v2) credential providers](NuGet-Cross-Platform-Authentication-Plugin.md) that work across all command line scenarios (`nuget.exe`, `dotnet.exe`, `msbuild.exe`) was added. -See [Consuming Packages from authenticated feeds](../../consume-packages/consuming-packages-authenticated-feeds.md#nugetexe) for more details on all authentication approaches for `nuget.exe` +See [Consuming Packages from authenticated feeds](../../consume-packages/consuming-packages-authenticated-feeds.md) for more details on all authentication approaches. ## nuget.exe credential provider discovery diff --git a/docs/reference/media/registered-certs.png b/docs/reference/media/registered-certs.png index 39a20e9eb..2b9cc1b64 100644 Binary files a/docs/reference/media/registered-certs.png and b/docs/reference/media/registered-certs.png differ diff --git a/docs/reference/msbuild-targets.md b/docs/reference/msbuild-targets.md index 2c1f78327..b4601c9c3 100644 --- a/docs/reference/msbuild-targets.md +++ b/docs/reference/msbuild-targets.md @@ -4,7 +4,7 @@ description: NuGet pack and restore can work directly as MSBuild targets with Nu author: nkolev92 ms.author: nikolev ms.date: 2/4/2022 -ms.topic: conceptual +ms.topic: article no-loc: [NuGet, MSBuild, .nuspec, nuspec] --- @@ -38,6 +38,9 @@ Similarly, you can write an MSBuild task, write your own target and consume NuGe For .NET projects that use the `PackageReference` format, using `msbuild -t:pack` draws inputs from the project file to use in creating a NuGet package. +Non-SDK-style projects will need to install the NuGet.Build.Tasks.Pack package when using Visual Studio 2022 or earlier. +We recommend uninstalling this package when upgrading to Visual Studio 2026 to ensure your project can use the latest pack features and bug fixes. + The following table describes the MSBuild properties that can be added to a project file within the first `` node. You can make these edits easily in Visual Studio 2017 and later by right-clicking the project and selecting **Edit {project_name}** on the context menu. For convenience, the table is organized by the equivalent property in a [`.nuspec` file](../reference/nuspec.md). > [!NOTE] @@ -307,7 +310,8 @@ When using `MSBuild -t:pack -p:IsTool=true`, all output files, as specified in t ### Packing using a `.nuspec` file -Although it is recommended that you [include all the properties](../reference/msbuild-targets.md#pack-target) that are usually in the `.nuspec` file in the project file instead, you can choose to use a `.nuspec` file to pack your project. For a non-SDK-style project that uses `PackageReference`, you must import `NuGet.Build.Tasks.Pack.targets` so that the pack task can be executed. You still need to restore the project before you can pack a nuspec file. (An SDK-style project includes the pack targets by default.) +Although it is recommended that you [include all the properties](../reference/msbuild-targets.md#pack-target) that are usually in the `.nuspec` file in the project file instead, you can choose to use a `.nuspec` file to pack your project. +You still need to restore the project before you can pack a nuspec file. (An SDK-style project includes the pack targets by default.) The target framework of the project file is irrelevant and not used when packing a nuspec. The following three MSBuild properties are relevant to packing using a `.nuspec`: @@ -426,7 +430,7 @@ Additional restore settings may come from MSBuild properties in the project file | `RestorePackagesPath` | User packages folder path. | | `RestoreDisableParallel` | Limit downloads to one at a time. | | `RestoreConfigFile` | Path to a `Nuget.Config` file to apply. | -| `RestoreNoCache` | If true, avoids using cached packages. See [Managing the global packages and cache folders](../consume-packages/managing-the-global-packages-and-cache-folders.md). | +| `RestoreNoHttpCache` | If true, avoids using http cached packages. See [Managing the global packages and cache folders](../consume-packages/managing-the-global-packages-and-cache-folders.md). | | `RestoreIgnoreFailedSources` | If true, ignores failing or missing package sources. | | `RestoreFallbackFolders` | Fallback folders, used in the same way the user packages folder is used. | | `RestoreAdditionalProjectSources` | Additional sources to use during restore. | @@ -444,6 +448,7 @@ Additional restore settings may come from MSBuild properties in the project file | `RestorePackagesConfig` | An opt-in switch, that restores projects with packages.config. Support with `MSBuild -t:restore` only. | | `RestoreRepositoryPath` | packages.config only. Specifies the packages directory to which the packages should be restored. `SolutionDirectory` will be used if not specified. | | `RestoreUseStaticGraphEvaluation` | An opt-in switch to use static graph MSBuild evaluation instead of the standard evaluation. Static graph evaluation is an experimental feature that's significantly faster for large repos and solutions. | +| `RestoreUseLegacyDependencyResolver` | An opt-out to use the legacy dependency resolver. NuGet's dependency resolver implementation was rewritten in the [6.12 release](../../docs/release-notes/NuGet-6.12.md). This switch forces the previous algorithm to be used. | The `ExcludeRestorePackageImports` property is an internal property used by NuGet. It should not be modified or set in any MSBuild files. diff --git a/docs/reference/nuget-config-file.md b/docs/reference/nuget-config-file.md index c48453f33..83aa92383 100644 --- a/docs/reference/nuget-config-file.md +++ b/docs/reference/nuget-config-file.md @@ -30,13 +30,14 @@ Contains miscellaneous configuration settings, which can be set using the [`nuge | Key | Value | | --- | --- | -| dependencyVersion (`packages.config` only) | The default `DependencyVersion` value for package install, restore, and update, when the `-DependencyVersion` switch is not specified directly. This value is also used by the NuGet Package Manager UI. Values are `Lowest`, `HighestPatch`, `HighestMinor`, `Highest`. | -| globalPackagesFolder (projects using PackageReference only) | The location of the default global packages folder. The default is `%userprofile%\.nuget\packages` (Windows) or `~/.nuget/packages` (Mac/Linux). A relative path can be used in project-specific `nuget.config` files. This setting is overridden by the `NUGET_PACKAGES` environment variable, which takes precedence. | -| repositoryPath (`packages.config` only) | The location in which to install NuGet packages instead of the default `$(Solutiondir)/packages` folder. A relative path can be used in project-specific `nuget.config` files. | | defaultPushSource | Identifies the URL or path of the package source that should be used as the default if no other package sources are found for an operation. | +| dependencyVersion (`packages.config` only) | The default `DependencyVersion` value for package install, restore, and update, when the `-DependencyVersion` switch is not specified directly. This value is also used by the NuGet Package Manager UI. Values are `Lowest`, `HighestPatch`, `HighestMinor`, `Highest`. | +| globalPackagesFolder | The location of the default global packages folder. The default is `%userprofile%\.nuget\packages` (Windows) or `~/.nuget/packages` (Mac/Linux). A relative path can be used in project-specific `nuget.config` files. This setting is overridden by the `NUGET_PACKAGES` environment variable, which takes precedence. | | http_proxy http_proxy.user http_proxy.password no_proxy | Proxy settings to use when connecting to package sources; `http_proxy` should be in the format `http://:@`. Passwords are encrypted and cannot be added manually. For `no_proxy`, the value is a comma-separated list of domains the bypass the proxy server. You can alternately use the http_proxy and no_proxy environment variables for those values. For additional details, see [NuGet proxy settings](http://skolima.blogspot.com/2012/07/nuget-proxy-settings.html) (skolima.blogspot.com). | | maxHttpRequestsPerSource | Controls the maximum number of parallel requests sent from NuGet to every package source for package dependency resolution and downloads. The default value on `dotnet.exe` is `Int32.MaxValue` which is derived from `HttpClientHandler.MaxConnectionsPerServer` property. This setting has no impact on `dotnet.exe` for `Mac OS` because the throttling limit is set to `16` to avoid too many open files error. The default value for `NuGet client tools` that runs on `.NET Framework` such as `Visual Studio` and `nuget.exe` is `64` on `Windows` and `1` on `Mono`. The default value for `Packages.config` style projects is set to `Environment.ProcessorCount`. Configuring `maxHttpRequestsPerSource` property to a value less than the default could impact NuGet performance. | -| signatureValidationMode | Specifies the validation mode used to verify package signatures for package install, and restore. Values are `accept`, `require`. Defaults to `accept`. +| repositoryPath (`packages.config` only) | The location in which to install NuGet packages instead of the default `$(Solutiondir)/packages` folder. A relative path can be used in project-specific `nuget.config` files. | +| signatureValidationMode | Specifies the validation mode used to verify package signatures for package install, and restore. Values are `accept`, `require`. Defaults to `accept`. | +| updatePackageLastAccessTime | When set to `true`, restore will update the last access time of the `.nupkg.metadata` file in the global packages folder during restore. See [the documentation on the global packages folder for more information](../consume-packages/managing-the-global-packages-and-cache-folders.md#global-packages) | **Example**: @@ -48,6 +49,7 @@ Contains miscellaneous configuration settings, which can be set using the [`nuge + ``` @@ -113,23 +115,52 @@ Note that the source URL for nuget.org is `https://api.nuget.org/v3/index.json`. Lists all known package sources. The order is ignored during restore operations and with any project using the PackageReference format. NuGet respects the order of sources for install and update operations with projects using `packages.config`. -| Key | Value | protocolVersion | -| --- | --- | --- | -| (name to assign to the package source) | The path or URL of the package source. | The NuGet server protocol version to be used. The current version is "3". Defaults to version "2" when not pointing to a package source URL ending in `.json` (e.g. https://api.nuget.org/v3/index.json). Supported in [NuGet 3.0+](https://learn.microsoft.com/nuget/release-notes/nuget-3.0.0). See [NuGet Server API](https://learn.microsoft.com/nuget/api/overview) for more information about the version 3 protocol. | +| XML Attribute | Purpose | +| :-- | :-- | +| **Key** | (name to assign to the package source) | +| **Value** | The path or URL of the package source. | +| **protocolVersion** | The NuGet server protocol version to be used. The current version is "3". Defaults to version "2" when not pointing to a package source URL ending in `.json` (e.g. ). Supported in [NuGet 3.0+](/nuget/release-notes/nuget-3.0.0). See [NuGet Server API](/nuget/api/overview) for more information about the version 3 protocol. | +| **allowInsecureConnections** | When false, or not specified, NuGet will emit a warning when the source uses http, rather than https. If you are confident that communication with this source will never be at risk of interception attacks, you can set the value to true to suppress the warning. Supported in NuGet 6.8+. | +| **disableTLSCertificateValidation** | This configuration property allows you to disable SSL/TLS certificate validation for your HTTPS server. When set to true, the server will ignore any errors related to SSL/TLS certificates, such as expired or self-signed certificates, and establish the connection without validation. Supported in NuGet 6.11+. | **Example**: ```xml + + + ``` +> [!NOTE] +> Use package sources that you trust. + +> [!NOTE] +> When using the CLI, you can express a [`RestoreSources`](../reference/msbuild-targets.md#restore-properties) MSBuild property or [`--source`(.NET CLI)](/dotnet/core/tools/dotnet-restore#options) | [`-Source`(NuGet CLI)](/nuget/reference/cli-reference/cli-ref-restore#options) to override the `` defined in the NuGet.config. + > [!Tip] > When `` is present for a given node, NuGet ignores previously defined configuration values for that node. [Read more about how settings are applied](../consume-packages/configuring-nuget-behavior.md#how-settings-are-applied). +### auditSources + +Lists all known audit sources, which [NuGet Audit](../concepts/Auditing-Packages.md#running-a-security-audit-with-restore) will use during restore. +If no audit sources are provided, restore will use package sources and suppress [NU1905](../reference/errors-and-warnings/NU1905.md). +`auditSources` was added to [NuGet 6.12](../release-notes/NuGet-6.12.md). + +Audit sources support the same attributes as `packageSources` (`protocolVersion`, `allowInsecureConnections`), and sources that require authentication are configured with `packageSourceCredentials`, the same way as `packageSources`. + +**Example**: +```xml + + + + +``` + ### packageSourceCredentials Stores usernames and passwords for sources, typically specified with the `-username` and `-password` switches with `nuget sources`. Passwords are encrypted by default unless the `-storepasswordincleartext` option is also used. @@ -137,11 +168,17 @@ Optionally, valid authentication types can be specified with the `-validauthenti | Key | Value | | --- | --- | -| username | The user name for the source in plain text. | +| username | The user name for the source in plain text. Note: environment variables can be used for improved security. | | password | The encrypted password for the source. Encrypted passwords are only supported on Windows, and only can be decrypted when used on the same machine and via the same user as the original encryption. | | cleartextpassword | The unencrypted password for the source. Note: environment variables can be used for improved security. | | validauthenticationtypes | Comma-separated list of valid authentication types for this source. Set this to `basic` if the server advertises NTLM or Negotiate and your credentials must be sent using the Basic mechanism, for instance when using a PAT with on-premises Azure DevOps Server. Other valid values include `negotiate`, `kerberos`, `ntlm`, and `digest`, but these values are unlikely to be useful. | +> [!WARNING] +> Storing passwords in clear text is strongly discouraged. +> Please note that encrypted passwords are only supported on Windows. +> Furthermore, they can only be decrypted when used on the same machine and by the same user who originally encrypted them. +> For more information on managing credentials securely, refer to the [security best practices for consuming packages from private feeds](../consume-packages/consuming-packages-authenticated-feeds.md#security-best-practices-for-managing-credentials). + > [!Tip] > If a non-encrypted password is passed for `password` the error message ["The parameter is incorrect" will occur](https://github.com/NuGet/Home/issues/3245). @@ -162,49 +199,51 @@ In the config file, the `` element contains child node ``` -When using unencrypted passwords stored in an environment variable: +Additionally, valid authentication methods can be supplied. ```xml - + + - + + ``` -When using unencrypted passwords: +When using unencrypted passwords stored in an environment variable: ```xml - + - + ``` -Additionally, valid authentication methods can be supplied: +When using unencrypted passwords: +> [!WARNING] +> Storing passwords in clear text is strongly discouraged. ```xml - - + - ``` @@ -270,7 +309,7 @@ Identifies to the currently active source or indicates the aggregate of all sour ## trustedSigners section -Stores trusted signers used to allow package while installing or restoring. This list cannot be empty when the user sets `signatureValidationMode` to `require`. +Stores trusted signers used to allow package while installing or restoring. This list cannot be empty when the user sets `signatureValidationMode` to `require`. This section can be updated with the [`nuget trusted-signers` command](../reference/cli-reference/cli-ref-trusted-signers.md). @@ -291,10 +330,12 @@ If a `certificate` specifies `allowUntrustedRoot` as `true` the given certificat + + microsoft;aspnet;nuget @@ -404,7 +445,6 @@ The table below show environnment variable syntax and path separator support for | `$MY_VAR` | `/` | No | No | No | No | | `$MY_VAR` | `\` | No | No | No | No | - ## Example config file Below is an example `nuget.config` file that illustrates a number of settings including optional ones: @@ -451,6 +491,7 @@ Below is an example `nuget.config` file that illustrates a number of settings in See: nuget.exe help update --> + @@ -479,10 +520,12 @@ Below is an example `nuget.config` file that illustrates a number of settings in + + microsoft;aspnet;nuget diff --git a/docs/reference/nuget-exe-CLI-Reference.md b/docs/reference/nuget-exe-CLI-Reference.md index 814c72b56..7bebbea46 100644 --- a/docs/reference/nuget-exe-CLI-Reference.md +++ b/docs/reference/nuget-exe-CLI-Reference.md @@ -73,3 +73,8 @@ Developers concerned only with consuming packages, for example, need only unders > [!Note] > Command option names are case-insensitive. Options that are deprecated are not included in this reference, such as `NoPrompt` (replaced by `NonInteractive`) and `Verbose` (replaced by `Verbosity`). + +## Localization + +NuGet.exe's progress, warning and error messages are translated into the same locales as Visual Studio. +NuGet.exe ships as a single exe, and due to size considerations, only the most commonly surfaced messages are translated in all languages. diff --git a/docs/reference/nuspec.md b/docs/reference/nuspec.md index d71b059f7..da7370ef6 100644 --- a/docs/reference/nuspec.md +++ b/docs/reference/nuspec.md @@ -35,7 +35,9 @@ In this topic: ## General form and schema -The current `nuspec.xsd` schema file can be found in the [NuGet GitHub repository](https://github.com/NuGet/NuGet.Client/blob/dev/src/NuGet.Core/NuGet.Packaging/compiler/resources/nuspec.xsd). +A `nuspec.xsd` schema file can be found in the [NuGet GitHub repository](https://github.com/NuGet/NuGet.Client/blob/dev/src/NuGet.Core/NuGet.Packaging/compiler/resources/nuspec.xsd). +Note, that this file only represents the most recent schema for a `.nuspec` file. +No officially published versions exists and no version of that file corresponds to any specific NuGet version. Within this schema, a `.nuspec` file has the following general form: @@ -64,6 +66,11 @@ All XML element names in the .nuspec file are case-sensitive, as is the case for metadata element `` is correct and `` is not correct. The proper casing for each element name is documented below. +> [!Important] +> While the `.nuspec` file contains a reference to a schema +> (`xmlns="http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd"`), +> The NuGet-Team has never published a schema file that could be used for automatic schema validation. + ### Required metadata elements Although the following elements are the minimum requirements for a package, you should consider adding the [optional metadata elements](#optional-metadata-elements) to improve the overall experience developers have with your package. @@ -86,9 +93,9 @@ A description of the package for UI display. When uploading a package to nuget.org, the `description` field is limited to 4000 characters. #### authors -A comma-separated list of packages authors, matching the profile names on nuget.org. These are displayed in the NuGet Gallery on nuget.org and are used to cross-reference packages by the same authors. - -When uploading a package to nuget.org, the `authors` field is limited to 4000 characters. +A comma-separated list of package authors. +The `authors` and the `owners` from the nuspec are ignored when uploading the package to nuget.org. +For setting package ownership on nuget.org, see [Managing package owners on nuget.org](../nuget-org/publish-a-package.md#managing-package-owners-on-nugetorg). ### Optional metadata elements @@ -96,7 +103,9 @@ When uploading a package to nuget.org, the `authors` field is limited to 4000 ch > [!Important] > owners is deprecated. Use authors instead. -A comma-separated list of the package creators using profile names on nuget.org. This is often the same list as in `authors`, and is ignored when uploading the package to nuget.org. See [Managing package owners on nuget.org](../nuget-org/publish-a-package.md#managing-package-owners-on-nugetorg). +A comma-separated list of package owners. +The `owners` from the nuspec is ignored when uploading the package to nuget.org. +For setting package ownership on nuget.org, see [Managing package owners on nuget.org](../nuget-org/publish-a-package.md#managing-package-owners-on-nugetorg). #### projectUrl A URL for the package's home page, often shown in UI displays as well as nuget.org. @@ -123,7 +132,7 @@ If you're licensing the package under a common license, like MIT or BSD-2-Clause > [!Note] > NuGet.org only accepts license expressions that are approved by the Open Source Initiative or the Free Software Foundation. -If your package is licensed under multiple common licenses, you can specify a composite license using the [SPDX expression syntax version 2.0](https://spdx.org/spdx-specification-21-web-version#h.jxpfx0ykyb60). For example: +If your package is licensed under multiple common licenses, you can specify a composite license using the [SPDX expression syntax version 2.0](https://spdx.github.io/spdx-spec/v2-draft/SPDX-license-expressions/#d4-composite-license-expressions). For example: `BSD-2-Clause OR MIT` @@ -201,7 +210,7 @@ For example, you would add the following to your nuspec when creating a package For the MSBuild equivalent, take a look at [Packing an icon image file](msbuild-targets.md#packing-an-icon-image-file). > [!Tip] -> You can specify both `icon` and `iconUrl` to maintain backward compatibility with sources that do not support `icon`. Visual Studio will support `icon` for packages coming from a folder-based source in a future release. +> To maintain backward compatibility with clients and sources that don't yet support `icon`, specify both `icon` and `iconUrl`. Visual Studio supports `icon` for packages coming from a folder-based source. #### readme @@ -332,7 +341,7 @@ Specifies the minimum version of the NuGet client that can install this package, ## Replacement tokens -When creating a package, the [`nuget pack` command](../reference/cli-reference/cli-ref-pack.md) replaces $-delimited tokens in the `.nuspec` file's `` node with values that come from either a project file or the `pack` command's `-properties` switch. +When creating a package, the [`nuget pack` command](../reference/cli-reference/cli-ref-pack.md) replaces $-delimited tokens in the `.nuspec` file's `` and `` nodes with values that come from either a project file or the `pack` command's `-properties` switch. On the command line, you specify token values with `nuget pack -properties =;=`. For example, you can use a token such as `$owners$` and `$desc$` in the `.nuspec` and provide the values at packing time as follows: @@ -816,11 +825,11 @@ C#-specific content for net45 and up /contentFiles/cs/net45/sample.cs ``` -Empty folders can use `.` to opt out of providing content for certain combinations of language and TxM, for example: +Empty folders can use `_._` to opt out of providing content for certain combinations of language and TxM, for example: ``` /contentFiles/vb/any/code.vb -/contentFiles/cs/any/. +/contentFiles/cs/any/_._ ``` #### Example contentFiles section diff --git a/docs/reference/packages-config.md b/docs/reference/packages-config.md index 57f5bf5de..19b8ddb60 100644 --- a/docs/reference/packages-config.md +++ b/docs/reference/packages-config.md @@ -24,7 +24,7 @@ The schema is simple: following the standard XML header is a single `` | id | Yes | The identifier of the package, such as Newtonsoft.json or Microsoft.AspNet.Mvc. | | version | Yes | The exact version of the package to install, such as 3.1.1 or 4.2.5.11-beta. A version string must have at least three numbers; a fourth is optional, as is a pre-release suffix. Ranges are not allowed. | | targetFramework | No | The [target framework moniker (TFM)](target-frameworks.md) to apply when installing the package. This is initially set to the project's target when a package is installed. As a result, different `` elements can have different TFMs. For example, if you create a project targeting .NET 4.5.2, packages installed at that point will use the TFM of net452. If you ;later retarget the project to .NET 4.6 and add more packages, those will use TFM of net46. A mismatch between the project's target and `targetFramework` attributes will generate warnings, in which case you can reinstall the affected packages. | -| allowedVersions | No | A range of allowed versions for this package applied during package update (see [Constraining upgrade versions](../consume-packages/reinstalling-and-updating-packages.md#constraining-upgrade-versions). It does *not* affect what package is installed during an install or restore operation. See [Package versioning](../concepts/package-versioning.md#version-ranges) for syntax. The PackageManager UI also disables all versions outside the allowed range. | +| allowedVersions | No | A range of allowed versions for this package applied during package update (see [Constraints on upgrade versions](../consume-packages/reinstalling-and-updating-packages.md#constraints-on-upgrade-versions). It does *not* affect what package is installed during an install or restore operation. See [Package versioning](../concepts/package-versioning.md#version-ranges) for syntax. The PackageManager UI also disables all versions outside the allowed range. | | developmentDependency | No | If the consuming project itself creates a NuGet package, setting this to `true` for a dependency prevents that package from being included when the consuming package is created. The default is `false`. | ## Examples diff --git a/docs/reference/target-frameworks.md b/docs/reference/target-frameworks.md index 39129572a..a2c1e0df5 100644 --- a/docs/reference/target-frameworks.md +++ b/docs/reference/target-frameworks.md @@ -87,8 +87,11 @@ Universal Windows Platform | uap | uap [uap10.0] | | | | netcoreapp3.1 | | | net | net5.0 | | | | net6.0 | +| | | net7.0 | +| | | net8.0 | Tizen | tizen | tizen3 | | | | tizen4 | +| Native | native | native | ## Deprecated frameworks @@ -285,7 +288,7 @@ Additional frameworks defined by third parties provide compatibility with other | | WindowsPhone 8.1 (UWP) | | | WindowsPhone 8.0 (SL) | -Additionally, NuGet packages targeting Xamarin can use additional Xamarin-defined frameworks. See [Creating NuGet packages for Xamarin](https://developer.xamarin.com/guides/cross-platform/advanced/nuget/). +Additionally, NuGet packages targeting Xamarin can use additional Xamarin-defined frameworks: | Name | Description | .NET Standard | | --- | --- | --- diff --git a/docs/release-notes/Index.md b/docs/release-notes/Index.md index 1aeb15996..745e8f4db 100644 --- a/docs/release-notes/Index.md +++ b/docs/release-notes/Index.md @@ -1,16 +1,38 @@ --- title: Release Notes description: Index of NuGet release notes and known issues for all versions. -author: anangaur -ms.author: anangaur +author: donnie-msft +ms.author: eagoodso ms.date: 05/25/2022 -ms.topic: conceptual +ms.topic: release-notes --- # Release Notes [Known Issues](../release-notes/known-issues.md) +[NuGet 7.0](../release-notes/NuGet-7.0.md) + +[NuGet 6.14](../release-notes/NuGet-6.14.md) + +[NuGet 6.13](../release-notes/NuGet-6.13.md) + +[NuGet 6.12](../release-notes/NuGet-6.12.md) + +[NuGet 6.11](../release-notes/NuGet-6.11.md) + +[NuGet 6.10](../release-notes/NuGet-6.10.md) + +[NuGet 6.9](../release-notes/NuGet-6.9.md) + +[NuGet 6.8](../release-notes/NuGet-6.8.md) + +[NuGet 6.7](../release-notes/NuGet-6.7.md) + +[NuGet 6.6](../release-notes/NuGet-6.6.md) + +[NuGet 6.5](../release-notes/NuGet-6.5.md) + [NuGet 6.4](../release-notes/NuGet-6.4.md) [NuGet 6.3](../release-notes/NuGet-6.3.md) diff --git a/docs/release-notes/Known-Issues.md b/docs/release-notes/Known-Issues.md index a23680c06..051862356 100644 --- a/docs/release-notes/Known-Issues.md +++ b/docs/release-notes/Known-Issues.md @@ -3,8 +3,8 @@ title: Known Issues description: Known issues with NuGet including authentication, package installation, and tools. author: JonDouglas ms.author: jodou -ms.date: 11/11/2016 -ms.topic: conceptual +ms.date: 06/06/2024 +ms.topic: troubleshooting-known-issue --- # Known Issues with NuGet @@ -14,6 +14,25 @@ These are the most common known issues with NuGet that are repeatedly reported. > [!Note] > Starting with NuGet 4.0, known issues are a part of the respective release notes. +## NuGet Audit settings may not be applied correctly for projects using packages.config in Visual Studio 17.10 + +NuGet Audit support was added for packages.config projects starting from NuGet 6.10 and Visual Studio 17.10. +Information on how to configure NuGet Audit can be found in our docs on [our docs on auditing packages](../concepts/Auditing-Packages.md). + +**Problem:** + +If two or more projects using packages.config in the solution use the same project name, then NuGet Audit will choose one and use the same NuGet Audit settings for both projects. + +The tracking issue to remove this limitation is [available on GitHub](https://github.com/NuGet/Home/issues/13466). + +**Workaround:** + +If all projects with the same name use the same configuration values, then there will be no functional difference when NuGet restores one project using a different project's configuration. + +NuGet.exe does not have this limitation, so you can [download NuGet.exe](../install-nuget-client-tools.md#nugetexe-cli) and run `NuGet.exe restore` on your solution to see if the NuGet Audit warnings are different on the command line to what Visual Studio is reporting. + +If it is feasible to rename the projects so they have different project names, then this problem scenario will not be encountered. + ## Authentication issues with NuGet feeds in VSTS with nuget.exe v3.4.3 **Problem:** @@ -70,7 +89,7 @@ regsvr32 "C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\VsLangproj. If the command fails, check to see if the file exists in that location. -For more information about this error, see this [work item](https://nuget.codeplex.com/workitem/3609 "Work item 3609"). +For more information about this error, see this ```[work item](https://nuget.codeplex.com/workitem/3609 "Work item 3609")```. ## Build failure after package update in VS 2012 @@ -164,7 +183,7 @@ If you try to uninstall NuGet via the Visual Studio Extension Manager, you may n ## The Package Manager Console crashes when I open it in Windows XP. What's wrong? -NuGet requires Powershell 2.0 runtime. Windows XP, by default, doesn't have Powershell 2.0. You can download the Powershell 2.0 runtime from . After you install it, restart Visual Studio and you should be able to open Package Manager Console. +NuGet requires Powershell 2.0 runtime. Windows XP, by default, doesn't have Powershell 2.0. You can download the Powershell 2.0 runtime from [PowerShell 2.0 Download](https://devblogs.microsoft.com/powershell/tag/powershell-2-0-download/). After you install it, restart Visual Studio and you should be able to open Package Manager Console. ## Visual Studio 2010 SP1 Beta crashes on exit if the Package Manager Console is open. diff --git a/docs/release-notes/NuGet-1.1.md b/docs/release-notes/NuGet-1.1.md index 6d42ca832..63b2c1586 100644 --- a/docs/release-notes/NuGet-1.1.md +++ b/docs/release-notes/NuGet-1.1.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 1.1 including known issues, bug fixes, adde author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 1.0 and 1.1 Release Notes @@ -34,7 +34,7 @@ The NuGet Command Line Tool requires: ## Installation -To use this [latest release](http://nuget.codeplex.com/releases/view/52018): +To use this ```[latest release](http://nuget.codeplex.com/releases/view/52018)```: * First uninstall your older build. You need to run VS as administrator to do this. * Remove all the existing feeds that you have. @@ -42,83 +42,83 @@ To use this [latest release](http://nuget.codeplex.com/releases/view/52018): ## NuGet 1.1 -The list of issues fixed in this release [can be found here](http://nuget.codeplex.com/workitem/list/advanced?keyword=&status=All&type=All&priority=All&release=NuGet%201.1&assignedTo=All&component=All&sortField=LastUpdatedDate&sortDirection=Descending&page=0) +The list of issues fixed in this release ```[can be found here](http://nuget.codeplex.com/workitem/list/advanced?keyword=&status=All&type=All&priority=All&release=NuGet%201.1&assignedTo=All&component=All&sortField=LastUpdatedDate&sortDirection=Descending&page=0)``` ## NuGet 1.0 RTM One issue was fixed for RTM since the RC. -* [Issue 474: Removing Packages Affects All Project In Solution](http://nuget.codeplex.com/workitem/474) +* ```[Issue 474: Removing Packages Affects All Project In Solution](http://nuget.codeplex.com/workitem/474)``` ## Release Candidate The following are the changes made in this Release Candidate since CTP 2. Visit the Issue Tracker to see the full list of bugs. -* [Updating Package from Console does not update dependencies.](http://nuget.codeplex.com/workitem/443) -* [Adding package picks up bin not package reference (CTP1)](http://nuget.codeplex.com/workitem/442) -* [Updating a package leaves broken references](http://nuget.codeplex.com/workitem/440) -* [Get-Package -Updates fails in the dialog, or when the 'All' aggregate source is selected in the console](http://nuget.codeplex.com/workitem/439) -* [Getting package verification errors](http://nuget.codeplex.com/workitem/426) -* [Warn users when a package cannot be installed from the Add Package Dialog](http://nuget.codeplex.com/workitem/425) -* [Get-Package -Updates throws when updating large number of packages](http://nuget.codeplex.com/workitem/424) -* [Improve error handling when nuspec files are authored incorrectly](http://nuget.codeplex.com/workitem/423) -* [Nuget pack ignores specified files](http://nuget.codeplex.com/workitem/422) -* [Removing the second-to-last package source and then clicking "Move Down" crashes VS](http://nuget.codeplex.com/workitem/418) -* [Remove assembly reference while installing packages](http://nuget.codeplex.com/workitem/413) -* [InvalidOperationException when opening Settings dialog](http://nuget.codeplex.com/workitem/411) -* [Access Key for Package Source in Package Manager Console doesn't work](http://nuget.codeplex.com/workitem/410) -* [NuGet VS Settings Dialog Access Keys Give Focus to Wrong Fields](http://nuget.codeplex.com/workitem/409) -* [Package ID intellisense should not query too many items](http://nuget.codeplex.com/workitem/404) -* [Failure adding package to project with a dot character in the Project name](http://nuget.codeplex.com/workitem/403) -* [Issue with specified files in nuspec](http://nuget.codeplex.com/workitem/400) -* [Correct official feed should get registered when using newer build](http://nuget.codeplex.com/workitem/399) -* [Tags should use spaces instead of #](http://nuget.codeplex.com/workitem/397) -* [IPackageMetadata lacks some useful information](http://nuget.codeplex.com/workitem/388) -* [Add Report Abuse Link to the Dialog](http://nuget.codeplex.com/workitem/386) -* [Using App_Data to unzip packages breaks in Visual Studio](http://nuget.codeplex.com/workitem/380) -* [Implement Tags](http://nuget.codeplex.com/workitem/376) -* [PackageBuilder allows empty package with no dependencies to be created](http://nuget.codeplex.com/workitem/373) -* [Add Owners Field for the Package](http://nuget.codeplex.com/workitem/365) -* [Update the VSIX manifest to say NuGet Package Manager rather than VSIX Tools](http://nuget.codeplex.com/workitem/364) -* [Get-Package command throws error when All source is selected](http://nuget.codeplex.com/workitem/359) -* [Allow ordering of package sources in Options dialog](http://nuget.codeplex.com/workitem/356) -* [Update-Package does not remove older version](http://nuget.codeplex.com/workitem/352) -* [Implement Version Range Specification for Dependencies](http://nuget.codeplex.com/workitem/347) -* [Visual Studio crashes when clicking "Add new package"](http://nuget.codeplex.com/workitem/346) -* [Display Downloads and Ratings in the Add Package Dialog](http://nuget.codeplex.com/workitem/345) -* [Changing between package sources in the Dialog doesn't update active source](http://nuget.codeplex.com/workitem/344) -* [Remove Key Binding for Package Manager Console Window](http://nuget.codeplex.com/workitem/339) -* [Install-Package is not recognized as the name of a cmdlet...](http://nuget.codeplex.com/workitem/338) -* [Installing a package from a local feed the dependencies on regular feeds are not resolved](http://nuget.codeplex.com/workitem/332) -* [RemoveDependencies should skip dependencies that are still in use](http://nuget.codeplex.com/workitem/331) -* [If cancelling page navigation, user cannot navigate to a different page while the original page request returns](http://nuget.codeplex.com/workitem/325) -* [Investigate performance of NuPack.Server for serving feeds with large number of packages.](http://nuget.codeplex.com/workitem/324) -* [The second time I filter for a package it uses the "New" package source, instead of the previously selected source.](http://nuget.codeplex.com/workitem/321) -* [Default package source should be selected when selecting the "Online" tab on the dialog.](http://nuget.codeplex.com/workitem/320) -* [List-Package should show installed packages by default](http://nuget.codeplex.com/workitem/309) -* [Assembly Reference HintPaths](http://nuget.codeplex.com/workitem/294) -* [Exception while opening Package Manager Console](http://nuget.codeplex.com/workitem/268) -* [Console intellisense downloads entire feed](http://nuget.codeplex.com/workitem/259) -* ['Default' package source should be renamed to 'Active'](http://nuget.codeplex.com/workitem/258) -* [Package sources UI: pressing OK should add the new source if Name/Source fields are non-empty](http://nuget.codeplex.com/workitem/257) -* [Dialog becomes super slow when the number of installed packages is large](http://nuget.codeplex.com/workitem/243) -* [Support Binding Redirects for Strong Named Assemblies](http://nuget.codeplex.com/workitem/238) -* [Add Package Reference... UI to include drop down for Package source](http://nuget.codeplex.com/workitem/226) -* [NuPack needs to support config transform agnostically of the config file name](http://nuget.codeplex.com/workitem/224) -* [Allows BasePath to be Overriden in NuPack.exe](http://nuget.codeplex.com/workitem/222) -* [Package Source Fallback Behavior](http://nuget.codeplex.com/workitem/204) -* [Crash on GUI](http://nuget.codeplex.com/workitem/201) -* [Add sorting options to Add Package Dialog](http://nuget.codeplex.com/workitem/179) -* [shortcut key to clear the Package Manager Console](http://nuget.codeplex.com/workitem/174) -* [PowerConsole causes NuPack Console to fail](http://nuget.codeplex.com/workitem/166) -* [Console and Add Package Dialog should set user agent in requests](http://nuget.codeplex.com/workitem/141) -* [Set version number of the VSIX and NuPack.exe in the build.](http://nuget.codeplex.com/workitem/134) -* [Hide common PowerShell parameters from -?](http://nuget.codeplex.com/workitem/118) -* [Add -detailed help for console commands](http://nuget.codeplex.com/workitem/110) -* [Add Package Dialog Should Allow Choosing the Current Package Source](http://nuget.codeplex.com/workitem/88) -* [Move NuPack.Core classes into different namespaces](http://nuget.codeplex.com/workitem/50) -* [Add help to cmdlets](http://nuget.codeplex.com/workitem/23) -* [Verify hash from feed after package download](http://nuget.codeplex.com/workitem/18) +* ```[Updating Package from Console does not update dependencies.](http://nuget.codeplex.com/workitem/443)``` +* ```[Adding package picks up bin not package reference (CTP1)](http://nuget.codeplex.com/workitem/442)``` +* ```[Updating a package leaves broken references](http://nuget.codeplex.com/workitem/440)``` +* ```[Get-Package -Updates fails in the dialog, or when the 'All' aggregate source is selected in the console](http://nuget.codeplex.com/workitem/439)``` +* ```[Getting package verification errors](http://nuget.codeplex.com/workitem/426)``` +* ```[Warn users when a package cannot be installed from the Add Package Dialog](http://nuget.codeplex.com/workitem/425)``` +* ```[Get-Package -Updates throws when updating large number of packages](http://nuget.codeplex.com/workitem/424)``` +* ```[Improve error handling when nuspec files are authored incorrectly](http://nuget.codeplex.com/workitem/423)``` +* ```[Nuget pack ignores specified files](http://nuget.codeplex.com/workitem/422)``` +* ```[Removing the second-to-last package source and then clicking "Move Down" crashes VS](http://nuget.codeplex.com/workitem/418)``` +* ```[Remove assembly reference while installing packages](http://nuget.codeplex.com/workitem/413)``` +* ```[InvalidOperationException when opening Settings dialog](http://nuget.codeplex.com/workitem/411)``` +* ```[Access Key for Package Source in Package Manager Console doesn't work](http://nuget.codeplex.com/workitem/410)``` +* ```[NuGet VS Settings Dialog Access Keys Give Focus to Wrong Fields](http://nuget.codeplex.com/workitem/409)``` +* ```[Package ID intellisense should not query too many items](http://nuget.codeplex.com/workitem/404)``` +* ```[Failure adding package to project with a dot character in the Project name](http://nuget.codeplex.com/workitem/403)``` +* ```[Issue with specified files in nuspec](http://nuget.codeplex.com/workitem/400)``` +* ```[Correct official feed should get registered when using newer build](http://nuget.codeplex.com/workitem/399)``` +* ```[Tags should use spaces instead of #](http://nuget.codeplex.com/workitem/397)``` +* ```[IPackageMetadata lacks some useful information](http://nuget.codeplex.com/workitem/388)``` +* ```[Add Report Abuse Link to the Dialog](http://nuget.codeplex.com/workitem/386)``` +* ```[Using App_Data to unzip packages breaks in Visual Studio](http://nuget.codeplex.com/workitem/380)``` +* ```[Implement Tags](http://nuget.codeplex.com/workitem/376)``` +* ```[PackageBuilder allows empty package with no dependencies to be created](http://nuget.codeplex.com/workitem/373)``` +* ```[Add Owners Field for the Package](http://nuget.codeplex.com/workitem/365)``` +* ```[Update the VSIX manifest to say NuGet Package Manager rather than VSIX Tools](http://nuget.codeplex.com/workitem/364)``` +* ```[Get-Package command throws error when All source is selected](http://nuget.codeplex.com/workitem/359)``` +* ```[Allow ordering of package sources in Options dialog](http://nuget.codeplex.com/workitem/356)``` +* ```[Update-Package does not remove older version](http://nuget.codeplex.com/workitem/352)``` +* ```[Implement Version Range Specification for Dependencies](http://nuget.codeplex.com/workitem/347)``` +* ```[Visual Studio crashes when clicking "Add new package"](http://nuget.codeplex.com/workitem/346)``` +* ```[Display Downloads and Ratings in the Add Package Dialog](http://nuget.codeplex.com/workitem/345)``` +* ```[Changing between package sources in the Dialog doesn't update active source](http://nuget.codeplex.com/workitem/344)``` +* ```[Remove Key Binding for Package Manager Console Window](http://nuget.codeplex.com/workitem/339)``` +* ```[Install-Package is not recognized as the name of a cmdlet...](http://nuget.codeplex.com/workitem/338)``` +* ```[Installing a package from a local feed the dependencies on regular feeds are not resolved](http://nuget.codeplex.com/workitem/332)``` +* ```[RemoveDependencies should skip dependencies that are still in use](http://nuget.codeplex.com/workitem/331)``` +* ```[If cancelling page navigation, user cannot navigate to a different page while the original page request returns](http://nuget.codeplex.com/workitem/325)``` +* ```[Investigate performance of NuPack.Server for serving feeds with large number of packages.](http://nuget.codeplex.com/workitem/324)``` +* ```[The second time I filter for a package it uses the "New" package source, instead of the previously selected source.](http://nuget.codeplex.com/workitem/321)``` +* ```[Default package source should be selected when selecting the "Online" tab on the dialog.](http://nuget.codeplex.com/workitem/320)``` +* ```[List-Package should show installed packages by default](http://nuget.codeplex.com/workitem/309)``` +* ```[Assembly Reference HintPaths](http://nuget.codeplex.com/workitem/294)``` +* ```[Exception while opening Package Manager Console](http://nuget.codeplex.com/workitem/268)``` +* ```[Console intellisense downloads entire feed](http://nuget.codeplex.com/workitem/259)``` +* ```['Default' package source should be renamed to 'Active'](http://nuget.codeplex.com/workitem/258)``` +* ```[Package sources UI: pressing OK should add the new source if Name/Source fields are non-empty](http://nuget.codeplex.com/workitem/257)``` +* ```[Dialog becomes super slow when the number of installed packages is large](http://nuget.codeplex.com/workitem/243)``` +* ```[Support Binding Redirects for Strong Named Assemblies](http://nuget.codeplex.com/workitem/238)``` +* ```[Add Package Reference... UI to include drop down for Package source](http://nuget.codeplex.com/workitem/226)``` +* ```[NuPack needs to support config transform agnostically of the config file name](http://nuget.codeplex.com/workitem/224)``` +* ```[Allows BasePath to be Overriden in NuPack.exe](http://nuget.codeplex.com/workitem/222)``` +* ```[Package Source Fallback Behavior](http://nuget.codeplex.com/workitem/204)``` +* ```[Crash on GUI](http://nuget.codeplex.com/workitem/201)``` +* ```[Add sorting options to Add Package Dialog](http://nuget.codeplex.com/workitem/179)``` +* ```[shortcut key to clear the Package Manager Console](http://nuget.codeplex.com/workitem/174)``` +* ```[PowerConsole causes NuPack Console to fail](http://nuget.codeplex.com/workitem/166)``` +* ```[Console and Add Package Dialog should set user agent in requests](http://nuget.codeplex.com/workitem/141)``` +* ```[Set version number of the VSIX and NuPack.exe in the build.](http://nuget.codeplex.com/workitem/134)``` +* ```[Hide common PowerShell parameters from -?](http://nuget.codeplex.com/workitem/118)``` +* ```[Add -detailed help for console commands](http://nuget.codeplex.com/workitem/110)``` +* ```[Add Package Dialog Should Allow Choosing the Current Package Source](http://nuget.codeplex.com/workitem/88)``` +* ```[Move NuPack.Core classes into different namespaces](http://nuget.codeplex.com/workitem/50)``` +* ```[Add help to cmdlets](http://nuget.codeplex.com/workitem/23)``` +* ```[Verify hash from feed after package download](http://nuget.codeplex.com/workitem/18)``` ## CTP 2 @@ -129,143 +129,143 @@ The following are the most significant changes made in CTP 2: * Updated the `.nuspec` Format. The `.nuspec` format now includes the *iconUrl* field for specifying a 32x32 png icon which will show up in the Add Package Dialog. So be sure to set that to distinguish your package. The `.nuspec` format also includes the new *projectUrl* field which you can use to point to a web page that provides more information about your package. This build will not work with old `.nupkg` files. If you get null reference exceptions, you're using an old `.nupkg` file and -need to rebuild it with the updated [NuGet command line tool](http://nuget.codeplex.com/releases/52017/download/165468). +need to rebuild it with the updated ```[NuGet command line tool](http://nuget.codeplex.com/releases/52017/download/165468)```. The following is a list of features and bugs that were fixed for NuGet CTP 2 (does not include bugs for minor code cleanups etc.). -* [Error unpacking package assemblies when specifiying the TargetFramework for an assembly.](http://nuget.codeplex.com/workitem/10) -* [Make NuPack Console window more discoverable](http://nuget.codeplex.com/workitem/14) -* [ILMerge the nupack.exe release](http://nuget.codeplex.com/workitem/19) -* [Better error/exception handling](http://nuget.codeplex.com/workitem/24) -* [[Nupack.Core]: PackageManager should gracefully handle feed-related errors](http://nuget.codeplex.com/workitem/28) -* [Need a new icon for the console](http://nuget.codeplex.com/workitem/29) -* [Localize strings in the Dialog](http://nuget.codeplex.com/workitem/38) -* [NuPack caches downloaded .nupack files in memory](http://nuget.codeplex.com/workitem/40) -* [NuPack Console: Change the default shortcut for displaying console](http://nuget.codeplex.com/workitem/48) -* [ProjectSystem should support default values for common properties](http://nuget.codeplex.com/workitem/49) -* [Running nupack.exe in a folder with just one nuspec file should use that nuspec](http://nuget.codeplex.com/workitem/52) -* [Project Menu Shows Up Even When No Project/Solution Is Loaded](http://nuget.codeplex.com/workitem/54) -* [build.cmd fails on a clean clone of the codebase](http://nuget.codeplex.com/workitem/56) -* [Updates available feature](http://nuget.codeplex.com/workitem/57) -* [Dialog: Adding a package through the dialog removes the prompt in the console](http://nuget.codeplex.com/workitem/73) -* [Adding a package by clicking 'Install' is often slow, with no visual feedback](http://nuget.codeplex.com/workitem/80) -* [There is no way to discover which of my installed packages have updates.](http://nuget.codeplex.com/workitem/82) -* [There is no way to update an installed package in the dialog.](http://nuget.codeplex.com/workitem/83) -* [There is no way to uninstall an installed package in the dialog](http://nuget.codeplex.com/workitem/84) -* [“Add Package Reference…” appears on the context menu of installed references](http://nuget.codeplex.com/workitem/85) -* [After updating a package from the console, it shows both the old version and the new version as installed](http://nuget.codeplex.com/workitem/86) -* [The activity in the console, when using the dialog, disappears after use](http://nuget.codeplex.com/workitem/87) -* [Cleanup command line parsing in nupack.exe](http://nuget.codeplex.com/workitem/89) -* [Add a friendly name to package sources](http://nuget.codeplex.com/workitem/98) -* [Update .nuspec to support including package icons](http://nuget.codeplex.com/workitem/103) -* [Feed UI doesn't allow copying the URL](http://nuget.codeplex.com/workitem/105) -* [Better remove-package error handling.](http://nuget.codeplex.com/workitem/107) -* [Typing in Console Window depends on cursor focus](http://nuget.codeplex.com/workitem/112) -* [Error messages look awful](http://nuget.codeplex.com/workitem/116) -* [The performance of Remove-Package for a package that isn't installed is bad](http://nuget.codeplex.com/workitem/117) -* [Removing a package fails when there are no package sources](http://nuget.codeplex.com/workitem/119) -* [Remove-Package fails when the package source is unavailable](http://nuget.codeplex.com/workitem/120) -* [Add Title to the package metadata and the feed.](http://nuget.codeplex.com/workitem/125) -* [Add the -Source parameter back to Add-Package](http://nuget.codeplex.com/workitem/127) -* [List-Package should have a -Source parameter](http://nuget.codeplex.com/workitem/128) -* [Update NuPack.Server to require NuPack User Agent To Download Package](http://nuget.codeplex.com/workitem/142) -* [License Acceptance Dialog Must List Licenses For All Dependencies That Require Acceptance](http://nuget.codeplex.com/workitem/145) -* [Log an error when a package throws in the feed](http://nuget.codeplex.com/workitem/150) -* [NuPack.exe should not allow an empty <licenseurl> element](http://nuget.codeplex.com/workitem/152) -* [Rename List-Package to Get-Package, Add-Package to Install-Package, and Remove-Package to Uninstall-Package](http://nuget.codeplex.com/workitem/155) -* [Using the Add Package Reference menu item from the Solution Navigator crashes Visual Studio](http://nuget.codeplex.com/workitem/158) -* ["Available package sources" label is missing a colon](http://nuget.codeplex.com/workitem/160) -* [Make .nuspec xml element casing consistently camel cased](http://nuget.codeplex.com/workitem/161) -* [The NuPack VSIX's manifest needs to turn on the 'admin' bit](http://nuget.codeplex.com/workitem/162) -* [If you run List-Package with no feeds, you get null ref error](http://nuget.codeplex.com/workitem/164) -* [nuget.exe: specify destination path](http://nuget.codeplex.com/workitem/171) -* [Powershell Errors Opening Package Management Console on WinXP](http://nuget.codeplex.com/workitem/175) -* [VS Crashes while trying to load package list](http://nuget.codeplex.com/workitem/176) -* [allow meta packages (no files, only dependencies)](http://nuget.codeplex.com/workitem/180) -* [Convert Powershell Script to Powershell 2.0 Module](http://nuget.codeplex.com/workitem/181) -* [PathResolver should discard path portion preceeding wildcard characters when target is specified](http://nuget.codeplex.com/workitem/183) -* [No dependencies](http://nuget.codeplex.com/workitem/186) -* [Error installing Elmah](http://nuget.codeplex.com/workitem/192) -* [Config transforms don't work correctly with <configsections>](http://nuget.codeplex.com/workitem/194) -* [The variable '$global:projectCache' cannot be retrieved because it has not been set](http://nuget.codeplex.com/workitem/203) -* [Add MSBuild task for creating NuPack packages](http://nuget.codeplex.com/workitem/205) -* [list-package needs to support searching/filtering](http://nuget.codeplex.com/workitem/206) -* [Always display a link to license if the package author provides a license URL](http://nuget.codeplex.com/workitem/208) -* [Occasional "Access Denied" exception with Remove-Package](http://nuget.codeplex.com/workitem/213) -* [Unit Tests Failing: InvalidPackageIsExcludedFromFeedItems & CreatingFeedConvertsPackagesToAtomEntries](http://nuget.codeplex.com/workitem/214) -* [Allow for a fallback/default set of files if a specfic framework version cannot be found](http://nuget.codeplex.com/workitem/223) -* [Add Package Reference... UI cannot remove a package](http://nuget.codeplex.com/workitem/225) -* [Add Package Reference crashes studio when one or more project is unloaded](http://nuget.codeplex.com/workitem/228) -* [Config transform does not appear to work on web.debug.config file](http://nuget.codeplex.com/workitem/229) -* [init.ps1 not firing on custom package](http://nuget.codeplex.com/workitem/237) -* [When adding paths to the feedlist, the default button is set to OK, so if I press ENTER it automatically closes](http://nuget.codeplex.com/workitem/240) -* [Attempt to uninstall a dependency will crash VS if attempted 2 times in a row](http://nuget.codeplex.com/workitem/241) -* [Display the Project URL in the Add Package dialog](http://nuget.codeplex.com/workitem/253) -* [Default the Add-Package dialog to Installed Packages](http://nuget.codeplex.com/workitem/254) -* [Change Add Package Dialog menu item.](http://nuget.codeplex.com/workitem/261) -* [Rename namespaces and assemblies](http://nuget.codeplex.com/workitem/274) -* [Rename the NuPack Project to NuGet](http://nuget.codeplex.com/workitem/282) -* [Add the following text under the list of dependencies](http://nuget.codeplex.com/workitem/288) -* [Change the license acceptance text in the License Acceptance Dialog](http://nuget.codeplex.com/workitem/291) -* [Change the text in the License Acceptance Dialog above the list of packages](http://nuget.codeplex.com/workitem/292) -* [OData doesn't work with an fwlink URL](http://nuget.codeplex.com/workitem/304) -* [Package Manager UI: Over aggressive caching of package count used for paging](http://nuget.codeplex.com/workitem/317) -* [NuPack / NuGet -> Package Manager Console error](http://nuget.codeplex.com/workitem/335) -* [Add Package Dialog shows License Acceptance For Already Installed Packaged](http://nuget.codeplex.com/workitem/336) +* ```[Error unpacking package assemblies when specifiying the TargetFramework for an assembly.](http://nuget.codeplex.com/workitem/10)``` +* ```[Make NuPack Console window more discoverable](http://nuget.codeplex.com/workitem/14)``` +* ```[ILMerge the nupack.exe release](http://nuget.codeplex.com/workitem/19)``` +* ```[Better error/exception handling](http://nuget.codeplex.com/workitem/24)``` +* ```[[Nupack.Core]: PackageManager should gracefully handle feed-related errors](http://nuget.codeplex.com/workitem/28)``` +* ```[Need a new icon for the console](http://nuget.codeplex.com/workitem/29)``` +* ```[Localize strings in the Dialog](http://nuget.codeplex.com/workitem/38)``` +* ```[NuPack caches downloaded .nupack files in memory](http://nuget.codeplex.com/workitem/40)``` +* ```[NuPack Console: Change the default shortcut for displaying console](http://nuget.codeplex.com/workitem/48)``` +* ```[ProjectSystem should support default values for common properties](http://nuget.codeplex.com/workitem/49)``` +* ```[Running nupack.exe in a folder with just one nuspec file should use that nuspec](http://nuget.codeplex.com/workitem/52)``` +* ```[Project Menu Shows Up Even When No Project/Solution Is Loaded](http://nuget.codeplex.com/workitem/54)``` +* ```[build.cmd fails on a clean clone of the codebase](http://nuget.codeplex.com/workitem/56)``` +* ```[Updates available feature](http://nuget.codeplex.com/workitem/57)``` +* ```[Dialog: Adding a package through the dialog removes the prompt in the console](http://nuget.codeplex.com/workitem/73)``` +* ```[Adding a package by clicking 'Install' is often slow, with no visual feedback](http://nuget.codeplex.com/workitem/80)``` +* ```[There is no way to discover which of my installed packages have updates.](http://nuget.codeplex.com/workitem/82)``` +* ```[There is no way to update an installed package in the dialog.](http://nuget.codeplex.com/workitem/83)``` +* ```[There is no way to uninstall an installed package in the dialog](http://nuget.codeplex.com/workitem/84)``` +* ```[“Add Package Reference…” appears on the context menu of installed references](http://nuget.codeplex.com/workitem/85)``` +* ```[After updating a package from the console, it shows both the old version and the new version as installed](http://nuget.codeplex.com/workitem/86)``` +* ```[The activity in the console, when using the dialog, disappears after use](http://nuget.codeplex.com/workitem/87)``` +* ```[Cleanup command line parsing in nupack.exe](http://nuget.codeplex.com/workitem/89)``` +* ```[Add a friendly name to package sources](http://nuget.codeplex.com/workitem/98)``` +* ```[Update .nuspec to support including package icons](http://nuget.codeplex.com/workitem/103)``` +* ```[Feed UI doesn't allow copying the URL](http://nuget.codeplex.com/workitem/105)``` +* ```[Better remove-package error handling.](http://nuget.codeplex.com/workitem/107)``` +* ```[Typing in Console Window depends on cursor focus](http://nuget.codeplex.com/workitem/112)``` +* ```[Error messages look awful](http://nuget.codeplex.com/workitem/116)``` +* ```[The performance of Remove-Package for a package that isn't installed is bad](http://nuget.codeplex.com/workitem/117)``` +* ```[Removing a package fails when there are no package sources](http://nuget.codeplex.com/workitem/119)``` +* ```[Remove-Package fails when the package source is unavailable](http://nuget.codeplex.com/workitem/120)``` +* ```[Add Title to the package metadata and the feed.](http://nuget.codeplex.com/workitem/125)``` +* ```[Add the -Source parameter back to Add-Package](http://nuget.codeplex.com/workitem/127)``` +* ```[List-Package should have a -Source parameter](http://nuget.codeplex.com/workitem/128)``` +* ```[Update NuPack.Server to require NuPack User Agent To Download Package](http://nuget.codeplex.com/workitem/142)``` +* ```[License Acceptance Dialog Must List Licenses For All Dependencies That Require Acceptance](http://nuget.codeplex.com/workitem/145)``` +* ```[Log an error when a package throws in the feed](http://nuget.codeplex.com/workitem/150)``` +* ```[NuPack.exe should not allow an empty <licenseurl> element](http://nuget.codeplex.com/workitem/152)``` +* ```[Rename List-Package to Get-Package, Add-Package to Install-Package, and Remove-Package to Uninstall-Package](http://nuget.codeplex.com/workitem/155)``` +* ```[Using the Add Package Reference menu item from the Solution Navigator crashes Visual Studio](http://nuget.codeplex.com/workitem/158)``` +* ```["Available package sources" label is missing a colon](http://nuget.codeplex.com/workitem/160)``` +* ```[Make .nuspec xml element casing consistently camel cased](http://nuget.codeplex.com/workitem/161)``` +* ```[The NuPack VSIX's manifest needs to turn on the 'admin' bit](http://nuget.codeplex.com/workitem/162)``` +* ```[If you run List-Package with no feeds, you get null ref error](http://nuget.codeplex.com/workitem/164)``` +* ```[nuget.exe: specify destination path](http://nuget.codeplex.com/workitem/171)``` +* ```[Powershell Errors Opening Package Management Console on WinXP](http://nuget.codeplex.com/workitem/175)``` +* ```[VS Crashes while trying to load package list](http://nuget.codeplex.com/workitem/176)``` +* ```[allow meta packages (no files, only dependencies)](http://nuget.codeplex.com/workitem/180)``` +* ```[Convert Powershell Script to Powershell 2.0 Module](http://nuget.codeplex.com/workitem/181)``` +* ```[PathResolver should discard path portion preceeding wildcard characters when target is specified](http://nuget.codeplex.com/workitem/183)``` +* ```[No dependencies](http://nuget.codeplex.com/workitem/186)``` +* ```[Error installing Elmah](http://nuget.codeplex.com/workitem/192)``` +* ```[Config transforms don't work correctly with <configsections>](http://nuget.codeplex.com/workitem/194)``` +* ```[The variable '$global:projectCache' cannot be retrieved because it has not been set](http://nuget.codeplex.com/workitem/203)``` +* ```[Add MSBuild task for creating NuPack packages](http://nuget.codeplex.com/workitem/205)``` +* ```[list-package needs to support searching/filtering](http://nuget.codeplex.com/workitem/206)``` +* ```[Always display a link to license if the package author provides a license URL](http://nuget.codeplex.com/workitem/208)``` +* ```[Occasional "Access Denied" exception with Remove-Package](http://nuget.codeplex.com/workitem/213)``` +* ```[Unit Tests Failing: InvalidPackageIsExcludedFromFeedItems & CreatingFeedConvertsPackagesToAtomEntries](http://nuget.codeplex.com/workitem/214)``` +* ```[Allow for a fallback/default set of files if a specfic framework version cannot be found](http://nuget.codeplex.com/workitem/223)``` +* ```[Add Package Reference... UI cannot remove a package](http://nuget.codeplex.com/workitem/225)``` +* ```[Add Package Reference crashes studio when one or more project is unloaded](http://nuget.codeplex.com/workitem/228)``` +* ```[Config transform does not appear to work on web.debug.config file](http://nuget.codeplex.com/workitem/229)``` +* ```[init.ps1 not firing on custom package](http://nuget.codeplex.com/workitem/237)``` +* ```[When adding paths to the feedlist, the default button is set to OK, so if I press ENTER it automatically closes](http://nuget.codeplex.com/workitem/240)``` +* ```[Attempt to uninstall a dependency will crash VS if attempted 2 times in a row](http://nuget.codeplex.com/workitem/241)``` +* ```[Display the Project URL in the Add Package dialog](http://nuget.codeplex.com/workitem/253)``` +* ```[Default the Add-Package dialog to Installed Packages](http://nuget.codeplex.com/workitem/254)``` +* ```[Change Add Package Dialog menu item.](http://nuget.codeplex.com/workitem/261)``` +* ```[Rename namespaces and assemblies](http://nuget.codeplex.com/workitem/274)``` +* ```[Rename the NuPack Project to NuGet](http://nuget.codeplex.com/workitem/282)``` +* ```[Add the following text under the list of dependencies](http://nuget.codeplex.com/workitem/288)``` +* ```[Change the license acceptance text in the License Acceptance Dialog](http://nuget.codeplex.com/workitem/291)``` +* ```[Change the text in the License Acceptance Dialog above the list of packages](http://nuget.codeplex.com/workitem/292)``` +* ```[OData doesn't work with an fwlink URL](http://nuget.codeplex.com/workitem/304)``` +* ```[Package Manager UI: Over aggressive caching of package count used for paging](http://nuget.codeplex.com/workitem/317)``` +* ```[NuPack / NuGet -> Package Manager Console error](http://nuget.codeplex.com/workitem/335)``` +* ```[Add Package Dialog shows License Acceptance For Already Installed Packaged](http://nuget.codeplex.com/workitem/336)``` ## CTP 1 The following is a list of features and bugs that were fixed for NuGet CTP 1. -* [Package extension should be renamed to .nupack](http://nuget.codeplex.com/workitem/1) -* [Move package file into folder](http://nuget.codeplex.com/workitem/2) -* [Merge install & Add PS commands](http://nuget.codeplex.com/workitem/3) -* [Create aliases for Verb-Noun cmdlets](http://nuget.codeplex.com/workitem/4) -* [NuPack gets confused when switching solution in VS](http://nuget.codeplex.com/workitem/6) -* [We should hide the 'packages' solution folder by default](http://nuget.codeplex.com/workitem/11) -* [Add support for token replacement in content items.](http://nuget.codeplex.com/workitem/12) -* [NuPack.UI should use the PackageSource API](http://nuget.codeplex.com/workitem/26) -* [[Nupack.Core]: PackageManager marks packages as installed prior to installing them](http://nuget.codeplex.com/workitem/27) -* [Deleting default project from solution still shows the deleted project as default](http://nuget.codeplex.com/workitem/30) -* [New-Package fails with "Cannot add part for the specified URI because it's already in the package."](http://nuget.codeplex.com/workitem/32) -* [Remove "NuPack" strings from Visual Studio GUI](http://nuget.codeplex.com/workitem/35) -* [Add Apache Header To a COPYRIGHT.txt file](http://nuget.codeplex.com/workitem/36) -* [Remove Update-PackageSource Command](http://nuget.codeplex.com/workitem/37) -* [Package Manager unusable when loading profile throws an exception](http://nuget.codeplex.com/workitem/39) -* [init.ps1, install.ps1 and uninstall.ps1 need to receive additional state](http://nuget.codeplex.com/workitem/41) -* [Combine Console and GUI Packages Into One Package](http://nuget.codeplex.com/workitem/42) -* [Xml transform logic doesn't work if applied to XML that isn't at the root](http://nuget.codeplex.com/workitem/43) -* [Manage package sources settings dialog not updating the NuPack console](http://nuget.codeplex.com/workitem/44) -* [NuPack Console UI: Rename 'Package feed' drop-down list to 'Package source'](http://nuget.codeplex.com/workitem/45) -* [NuPack Console Options: Rename 'Repository UI' to be consistent with NuPack Console](http://nuget.codeplex.com/workitem/46) -* [Add-Package fails against a website that was opened from IIS or a URL](http://nuget.codeplex.com/workitem/53) -* [Package Manager Source Doesn't Work With FwLink](http://nuget.codeplex.com/workitem/55) -* [Set the default package source](http://nuget.codeplex.com/workitem/59) -* [When adding package sources in option, when only one source is supplied, assume it's the default.](http://nuget.codeplex.com/workitem/60) -* [The Dialog UI shows fake "recent" packages](http://nuget.codeplex.com/workitem/62) -* [Options: Clicking cancel does not cancel changes](http://nuget.codeplex.com/workitem/63) -* [Add Package Reference Dialog Search should be case insensitive](http://nuget.codeplex.com/workitem/65) -* [Fix company metadata in AssemblyInfo.cs files](http://nuget.codeplex.com/workitem/67) -* [Version number for the VSIX](http://nuget.codeplex.com/workitem/71) -* [Remove-Package: Using -? displays help twice](http://nuget.codeplex.com/workitem/72) -* [Execute install/uninstall packages for project level packages](http://nuget.codeplex.com/workitem/74) -* [Server unable to create feed when one nupack fails validation](http://nuget.codeplex.com/workitem/90) -* [Need to Replace NuPack Icons](http://nuget.codeplex.com/workitem/94) -* [NTLM http proxy does not authenticate to the package feed.](http://nuget.codeplex.com/workitem/96) -* [The dialog doesn't always start centered in the VS window](http://nuget.codeplex.com/workitem/100) -* [Many of the fields in a packages details are not being populated in the dialog](http://nuget.codeplex.com/workitem/102) -* [Dialog UI doesn't show Authors' names](http://nuget.codeplex.com/workitem/108) -* [Why -Version for Remove-Package](http://nuget.codeplex.com/workitem/113) -* [Remove the Recent tab on the Dialog UI](http://nuget.codeplex.com/workitem/115) -* [VS crash when right click on solution folder after opening Dialog UI at least one.](http://nuget.codeplex.com/workitem/126) -* [Change the -Local parameter of List-Package to -Installed](http://nuget.codeplex.com/workitem/129) -* [Rename packages.xml to NuPack.config](http://nuget.codeplex.com/workitem/132) -* [Console forces cursor to the end of line](http://nuget.codeplex.com/workitem/135) -* [Remove-Package intellisense is broken](http://nuget.codeplex.com/workitem/136) -* [Add RequireLicenseAcceptance Flag to .nuspec and Feed](http://nuget.codeplex.com/workitem/137) -* [Add LicenseUrl to .nuspec Format and Package Feed](http://nuget.codeplex.com/workitem/138) -* [Clicking Install For Package That Requires Acceptance Should Show Acceptance Dialog](http://nuget.codeplex.com/workitem/139) -* [Add Disclaimer Text to the Add Package Dialog](http://nuget.codeplex.com/workitem/140) -* [Add Disclaimer When the Package Console is run the first time](http://nuget.codeplex.com/workitem/143) -* [Display Disclaimer After Installing Package In The Console](http://nuget.codeplex.com/workitem/144) -* [Rename the .nupack extension to .nupkg](http://nuget.codeplex.com/workitem/146) \ No newline at end of file +* ```[Package extension should be renamed to .nupack](http://nuget.codeplex.com/workitem/1)``` +* ```[Move package file into folder](http://nuget.codeplex.com/workitem/2)``` +* ```[Merge install & Add PS commands](http://nuget.codeplex.com/workitem/3)``` +* ```[Create aliases for Verb-Noun cmdlets](http://nuget.codeplex.com/workitem/4)``` +* ```[NuPack gets confused when switching solution in VS](http://nuget.codeplex.com/workitem/6)``` +* ```[We should hide the 'packages' solution folder by default](http://nuget.codeplex.com/workitem/11)``` +* ```[Add support for token replacement in content items.](http://nuget.codeplex.com/workitem/12)``` +* ```[NuPack.UI should use the PackageSource API](http://nuget.codeplex.com/workitem/26)``` +* ```[[Nupack.Core]: PackageManager marks packages as installed prior to installing them](http://nuget.codeplex.com/workitem/27)``` +* ```[Deleting default project from solution still shows the deleted project as default](http://nuget.codeplex.com/workitem/30)``` +* ```[New-Package fails with "Cannot add part for the specified URI because it's already in the package."](http://nuget.codeplex.com/workitem/32)``` +* ```[Remove "NuPack" strings from Visual Studio GUI](http://nuget.codeplex.com/workitem/35)``` +* ```[Add Apache Header To a COPYRIGHT.txt file](http://nuget.codeplex.com/workitem/36)``` +* ```[Remove Update-PackageSource Command](http://nuget.codeplex.com/workitem/37)``` +* ```[Package Manager unusable when loading profile throws an exception](http://nuget.codeplex.com/workitem/39)``` +* ```[init.ps1, install.ps1 and uninstall.ps1 need to receive additional state](http://nuget.codeplex.com/workitem/41)``` +* ```[Combine Console and GUI Packages Into One Package](http://nuget.codeplex.com/workitem/42)``` +* ```[Xml transform logic doesn't work if applied to XML that isn't at the root](http://nuget.codeplex.com/workitem/43)``` +* ```[Manage package sources settings dialog not updating the NuPack console](http://nuget.codeplex.com/workitem/44)``` +* ```[NuPack Console UI: Rename 'Package feed' drop-down list to 'Package source'](http://nuget.codeplex.com/workitem/45)``` +* ```[NuPack Console Options: Rename 'Repository UI' to be consistent with NuPack Console](http://nuget.codeplex.com/workitem/46)``` +* ```[Add-Package fails against a website that was opened from IIS or a URL](http://nuget.codeplex.com/workitem/53)``` +* ```[Package Manager Source Doesn't Work With FwLink](http://nuget.codeplex.com/workitem/55)``` +* ```[Set the default package source](http://nuget.codeplex.com/workitem/59)``` +* ```[When adding package sources in option, when only one source is supplied, assume it's the default.](http://nuget.codeplex.com/workitem/60)``` +* ```[The Dialog UI shows fake "recent" packages](http://nuget.codeplex.com/workitem/62)``` +* ```[Options: Clicking cancel does not cancel changes](http://nuget.codeplex.com/workitem/63)``` +* ```[Add Package Reference Dialog Search should be case insensitive](http://nuget.codeplex.com/workitem/65)``` +* ```[Fix company metadata in AssemblyInfo.cs files](http://nuget.codeplex.com/workitem/67)``` +* ```[Version number for the VSIX](http://nuget.codeplex.com/workitem/71)``` +* ```[Remove-Package: Using -? displays help twice](http://nuget.codeplex.com/workitem/72)``` +* ```[Execute install/uninstall packages for project level packages](http://nuget.codeplex.com/workitem/74)``` +* ```[Server unable to create feed when one nupack fails validation](http://nuget.codeplex.com/workitem/90)``` +* ```[Need to Replace NuPack Icons](http://nuget.codeplex.com/workitem/94)``` +* ```[NTLM http proxy does not authenticate to the package feed.](http://nuget.codeplex.com/workitem/96)``` +* ```[The dialog doesn't always start centered in the VS window](http://nuget.codeplex.com/workitem/100)``` +* ```[Many of the fields in a packages details are not being populated in the dialog](http://nuget.codeplex.com/workitem/102)``` +* ```[Dialog UI doesn't show Authors' names](http://nuget.codeplex.com/workitem/108)``` +* ```[Why -Version for Remove-Package](http://nuget.codeplex.com/workitem/113)``` +* ```[Remove the Recent tab on the Dialog UI](http://nuget.codeplex.com/workitem/115)``` +* ```[VS crash when right click on solution folder after opening Dialog UI at least one.](http://nuget.codeplex.com/workitem/126)``` +* ```[Change the -Local parameter of List-Package to -Installed](http://nuget.codeplex.com/workitem/129)``` +* ```[Rename packages.xml to NuPack.config](http://nuget.codeplex.com/workitem/132)``` +* ```[Console forces cursor to the end of line](http://nuget.codeplex.com/workitem/135)``` +* ```[Remove-Package intellisense is broken](http://nuget.codeplex.com/workitem/136)``` +* ```[Add RequireLicenseAcceptance Flag to .nuspec and Feed](http://nuget.codeplex.com/workitem/137)``` +* ```[Add LicenseUrl to .nuspec Format and Package Feed](http://nuget.codeplex.com/workitem/138)``` +* ```[Clicking Install For Package That Requires Acceptance Should Show Acceptance Dialog](http://nuget.codeplex.com/workitem/139)``` +* ```[Add Disclaimer Text to the Add Package Dialog](http://nuget.codeplex.com/workitem/140)``` +* ```[Add Disclaimer When the Package Console is run the first time](http://nuget.codeplex.com/workitem/143)``` +* ```[Display Disclaimer After Installing Package In The Console](http://nuget.codeplex.com/workitem/144)``` +* ```[Rename the .nupack extension to .nupkg](http://nuget.codeplex.com/workitem/146)``` diff --git a/docs/release-notes/NuGet-1.2.md b/docs/release-notes/NuGet-1.2.md index 6571b9e6e..f43a1121a 100644 --- a/docs/release-notes/NuGet-1.2.md +++ b/docs/release-notes/NuGet-1.2.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 1.2 including known issues, bug fixes, adde author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 1.2 Release Notes @@ -68,12 +68,12 @@ you won’t need to specify it every time you push a package. For more details o ### Package Explorer Package Explorer has been updated to support NuGet 1.2. For more information, check out the -[Package Explorer release notes](http://nuget.codeplex.com/wikipage?title=New%20features%20in%20NuGet%20Package%20Explorer%201.0). +```[Package Explorer release notes](http://nuget.codeplex.com/wikipage?title=New%20features%20in%20NuGet%20Package%20Explorer%201.0)```. ## Other features/fixes The previous list were the most noticeable of the many features we implemented and bugs we fixed. All in all, we -implemented/fixed [59 work items](http://nuget.codeplex.com/workitem/list/advanced?keyword=&status=All&type=All&priority=All&release=NuGet%201.2&assignedTo=All&component=All&sortField=Votes&sortDirection=Descending&page=0) +implemented/fixed ```[59 work items](http://nuget.codeplex.com/workitem/list/advanced?keyword=&status=All&type=All&priority=All&release=NuGet%201.2&assignedTo=All&component=All&sortField=Votes&sortDirection=Descending&page=0)``` in this release. ## Known Issues @@ -87,4 +87,4 @@ need to update that project with the latest version of NuGet.Server. you need to uninstall NuGet first and then install it. This is listed in our [Known Issues page](../release-notes/known-issues.md) which provides more details. The issue only affects those running Visual Studio 2010 SP1 and have a version of NuGet 1.0 installed that was incorrectly signed. This version was only made available from the CodePlex website for a brief -period so this issue shouldn't affect too many people. \ No newline at end of file +period so this issue shouldn't affect too many people. diff --git a/docs/release-notes/NuGet-1.3.md b/docs/release-notes/NuGet-1.3.md index de62ac8dc..74115f60a 100644 --- a/docs/release-notes/NuGet-1.3.md +++ b/docs/release-notes/NuGet-1.3.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 1.3 including known issues, bug fixes, adde author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 1.3 Release Notes @@ -105,7 +105,7 @@ Thanks to community contributions, NuGet includes support for WiX project types ## Bug Fixes -For a full list of bug fixes, please view the [NuGet Issue Tracker for this release](http://nuget.codeplex.com/workitem/list/advanced?keyword=&status=All&type=All&priority=All&release=NuGet%201.3&assignedTo=All&component=All&sortField=LastUpdatedDate&sortDirection=Descending&page=0). +For a full list of bug fixes, please view the ```[NuGet Issue Tracker for this release](http://nuget.codeplex.com/workitem/list/advanced?keyword=&status=All&type=All&priority=All&release=NuGet%201.3&assignedTo=All&component=All&sortField=LastUpdatedDate&sortDirection=Descending&page=0)```. ## Bug fixes worth noting diff --git a/docs/release-notes/NuGet-1.4.md b/docs/release-notes/NuGet-1.4.md index 144fa5524..71514285b 100644 --- a/docs/release-notes/NuGet-1.4.md +++ b/docs/release-notes/NuGet-1.4.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 1.4 including known issues, bug fixes, adde author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 1.4 Release Notes @@ -167,19 +167,19 @@ vsixinstaller.exe /uninstall:NuPackToolsVsix.Microsoft.67e54e40-0ae3-42c5-a949-f ## Bug Fixes NuGet 1.4 had a total of 88 work items fixed. 71 of those were marked as bugs. -For a full list of work items fixed in NuGet 1.4, please view the [NuGet Issue Tracker for this release](http://nuget.codeplex.com/workitem/list/advanced?keyword=&status=All&type=All&priority=All&release=NuGet%201.4&assignedTo=All&component=All&sortField=LastUpdatedDate&sortDirection=Descending&page=0). +For a full list of work items fixed in NuGet 1.4, please view the ```[NuGet Issue Tracker for this release](http://nuget.codeplex.com/workitem/list/advanced?keyword=&status=All&type=All&priority=All&release=NuGet%201.4&assignedTo=All&component=All&sortField=LastUpdatedDate&sortDirection=Descending&page=0)```. ## Bug fixes worth noting: -* [Issue 603](http://nuget.codeplex.com/workitem/603): Package dependencies across different repositories resolves +* ```[Issue 603](http://nuget.codeplex.com/workitem/603)```: Package dependencies across different repositories resolves correctly when specifying a specific package source. -* [Issue 1036](http://nuget.codeplex.com/workitem/1036): Adding `NuGet Pack SomeProject.csproj` to post-build event no longer causes an infinite loop. -* [Issue 961](http://nuget.codeplex.com/workitem/961): `-Source` flag supports relative paths. +* ```[Issue 1036](http://nuget.codeplex.com/workitem/1036)```: Adding `NuGet Pack SomeProject.csproj` to post-build event no longer causes an infinite loop. +* ```[Issue 961](http://nuget.codeplex.com/workitem/961)```: `-Source` flag supports relative paths. ## NuGet 1.4 Update Shortly after the release of NuGet 1.4, we found a couple of issues that were important to fix. The specific version number of this update to 1.4 is 1.4.20615.9020. ### Bug Fixes -* [Issue 1220](http://nuget.codeplex.com/workitem/1220): Update-Package doesnt execute `install.ps1`/`uninstall.ps1` in all projects when there is more than one project -* [Issue 1156](http://nuget.codeplex.com/workitem/1156): Package Manager Consol stuck on W2K3/XP (when Powershell 2 is not installed) +* ```[Issue 1220](http://nuget.codeplex.com/workitem/1220)```: Update-Package doesnt execute `install.ps1`/`uninstall.ps1` in all projects when there is more than one project +* ```[Issue 1156](http://nuget.codeplex.com/workitem/1156)```: Package Manager Consol stuck on W2K3/XP (when Powershell 2 is not installed) diff --git a/docs/release-notes/NuGet-1.5.md b/docs/release-notes/NuGet-1.5.md index 364687dbf..3bb052e73 100644 --- a/docs/release-notes/NuGet-1.5.md +++ b/docs/release-notes/NuGet-1.5.md @@ -4,7 +4,8 @@ description: Release notes for NuGet 1.5 including known issues, bug fixes, adde author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes +ms.custom: sfi-image-nochange --- # NuGet 1.5 Release Notes @@ -135,13 +136,13 @@ not to include any file in the package. ## Bug Fixes NuGet 1.5 had a total of 107 work items fixed. 103 of those were marked as bugs. -For a full list of work items fixed in NuGet 1.5, please view the [NuGet Issue Tracker for this release](http://nuget.codeplex.com/workitem/list/advanced?keyword=&status=All&type=All&priority=All&release=NuGet%201.5&assignedTo=All&component=All&sortField=Summary&sortDirection=Descending&page=0). +For a full list of work items fixed in NuGet 1.5, please view the ```[NuGet Issue Tracker for this release](http://nuget.codeplex.com/workitem/list/advanced?keyword=&status=All&type=All&priority=All&release=NuGet%201.5&assignedTo=All&component=All&sortField=Summary&sortDirection=Descending&page=0)```. ## Bug fixes worth noting: -* [Issue 1273](http://nuget.codeplex.com/workitem/1273): Made `packages.config` more version control +* ```[Issue 1273](http://nuget.codeplex.com/workitem/1273)```: Made `packages.config` more version control friendly by sorting packages alphabetically and removing extra whitespace. -* [Issue 844](http://nuget.codeplex.com/workitem/844): Version numbers are now normalized so that +* ```[Issue 844](http://nuget.codeplex.com/workitem/844)```: Version numbers are now normalized so that `Install-Package 1.0` works on a package with the version `1.0.0`. -* [Issue 1060](http://nuget.codeplex.com/workitem/1060): When creating a package using nuget.exe, +* ```[Issue 1060](http://nuget.codeplex.com/workitem/1060)```: When creating a package using nuget.exe, the `-Version` flag overrides the `` element. diff --git a/docs/release-notes/NuGet-1.6.md b/docs/release-notes/NuGet-1.6.md index 7ccaa4892..4dd8dd1ca 100644 --- a/docs/release-notes/NuGet-1.6.md +++ b/docs/release-notes/NuGet-1.6.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 1.6 including known issues, bug fixes, adde author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 1.6 Release Notes @@ -59,4 +59,4 @@ NuGet 1.6 allows unchecking a package source to disable it, but keep it around. NuGet 1.6 had a total of 106 work items fixed. 95 of those were classified as bugs and 10 of those were features. -For a full list of work items fixed in NuGet 1.6, please view the [NuGet Issue Tracker for this release](http://nuget.codeplex.com/workitem/list/advanced?keyword=&status=Closed&type=All&priority=All&release=NuGet%201.6&assignedTo=All&component=All&sortField=Votes&sortDirection=Descending&page=0). +For a full list of work items fixed in NuGet 1.6, please view the ```[NuGet Issue Tracker for this release](http://nuget.codeplex.com/workitem/list/advanced?keyword=&status=Closed&type=All&priority=All&release=NuGet%201.6&assignedTo=All&component=All&sortField=Votes&sortDirection=Descending&page=0)```. diff --git a/docs/release-notes/NuGet-1.7.md b/docs/release-notes/NuGet-1.7.md index a4e878be5..5a2f1b933 100644 --- a/docs/release-notes/NuGet-1.7.md +++ b/docs/release-notes/NuGet-1.7.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 1.7 including known issues, bug fixes, adde author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 1.7 Release Notes @@ -62,4 +62,4 @@ nuget.exe or the handy NuGet Package Explorer to create packages. NuGet 1.7 has fixed many bugs around the Package Restore workflow and Network/Source Control scenarios. -For a full list of work items fixed in NuGet 1.7, please view the [NuGet Issue Tracker for this release](http://nuget.codeplex.com/workitem/list/advanced?keyword=&status=Closed&type=All&priority=All&release=NuGet%201.7&assignedTo=All&component=All&sortField=Votes&sortDirection=Descending&page=0). +For a full list of work items fixed in NuGet 1.7, please view the ```[NuGet Issue Tracker for this release](http://nuget.codeplex.com/workitem/list/advanced?keyword=&status=Closed&type=All&priority=All&release=NuGet%201.7&assignedTo=All&component=All&sortField=Votes&sortDirection=Descending&page=0)```. diff --git a/docs/release-notes/NuGet-1.8.md b/docs/release-notes/NuGet-1.8.md index 6895b29d3..6179df1c7 100644 --- a/docs/release-notes/NuGet-1.8.md +++ b/docs/release-notes/NuGet-1.8.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 1.8 including known issues, bug fixes, adde author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 1.8 Release Notes @@ -65,11 +65,11 @@ The second method is to set the environment variable “EnableNuGetPackageRestor Now, as stated above, we have only laid the groundwork for this feature in NuGet 1.8. Practically, this means that while we’ve added all of the logic to enable the feature, it's not currently enforced in this version. It will be enabled, however, in the next release of NuGet, so we wanted to make you aware of it as soon as possible so that you can configure your environments appropriately and therefore not be impacted when we start enforce the consent constraint. -For more details, please see the [team blog post](http://blog.nuget.org/20120518/package-restore-and-consent.html) on this feature. +For more details, please see the [team blog post](https://blog.nuget.org/20120518/package-restore-and-consent.html) on this feature. ### nuget.exe Performance Improvements By modifying the install command to download and install packages in parallel, NuGet 1.8 brings dramatic performance improvements to nuget.exe – and by extension package restore. High level testing shows that performance for installing 6 packages into a project improves by about 35% in NuGet 1.8. Increasing the number of packages to 25 shows a performance gain of about 60%. ## Bug Fixes NuGet 1.8 includes quite a few bug fixes with an emphasis on the package manager console and package restore workflow, particularly as it relates to package restore consent and Windows 8 Express integration. -For a full list of work items fixed in NuGet 1.8, please view the [NuGet Issue Tracker for this release](http://nuget.codeplex.com/workitem/list/advanced?keyword=&status=Closed&type=All&priority=All&release=NuGet%201.8&assignedTo=All&component=All&sortField=Votes&sortDirection=Descending&page=0). \ No newline at end of file +For a full list of work items fixed in NuGet 1.8, please view the ```[NuGet Issue Tracker for this release](http://nuget.codeplex.com/workitem/list/advanced?keyword=&status=Closed&type=All&priority=All&release=NuGet%201.8&assignedTo=All&component=All&sortField=Votes&sortDirection=Descending&page=0)```. diff --git a/docs/release-notes/NuGet-2.0.md b/docs/release-notes/NuGet-2.0.md index d7e2f3592..d37a46008 100644 --- a/docs/release-notes/NuGet-2.0.md +++ b/docs/release-notes/NuGet-2.0.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 2.0 including known issues, bug fixes, adde author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 2.0 Release Notes @@ -25,7 +25,7 @@ then you likely need to restart Visual Studio using "Run as Administrator." ## Package restore consent is now active -As described in this [post on package restore consent](http://blog.nuget.org/20120518/package-restore-and-consent.html), NuGet 2.0 will now require that consent be given to enable package restore to go online and download packages. Please ensure that you have provided consent via either the package manager configuration dialog or the EnableNuGetPackageRestore environment variable. +As described in this [post on package restore consent](https://blog.nuget.org/20120518/package-restore-and-consent.html), NuGet 2.0 will now require that consent be given to enable package restore to go online and download packages. Please ensure that you have provided consent via either the package manager configuration dialog or the EnableNuGetPackageRestore environment variable. ## Group dependencies by target frameworks @@ -97,4 +97,4 @@ The tab completion feature in the NuGet Package Manager Console has been updated ## Bug Fixes NuGet 2.0 includes many bug fixes with an emphasis on package restore consent and performance. -For a full list of work items fixed in NuGet 2.0, please view the [NuGet Issue Tracker for this release](http://nuget.codeplex.com/workitem/list/advanced?keyword=&status=Closed&type=All&priority=All&release=NuGet%202.0&assignedTo=All&component=All&sortField=Votes&sortDirection=Descending&page=0). +For a full list of work items fixed in NuGet 2.0, please view the ```[NuGet Issue Tracker for this release](http://nuget.codeplex.com/workitem/list/advanced?keyword=&status=Closed&type=All&priority=All&release=NuGet%202.0&assignedTo=All&component=All&sortField=Votes&sortDirection=Descending&page=0)```. diff --git a/docs/release-notes/NuGet-2.1.md b/docs/release-notes/NuGet-2.1.md index 5a3b00df4..e2ed72aba 100644 --- a/docs/release-notes/NuGet-2.1.md +++ b/docs/release-notes/NuGet-2.1.md @@ -4,7 +4,8 @@ description: Release notes for NuGet 2.1 including known issues, bug fixes, adde author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes +ms.custom: sfi-image-nochange --- # NuGet 2.1 Release Notes @@ -146,4 +147,4 @@ In previous versions of NuGet, updating a package source from within the Visual ## Bug Fixes -NuGet 2.1 includes many bug fixes. For a full list of work items fixed in NuGet 2.0, please view the [NuGet Issue Tracker for this release](http://nuget.codeplex.com/workitem/list/advanced?keyword=&status=Fixed&type=All&priority=All&release=NuGet%202.1&assignedTo=All&component=All&sortField=LastUpdatedDate&sortDirection=Descending&page=0). +NuGet 2.1 includes many bug fixes. For a full list of work items fixed in NuGet 2.0, please view the ```[NuGet Issue Tracker for this release](http://nuget.codeplex.com/workitem/list/advanced?keyword=&status=Fixed&type=All&priority=All&release=NuGet%202.1&assignedTo=All&component=All&sortField=LastUpdatedDate&sortDirection=Descending&page=0)```. diff --git a/docs/release-notes/NuGet-2.12-RC.md b/docs/release-notes/NuGet-2.12-RC.md index ffd6d73ac..57b3f680e 100644 --- a/docs/release-notes/NuGet-2.12-RC.md +++ b/docs/release-notes/NuGet-2.12-RC.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 2.12 RC including known issues, bug fixes, author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 2.12-RC Release Notes diff --git a/docs/release-notes/NuGet-2.12.md b/docs/release-notes/NuGet-2.12.md index eef3d737a..db1e010bb 100644 --- a/docs/release-notes/NuGet-2.12.md +++ b/docs/release-notes/NuGet-2.12.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 2.12 including known issues, bug fixes, add author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 2.12 Release Notes diff --git a/docs/release-notes/NuGet-2.2.1.md b/docs/release-notes/NuGet-2.2.1.md index 776d22001..84de48489 100644 --- a/docs/release-notes/NuGet-2.2.1.md +++ b/docs/release-notes/NuGet-2.2.1.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 2.2.1 including known issues, bug fixes, ad author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 2.2.1 Release Notes @@ -39,7 +39,7 @@ If you produce Visual Studio templates, you can use NuGet to [preinstall package The main scenario for this feature is custom ASP.NET project templates. The built-in ASP.NET templates use preinstalled packages, pulling packages from local disk. You can now create a custom ASP.NET project template that uses the existing packages installed by ASP.NET but add extra NuGet packages into your template. ## Bug Fixes -NuGet 2.2.1 includes a few targeted bug fixes. For a list of work items fixed in NuGet 2.2.1, please view the [NuGet Issue Tracker for this release](http://nuget.codeplex.com/workitem/list/advanced?keyword=&status=Closed&type=All&priority=All&release=NuGet%202.2.1&assignedTo=All&component=All&sortField=LastUpdatedDate&sortDirection=Descending&page=0). +NuGet 2.2.1 includes a few targeted bug fixes. For a list of work items fixed in NuGet 2.2.1, please view the ```[NuGet Issue Tracker for this release](http://nuget.codeplex.com/workitem/list/advanced?keyword=&status=Closed&type=All&priority=All&release=NuGet%202.2.1&assignedTo=All&component=All&sortField=LastUpdatedDate&sortDirection=Descending&page=0)```. ## Known Issues diff --git a/docs/release-notes/NuGet-2.2.md b/docs/release-notes/NuGet-2.2.md index 99fd38138..ea2296b2c 100644 --- a/docs/release-notes/NuGet-2.2.md +++ b/docs/release-notes/NuGet-2.2.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 2.2 including known issues, bug fixes, adde author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 2.2 Release Notes @@ -34,8 +34,8 @@ NuGet 2.2 now allows you to specify an entire folder in the `` element of ## Known Issues ### Package installation fails for F# projects when using the package manager console -When attempting to install a NuGet package into an F# project using the package manager console, an InvalidOperationException is thrown. We are actively working with the F# team to resolve the issue, but in the meantime, the workaround is to install NuGet packages into F# projects via NuGet's package manager dialog rather than the console. [More information is available on CodePlex](http://nuget.codeplex.com/workitem/2873). +When attempting to install a NuGet package into an F# project using the package manager console, an InvalidOperationException is thrown. We are actively working with the F# team to resolve the issue, but in the meantime, the workaround is to install NuGet packages into F# projects via NuGet's package manager dialog rather than the console. ```[More information is available on CodePlex](http://nuget.codeplex.com/workitem/2873)```. ## Bug Fixes -NuGet 2.2 includes many bug fixes. For a full list of work items fixed in NuGet 2.2, please view the [NuGet Issue Tracker for this release](http://nuget.codeplex.com/workitem/list/advanced?keyword=&status=Closed&type=All&priority=All&release=NuGet%202.2&assignedTo=All&component=All&sortField=LastUpdatedDate&sortDirection=Descending&page=0). +NuGet 2.2 includes many bug fixes. For a full list of work items fixed in NuGet 2.2, please view the ```[NuGet Issue Tracker for this release](http://nuget.codeplex.com/workitem/list/advanced?keyword=&status=Closed&type=All&priority=All&release=NuGet%202.2&assignedTo=All&component=All&sortField=LastUpdatedDate&sortDirection=Descending&page=0)```. diff --git a/docs/release-notes/NuGet-2.5.md b/docs/release-notes/NuGet-2.5.md index dcc93aaef..afaa2e90b 100644 --- a/docs/release-notes/NuGet-2.5.md +++ b/docs/release-notes/NuGet-2.5.md @@ -4,48 +4,48 @@ description: Release notes for NuGet 2.5 including known issues, bug fixes, adde author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 2.5 Release Notes [NuGet 2.2.1 Release Notes](../release-notes/nuget-2.2.1.md) | [NuGet 2.6 Release Notes](../release-notes/nuget-2.6.md) -NuGet 2.5 was released on April 25, 2013. This release was so big, we felt compelled to skip versions 2.3 and 2.4! To date, this is the largest release we've had for NuGet, with over [160 work items](https://nuget.codeplex.com/workitem/list/advanced?release=NuGet%202.5&status=all) in the release. +NuGet 2.5 was released on April 25, 2013. This release was so big, we felt compelled to skip versions 2.3 and 2.4! To date, this is the largest release we've had for NuGet, with over ```[160 work items](https://nuget.codeplex.com/workitem/list/advanced?release=NuGet%202.5&status=all)``` in the release. ## Acknowledgements We would like to thank the following external contributors for their significant contributions to NuGet 2.5: -1. [Daniel Plaisted](https://www.codeplex.com/site/users/view/dsplaisted) ([@dsplaisted](https://twitter.com/dsplaisted)) - - [#2847](https://nuget.codeplex.com/workitem/2847) - Add MonoAndroid, MonoTouch, and MonoMac to the list of known target framework identifiers. -2. [Andres G. Aragoneses](https://www.codeplex.com/site/users/view/knocte) ([@knocte](https://twitter.com/knocte)) - - [#2865](https://nuget.codeplex.com/workitem/2865) - Fix spelling of `NuGet.targets` for a case-sensitive OS -3. [David Fowler](https://www.codeplex.com/site/users/view/dfowler) ([@davidfowl](https://twitter.com/davidfowl)) +1. ```[Daniel Plaisted](https://www.codeplex.com/site/users/view/dsplaisted)``` ([@dsplaisted](https://twitter.com/dsplaisted)) + - ```[#2847](https://nuget.codeplex.com/workitem/2847)``` - Add MonoAndroid, MonoTouch, and MonoMac to the list of known target framework identifiers. +2. ```[Andres G. Aragoneses](https://www.codeplex.com/site/users/view/knocte)``` ([@knocte](https://twitter.com/knocte)) + - ```[#2865](https://nuget.codeplex.com/workitem/2865)``` - Fix spelling of `NuGet.targets` for a case-sensitive OS +3. ```[David Fowler](https://www.codeplex.com/site/users/view/dfowler)``` ([@davidfowl](https://twitter.com/davidfowl)) - Make the solution build on Mono. -4. [Andrew Theken](https://www.codeplex.com/site/users/view/atheken) ([@atheken](https://twitter.com/atheken)) +4. ```[Andrew Theken](https://www.codeplex.com/site/users/view/atheken)``` ([@atheken](https://twitter.com/atheken)) - Fix unit tests failing on Mono. -5. [Olivier Dagenais](https://www.codeplex.com/site/users/view/OliIsCool) ([@OliIsCool](https://twitter.com/oliiscool)) - - [#2920](https://nuget.codeplex.com/workitem/2920) - nuget.exe pack command does not propagate Properties to MSBuild -6. [Miroslav Bajtos](https://www.codeplex.com/site/users/view/MiroslavBajtos) ([@bajtos](https://twitter.com/bajtos)) - - [#1511](https://nuget.codeplex.com/workitem/1511) - Modified XML handling code to preserve formatting. -7. [Adam Ralph](http://www.codeplex.com/site/users/view/adamralph) ([@adamralph](https://twitter.com/adamralph)) +5. ```[Olivier Dagenais](https://www.codeplex.com/site/users/view/OliIsCool)``` ([@OliIsCool](https://twitter.com/oliiscool)) + - ```[#2920](https://nuget.codeplex.com/workitem/2920)``` - nuget.exe pack command does not propagate Properties to MSBuild +6. ```[Miroslav Bajtos](https://www.codeplex.com/site/users/view/MiroslavBajtos)``` ([@bajtos](https://twitter.com/bajtos)) + - ```[#1511](https://nuget.codeplex.com/workitem/1511)``` - Modified XML handling code to preserve formatting. +7. ```[Adam Ralph](http://www.codeplex.com/site/users/view/adamralph)``` ([@adamralph](https://twitter.com/adamralph)) - Added recognized words to custom dictionary to allow build.cmd to succeed. -8. [Bruno Roggeri](https://www.codeplex.com/site/users/view/broggeri) +8. ```[Bruno Roggeri](https://www.codeplex.com/site/users/view/broggeri)``` - Fix unit tests when running in localized VS. -9. [Gareth Evans](https://www.codeplex.com/site/users/view/garethevans) +9. ```[Gareth Evans](https://www.codeplex.com/site/users/view/garethevans)``` - Extracted interface from PackageService -10. [Maxime Brugidou](https://www.codeplex.com/site/users/view/brugidou) ([@brugidou](https://twitter.com/brugidou)) - - [#936](https://nuget.codeplex.com/workitem/936) - Handle project dependencies when packing -11. [Xavier Decoster](https://www.codeplex.com/site/users/view/XavierDecoster) ([@XavierDecoster](https://twitter.com/xavierdecoster)) - - [#2991](https://nuget.codeplex.com/workitem/2991), [#3164](https://nuget.codeplex.com/workitem/3164) - Support Clear Text Password when storing package source credentials in nuget.cofig files -12. [James Manning](http://www.codeplex.com/site/users/view/jmanning) ([@manningj](https://twitter.com/manningj)) - - [#3190](http://nuget.codeplex.com/workitem/3190), [#3191](http://nuget.codeplex.com/workitem/3191) - Fix Get-Package help description +10. ```[Maxime Brugidou](https://www.codeplex.com/site/users/view/brugidou)``` ([@brugidou](https://twitter.com/brugidou)) + - ```[#936](https://nuget.codeplex.com/workitem/936)``` - Handle project dependencies when packing +11. ```[Xavier Decoster](https://www.codeplex.com/site/users/view/XavierDecoster)``` ([@XavierDecoster](https://twitter.com/xavierdecoster)) + - ```[#2991](https://nuget.codeplex.com/workitem/2991)```, ```[#3164](https://nuget.codeplex.com/workitem/3164)``` - Support Clear Text Password when storing package source credentials in nuget.cofig files +12. ```[James Manning](http://www.codeplex.com/site/users/view/jmanning)``` ([@manningj](https://twitter.com/manningj)) + - ```[#3190](http://nuget.codeplex.com/workitem/3190)```, ```[#3191](https://nuget.codeplex.com/workitem/3191)``` - Fix Get-Package help description We also appreciate the following individuals for finding bugs with NuGet 2.5 Beta/RC that were approved and fixed before the final release: -1. [Tony Wall](https://www.codeplex.com/site/users/view/CodeChief) ([@CodeChief](https://twitter.com/codechief)) - - [#3200](https://nuget.codeplex.com/workitem/3200) - MSTest broken with lastest NuGet 2.4 and 2.5 builds +1. ```[Tony Wall](https://www.codeplex.com/site/users/view/CodeChief)``` ([@CodeChief](https://twitter.com/codechief)) + - ```[#3200](https://nuget.codeplex.com/workitem/3200)``` - MSTest broken with lastest NuGet 2.4 and 2.5 builds ## Notable features in the release @@ -119,7 +119,7 @@ Now nuget.exe pack command processes referenced projects with the following rule This allows a referenced project to be treated as a dependency if there is a `.nuspec` file, otherwise, it becomes part of the package. More details here: -[http://nuget.codeplex.com/workitem/936](http://nuget.codeplex.com/workitem/936) +```[http://nuget.codeplex.com/workitem/936](http://nuget.codeplex.com/workitem/936)``` ### Add a 'Minimum NuGet Version' property to packages @@ -154,7 +154,7 @@ Starting with NuGet 2.5, if a dependency version is already satisfied, the depen * NuGet will no longer update B, because it detects that the existing version 1.0.0 satisfies the dependency version constraint. -For more background on this change, read the detailed [work item](http://nuget.codeplex.com/workitem/1681) as well as the related [discussion thread](http://nuget.codeplex.com/discussions/436712). +For more background on this change, read the detailed ```[work item](https://nuget.codeplex.com/workitem/1681)``` as well as the related ```[discussion thread](https://nuget.codeplex.com/discussions/436712)```. ### nuget.exe outputs http requests with detailed verbosity @@ -186,6 +186,6 @@ nuget sources add -name test -source http://test -ConfigFile C:\test\.nuget\Nuge ### Support for Native projects -With NuGet 2.5, the NuGet tooling is now available for Native projects in Visual Studio. We expect most native packages will utilize the MSBuild imports feature above, using a tool created by the [CoApp project](http://coapp.org). For more information, read [the details about the tool](http://coapp.org/news/2013-03-27-The-Long-Awaited-post.html) on the coapp.org website. +With NuGet 2.5, the NuGet tooling is now available for Native projects in Visual Studio. We expect most native packages will utilize the MSBuild imports feature above, using a tool created by the [CoApp project](https://github.com/coapp). For more information, read [the details about the tool](https://github.com/coapp/coapp.org/blob/master/src/dynamic/news/2013-03-27-The-Long-Awaited-post.html.md) on the coapp.org website. The target framework name of "native" is introduced for packages to include files in \build, \content, and \tools when the package is installed into a native project. The \`lib` folder is not used for native projects. diff --git a/docs/release-notes/NuGet-2.6.1-for-WebMatrix.md b/docs/release-notes/NuGet-2.6.1-for-WebMatrix.md index 606b1a7f3..e5abd798f 100644 --- a/docs/release-notes/NuGet-2.6.1-for-WebMatrix.md +++ b/docs/release-notes/NuGet-2.6.1-for-WebMatrix.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 2.6.1 for WebMatrix including known issues, author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 2.6.1 for WebMatrix Release Notes @@ -35,7 +35,7 @@ This latest release provides compatibility with the newest NuGet packages, preve Some users have reported that after installing NuGet packages in WebMatrix that include DLLs that get copied to bin, that the DLLs show up in the `bin` folder as 0-byte files. This breaks the application at runtime. -[This issue](https://nuget.codeplex.com/workitem/4060) has now been fixed. +```[This issue](https://nuget.codeplex.com/workitem/4060)``` has now been fixed. ## Other Recent Improvements diff --git a/docs/release-notes/NuGet-2.6.md b/docs/release-notes/NuGet-2.6.md index 72df70c2b..b9a4db16c 100644 --- a/docs/release-notes/NuGet-2.6.md +++ b/docs/release-notes/NuGet-2.6.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 2.6 including known issues, bug fixes, adde author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 2.6 Release Notes @@ -43,7 +43,7 @@ Studio build configuration transformations. In April 2013, we made two big announcements regarding NuGet support for XDT. The first was that the XDT library itself was being itself [released as a NuGet package](https://nuget.org/packages/Microsoft.Web.Xdt) -and [open sourced on CodePlex](http://xdt.codeplex.com/). This step enabled the XDT engine +and ```[open sourced on CodePlex](http://xdt.codeplex.com/)```. This step enabled the XDT engine to be used freely by other open-source software, including the NuGet client. The second announcement was the plan to support use of the XDT engine for transformations in the NuGet client. NuGet 2.6 includes this integration. @@ -135,7 +135,7 @@ relevance boosting. ### Tracking Direct Installs vs. Dependency Installs -Package authors are relying more and more on the [Package Statistics](http://blog.nuget.org/20130226/Introducing-Package-Statistics.html) +Package authors are relying more and more on the [Package Statistics](https://blog.nuget.org/20130226/Introducing-Package-Statistics.html) provided on the NuGet Gallery. One significant missing data point that authors have asked for is a differentiation between direct package installs and dependency installs. Until now, the NuGet client did not send any context around the installation operation for whether the @@ -158,4 +158,4 @@ package authors to fully understand how developers are installing their packages ## Bug Fixes NuGet 2.6 also includes several bug fixes. For a full list of work items fixed in NuGet 2.6, please view -the [NuGet Issue Tracker for this release](https://nuget.codeplex.com/workitem/list/advanced?keyword=&status=Closed&type=All&priority=All&release=NuGet%202.6&assignedTo=All&component=All&sortField=LastUpdatedDate&sortDirection=Descending&page=0&reasonClosed=All). \ No newline at end of file +the ```[NuGet Issue Tracker for this release](https://nuget.codeplex.com/workitem/list/advanced?keyword=&status=Closed&type=All&priority=All&release=NuGet%202.6&assignedTo=All&component=All&sortField=LastUpdatedDate&sortDirection=Descending&page=0&reasonClosed=All)```. diff --git a/docs/release-notes/NuGet-2.7.1.md b/docs/release-notes/NuGet-2.7.1.md index d12300a97..b9b3ed7de 100644 --- a/docs/release-notes/NuGet-2.7.1.md +++ b/docs/release-notes/NuGet-2.7.1.md @@ -4,13 +4,13 @@ description: Release notes for NuGet 2.7.1 including known issues, bug fixes, ad author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 2.7.1 Release Notes [NuGet 2.7 Release Notes](../release-notes/nuget-2.7.md) | [NuGet 2.7.2 Release Notes](../release-notes/nuget-2.7.2.md) -NuGet 2.7.1 was released on October 7, 2013. This is a minor update to our recent 2.7 release with some targeted fixes to improve the experience of new 2.7 features. For a list of work items fixed in NuGet 2.7.1, please view the [NuGet Issue Tracker for this release](http://nuget.codeplex.com/workitem/list/advanced?keyword=&status=Closed&type=All&priority=All&release=NuGet%202.7.1&assignedTo=All&component=All&sortField=LastUpdatedDate&sortDirection=Descending&page=0). +NuGet 2.7.1 was released on October 7, 2013. This is a minor update to our recent 2.7 release with some targeted fixes to improve the experience of new 2.7 features. For a list of work items fixed in NuGet 2.7.1, please view the ```[NuGet Issue Tracker for this release](http://nuget.codeplex.com/workitem/list/advanced?keyword=&status=Closed&type=All&priority=All&release=NuGet%202.7.1&assignedTo=All&component=All&sortField=LastUpdatedDate&sortDirection=Descending&page=0)```. The complete set of features in 2.7 can be found in the [release notes](../release-notes/nuget-2.7.md) here. diff --git a/docs/release-notes/NuGet-2.7.2.md b/docs/release-notes/NuGet-2.7.2.md index d00da9daf..bc7b2a718 100644 --- a/docs/release-notes/NuGet-2.7.2.md +++ b/docs/release-notes/NuGet-2.7.2.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 2.7.2 including known issues, bug fixes, ad author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 2.7.2 Release Notes @@ -42,4 +42,4 @@ When Xamarin's development tools are installed on a machine, they modify the sup When using hierarchical Nuget.Config files, the repositoryPath key was not being honored for Nuget.Config files closest to the solution root. In Visual Studio 2013, NuGet installs a custom Nuget.Config file at %ProgramData%\NuGet\Config\VisualStudio\12.0\Microsoft.VisualStudio.config in order to add the "Microsoft and .NET" package source. As a result, the work-around for using a custom repositoryPath in a solution was to delete the machine-level Nuget.Config - which also meant removing the "Microsoft and .NET" package source. NuGet 2.7.2 now honors the precedence rules for repositoryPath when using hierarchical Nuget.Config files. ## All Changes -For a full list of work items fixed in NuGet 2.7.2, please view the [NuGet Issue Tracker for this release](https://nuget.codeplex.com/workitem/list/advanced?keyword=&status=All&type=All&priority=All&release=NuGet%202.7.2&assignedTo=All&component=All&sortField=LastUpdatedDate&sortDirection=Descending&page=0&reasonClosed=Fixed). +For a full list of work items fixed in NuGet 2.7.2, please view the ```[NuGet Issue Tracker for this release](https://nuget.codeplex.com/workitem/list/advanced?keyword=&status=All&type=All&priority=All&release=NuGet%202.7.2&assignedTo=All&component=All&sortField=LastUpdatedDate&sortDirection=Descending&page=0&reasonClosed=Fixed)```. diff --git a/docs/release-notes/NuGet-2.7.md b/docs/release-notes/NuGet-2.7.md index 565ff307b..6154bfff3 100644 --- a/docs/release-notes/NuGet-2.7.md +++ b/docs/release-notes/NuGet-2.7.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 2.7 including known issues, bug fixes, adde author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 2.7 Release Notes @@ -17,37 +17,37 @@ NuGet 2.7 was released on August 22, 2013. We would like to thank the following external contributors for their significant contributions to NuGet 2.7: -1. [Mike Roth](http://www.codeplex.com/site/users/view/mxrss) ([@mxrss](https://twitter.com/mxrss)) +1. ```[Mike Roth](http://www.codeplex.com/site/users/view/mxrss)``` ([@mxrss](https://twitter.com/mxrss)) - Show License url when listing packages and verbosity is detailed. -2. [Adam Ralph](http://www.codeplex.com/site/users/view/adamralph) ([@adamralph](https://twitter.com/adamralph)) - - [#1956](http://nuget.codeplex.com/workitem/1956) - Add developmentDependency attribute to `packages.config` and use it in pack command to only include runtime packages -3. [Rafael Nicoletti](http://www.codeplex.com/site/users/view/tkrafael) ([@tkrafael](https://twitter.com/tkrafael)) +2. ```[Adam Ralph](http://www.codeplex.com/site/users/view/adamralph)``` ([@adamralph](https://twitter.com/adamralph)) + - ```[#1956](http://nuget.codeplex.com/workitem/1956)``` - Add developmentDependency attribute to `packages.config` and use it in pack command to only include runtime packages +3. ```[Rafael Nicoletti](http://www.codeplex.com/site/users/view/tkrafael)``` ([@tkrafael](https://twitter.com/tkrafael)) - Avoid duplicate Properties key in nuget.exe pack command. -4. [Ben Phegan](http://www.codeplex.com/site/users/view/benphegan) ([@BenPhegan](https://twitter.com/benphegan)) - - [#2610](http://nuget.codeplex.com/workitem/2610) - Increase machine cache size to 200. -5. [Slava Trenogin](http://www.codeplex.com/site/users/view/derigel) ([@derigel](https://twitter.com/derigel)) - - [#3217](http://nuget.codeplex.com/workitem/3217) - Fix NuGet dialog showing updates in the wrong tab +4. ```[Ben Phegan](http://www.codeplex.com/site/users/view/benphegan)``` ([@BenPhegan](https://twitter.com/benphegan)) + - ```[#2610](http://nuget.codeplex.com/workitem/2610)``` - Increase machine cache size to 200. +5. ```[Slava Trenogin](http://www.codeplex.com/site/users/view/derigel)``` ([@derigel](https://twitter.com/derigel)) + - ```[#3217](http://nuget.codeplex.com/workitem/3217)``` - Fix NuGet dialog showing updates in the wrong tab - Fix Project.TargetFramework can be null in ProjectManager - - [#3248](http://nuget.codeplex.com/workitem/3248) - Fix SharedPackageRepository FindPackage/FindPackagesById will fail on non-existent packageId -6. [Kevin Boyle](http://www.codeplex.com/site/users/view/KevinBoyleRG) ([@kevfromireland](https://twitter.com/kevfromireland)) - - [#3234](http://nuget.codeplex.com/workitem/3234) - Enable support for Nomad project -7. [Corin Blaikie](http://www.codeplex.com/site/users/view/corinblaikie) ([@corinblaikie](https://twitter.com/corinblaikie)) - - [#3252](http://nuget.codeplex.com/workitem/3252) - Fix push command fails with exit code 0 when file doesn't exist. -8. [Martin Veselý](http://www.codeplex.com/site/users/view/veselkamartin) - - [#3226](http://nuget.codeplex.com/workitem/3226) - Fix bug with Add-BindingRedirect command when a project references a database project. -9. [Miroslav Bajtos](http://www.codeplex.com/site/users/view/miroslavbajtos) ([@bajtos](https://twitter.com/bajtos)) - - [#2891](http://nuget.codeplex.com/workitem/2891) - Fix bug of nuget.pack parsing wildcard in the 'exclude' attribute incorrectly. -10. [Justin Dearing](http://www.codeplex.com/site/users/view/zippy1981) ([@zippy1981](https://twitter.com/zippy1981)) - - [#3307](http://nuget.codeplex.com/workitem/3307) - Fix bug `NuGet.targets` does not pass $(Platform) to nuget.exe when restoring packages. -11. [Brian Federici](http://www.codeplex.com/site/users/view/benerdin) - - [#3294](http://nuget.codeplex.com/workitem/3294) - Fix bug in nuget.exe package command which would allow adding files with the same name but different casing, eventually causing "Item already exists" exception. -12. [Daniel Cazzulino](http://www.codeplex.com/site/users/view/dcazzulino) ([@kzu](https://twitter.com/kzu)) - - [#2990](http://nuget.codeplex.com/workitem/2990) - Add Version property to NetPortableProfile class. -13. [David Simner](https://www.codeplex.com/site/users/view/DavidSimner) - - [#3460](https://nuget.codeplex.com/workitem/3460) - Fix bug NullReferenceException if requireApiKey = true, but the header X-NUGET-APIKEY isn't present -14. [Michael Friis](https://www.codeplex.com/site/users/view/friism) ([@friism](https://twitter.com/friism)) - - [#3278](https://nuget.codeplex.com/workitem/3278) - Fixes NuGet.Build targets file to so that it works correctly on MonoDevelop -15. [Pranav Krishnamoorthy](https://www.codeplex.com/site/users/view/pranavkm) ([@pranav_km](https://twitter.com/pranav_km)) + - ```[#3248](http://nuget.codeplex.com/workitem/3248)``` - Fix SharedPackageRepository FindPackage/FindPackagesById will fail on non-existent packageId +6. ```[Kevin Boyle](http://www.codeplex.com/site/users/view/KevinBoyleRG)``` ([@kevfromireland](https://twitter.com/kevfromireland)) + - ```[#3234](http://nuget.codeplex.com/workitem/3234)``` - Enable support for Nomad project +7. ```[Corin Blaikie](http://www.codeplex.com/site/users/view/corinblaikie)``` ([@corinblaikie](https://twitter.com/corinblaikie)) + - ```[#3252](http://nuget.codeplex.com/workitem/3252)``` - Fix push command fails with exit code 0 when file doesn't exist. +8. ```[Martin Veselý](http://www.codeplex.com/site/users/view/veselkamartin)``` + - ```[#3226](http://nuget.codeplex.com/workitem/3226)``` - Fix bug with Add-BindingRedirect command when a project references a database project. +9. ```[Miroslav Bajtos](http://www.codeplex.com/site/users/view/miroslavbajtos)``` ([@bajtos](https://twitter.com/bajtos)) + - ```[#2891](http://nuget.codeplex.com/workitem/2891)``` - Fix bug of nuget.pack parsing wildcard in the 'exclude' attribute incorrectly. +10. ```[Justin Dearing](http://www.codeplex.com/site/users/view/zippy1981)``` ([@zippy1981](https://twitter.com/zippy1981)) + - ```[#3307](http://nuget.codeplex.com/workitem/3307)``` - Fix bug `NuGet.targets` does not pass $(Platform) to nuget.exe when restoring packages. +11. ```[Brian Federici](http://www.codeplex.com/site/users/view/benerdin)``` + - ```[#3294](http://nuget.codeplex.com/workitem/3294)``` - Fix bug in nuget.exe package command which would allow adding files with the same name but different casing, eventually causing "Item already exists" exception. +12. ```[Daniel Cazzulino](http://www.codeplex.com/site/users/view/dcazzulino)``` ([@kzu](https://twitter.com/kzu)) + - ```[#2990](http://nuget.codeplex.com/workitem/2990)``` - Add Version property to NetPortableProfile class. +13. ```[David Simner](https://www.codeplex.com/site/users/view/DavidSimner)``` + - ```[#3460](https://nuget.codeplex.com/workitem/3460)``` - Fix bug NullReferenceException if requireApiKey = true, but the header X-NUGET-APIKEY isn't present +14. ```[Michael Friis](https://www.codeplex.com/site/users/view/friism)``` ([@friism](https://twitter.com/friism)) + - ```[#3278](https://nuget.codeplex.com/workitem/3278)``` - Fixes NuGet.Build targets file to so that it works correctly on MonoDevelop +15. ```[Pranav Krishnamoorthy](https://www.codeplex.com/site/users/view/pranavkm)``` ([@pranav_km](https://twitter.com/pranav_km)) - Improve Restore command performance by increasing parallelization ## Notable features in the release @@ -112,14 +112,14 @@ With each of the partners above, they would use their own copy of nuget.exe and #### Known Issues -There were two known issues with nuget.exe restore with the initial 2.7 release, but they were fixed on 9/6/2013 with an update to the [NuGet.CommandLine package](http://www.nuget.org/packages/NuGet.CommandLine/). This update is also available on the [NuGet 2.7 download page](https://nuget.codeplex.com/releases/view/107605) on CodePlex. Running `nuget.exe update -self` will update to the latest release. +There were two known issues with nuget.exe restore with the initial 2.7 release, but they were fixed on 9/6/2013 with an update to the [NuGet.CommandLine package](https://www.nuget.org/packages/NuGet.CommandLine/). This update is also available on the ```[NuGet 2.7 download page](https://nuget.codeplex.com/releases/view/107605)``` on CodePlex. Running `nuget.exe update -self` will update to the latest release. The fixed were: -1. [New package restore doesn't work on Mono when using SLN file](https://nuget.codeplex.com/workitem/3596) -1. [New package restore doesn't work with Wix projects](https://nuget.codeplex.com/workitem/3598) +1. ```[New package restore doesn't work on Mono when using SLN file](https://nuget.codeplex.com/workitem/3596)``` +1. ```[New package restore doesn't work with Wix projects](https://nuget.codeplex.com/workitem/3598)``` -There is also a known issue with the new package restore workflow whereby [Automatic Package Restore does not work for projects under a solution folder](https://nuget.codeplex.com/workitem/3625). This issue was fixed in NuGet 2.7.1. +There is also a known issue with the new package restore workflow whereby ```[Automatic Package Restore does not work for projects under a solution folder](https://nuget.codeplex.com/workitem/3625)```. This issue was fixed in NuGet 2.7.1. ### Project Retargeting and Upgrade Build Errors/Warnings @@ -187,8 +187,8 @@ The new package restore model in 2.7 is implemented by a new VSPackage which is Since we are unsure how many developers are still using NuGet in that version/edition of Visual Studio, we are publishing a separate Visual Studio extension specifically for those users and publishing it on CodePlex (rather than the Visual Studio Extension Gallery). We don't plan to continue to maintain that extension, but if this affects you please let us know by filing an issue on CodePlex. -To download the NuGet Package Manager (for Visual Studio 2010 Express for Windows Phone), visit the [NuGet 2.7 Downloads](https://nuget.codeplex.com/releases/view/107605) page. +To download the NuGet Package Manager (for Visual Studio 2010 Express for Windows Phone), visit the ```[NuGet 2.7 Downloads](https://nuget.codeplex.com/releases/view/107605)``` page. ### Bug Fixes -In addition to these features, this release of NuGet also includes many other bug fixes. There were 97 total issues addressed in the release. For a full list of work items fixed in NuGet 2.7, please view the [NuGet Issue Tracker for this release](https://nuget.codeplex.com/workitem/list/advanced?release=NuGet%202.7&status=all). +In addition to these features, this release of NuGet also includes many other bug fixes. There were 97 total issues addressed in the release. For a full list of work items fixed in NuGet 2.7, please view the ```[NuGet Issue Tracker for this release](https://nuget.codeplex.com/workitem/list/advanced?release=NuGet%202.7&status=all)```. diff --git a/docs/release-notes/NuGet-2.8.1.md b/docs/release-notes/NuGet-2.8.1.md index 3c21a451d..1b9cea406 100644 --- a/docs/release-notes/NuGet-2.8.1.md +++ b/docs/release-notes/NuGet-2.8.1.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 2.8.1 including known issues, bug fixes, ad author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 2.8.1 Release Notes @@ -27,7 +27,7 @@ This release updates the NuGet client found in WebMatrix to [NuGet.Core](https:/ For more information about the WebMatrix Extension update, see those specific [release notes](../release-notes/nuget-2.6.1-for-WebMatrix.md). ### Bug Fixes -In addition to these features, this release of NuGet includes other bug fixes. There were 16 total issues addressed in the release. For a full list of the work items fixed in NuGet 2.8.1, please view the [NuGet Issue Tracker for this release](https://nuget.codeplex.com/workitem/list/advanced?keyword=&status=All&type=All&priority=All&release=NuGet%202.8.1&assignedTo=All&component=All&sortField=LastUpdatedDate&sortDirection=Descending&page=0&reasonClosed=All). +In addition to these features, this release of NuGet includes other bug fixes. There were 16 total issues addressed in the release. For a full list of the work items fixed in NuGet 2.8.1, please view the ```[NuGet Issue Tracker for this release](https://nuget.codeplex.com/workitem/list/advanced?keyword=&status=All&type=All&priority=All&release=NuGet%202.8.1&assignedTo=All&component=All&sortField=LastUpdatedDate&sortDirection=Descending&page=0&reasonClosed=All)```. ### Reshipping with Visual Studio "14" CTP In Visual Studio "14" CTP released on June 3rd 2014, NuGet 2.8.1 is shipped in the box. The features it support remain in-par with other 2.8.1 VSIXes such as the one for Visual Studio 2013. diff --git a/docs/release-notes/NuGet-2.8.2.md b/docs/release-notes/NuGet-2.8.2.md index 2f9ddecaf..30fc16840 100644 --- a/docs/release-notes/NuGet-2.8.2.md +++ b/docs/release-notes/NuGet-2.8.2.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 2.8.2 including known issues, bug fixes, ad author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 2.8.2 Release Notes @@ -19,13 +19,13 @@ The most notable updates were in the nuget.exe command-line and the NuGet.Server ### Important nuget.exe Bug Fixes -1. [nuget.exe Push fails and keeps retrying](https://nuget.codeplex.com/workitem/4000) -1. [nuget.exe Push does not send Basic Auth credentials correctly](https://nuget.codeplex.com/workitem/4109) -1. [nuget.exe Push won't follow temporary redirect](https://nuget.codeplex.com/workitem/4050) +1. ```[nuget.exe Push fails and keeps retrying](https://nuget.codeplex.com/workitem/4000)``` +1. ```[nuget.exe Push does not send Basic Auth credentials correctly](https://nuget.codeplex.com/workitem/4109)``` +1. ```[nuget.exe Push won't follow temporary redirect](https://nuget.codeplex.com/workitem/4050)``` ### Important NuGet.Server Bug Fix -1. [Wrong value of IsAbsoluteLatestVersion returned by NuGet.Server](https://nuget.codeplex.com/workitem/4147) +1. ```[Wrong value of IsAbsoluteLatestVersion returned by NuGet.Server](https://nuget.codeplex.com/workitem/4147)``` ## Packages Updated @@ -40,4 +40,4 @@ Here's the list of updated packages: 1. [NuGet.VisualStudio](https://www.nuget.org/packages/NuGet.VisualStudio/) (the package, not the extension) ## All Changes -There were 10 issues addressed in the release. For a full list of the work items fixed in NuGet 2.8.2, please view the [NuGet Issue Tracker for this release](https://nuget.codeplex.com/workitem/list/advanced?keyword=&status=All&type=All&priority=All&release=NuGet%202.8.2&assignedTo=All&component=All&sortField=LastUpdatedDate&sortDirection=Descending&page=0&reasonClosed=All). +There were 10 issues addressed in the release. For a full list of the work items fixed in NuGet 2.8.2, please view the ```[NuGet Issue Tracker for this release](https://nuget.codeplex.com/workitem/list/advanced?keyword=&status=All&type=All&priority=All&release=NuGet%202.8.2&assignedTo=All&component=All&sortField=LastUpdatedDate&sortDirection=Descending&page=0&reasonClosed=All)```. diff --git a/docs/release-notes/NuGet-2.8.3.md b/docs/release-notes/NuGet-2.8.3.md index b8a55b515..85476d164 100644 --- a/docs/release-notes/NuGet-2.8.3.md +++ b/docs/release-notes/NuGet-2.8.3.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 2.8.3 including known issues, bug fixes, ad author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 2.8.3 Release Notes @@ -13,4 +13,4 @@ ms.topic: conceptual NuGet 2.8.3 was released October 17, 2014. It is a minor update to our 2.8.1 VSIX with some targeted fixes. -In this release, the support for NuGet Package Manager dialog was added for [ASP.NET vNext](http://www.asp.net/vnext), [DevExtreme](http://js.devexpress.com/) and [BizTalk (.btproj)](/biztalk/core/developing-biztalk-server-applications) project types. It also includes reliability bug fixes related to the scenarios of enabling package restore and saving package manager options. +In this release, the support for NuGet Package Manager dialog was added for [ASP.NET vNext](https://www.asp.net/vnext), [DevExtreme](https://js.devexpress.com/) and [BizTalk (.btproj)](/biztalk/core/developing-biztalk-server-applications) project types. It also includes reliability bug fixes related to the scenarios of enabling package restore and saving package manager options. diff --git a/docs/release-notes/NuGet-2.8.5.md b/docs/release-notes/NuGet-2.8.5.md index d034ac0f3..8952af0db 100644 --- a/docs/release-notes/NuGet-2.8.5.md +++ b/docs/release-notes/NuGet-2.8.5.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 2.8.5 including known issues, bug fixes, ad author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 2.8.5 Release Notes @@ -22,4 +22,4 @@ In this release, the support for NuGet Package Manager dialog was added for [DNX One bug was fixed that prevented packages from installing into FSharp projects properly: -https://nuget.codeplex.com/workitem/4400 \ No newline at end of file +```https://nuget.codeplex.com/workitem/4400``` diff --git a/docs/release-notes/NuGet-2.8.6.md b/docs/release-notes/NuGet-2.8.6.md index dbe2f5ee2..2d009fd6d 100644 --- a/docs/release-notes/NuGet-2.8.6.md +++ b/docs/release-notes/NuGet-2.8.6.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 2.8.6 including known issues, bug fixes, ad author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 2.8.6 Release Notes @@ -20,4 +20,4 @@ In this release, the NuGet Package Manager dialog had support added for: * Introduced the UAP Target Framework Moniker to support Windows 10 Application Development. * NuGet protocol version 3 endpoints * Support for [Nuget.Config](../consume-packages/configuring-nuget-behavior.md) protocolVersion attribute on repository sources. Default value is "2" -* Falling back to remote repository if a required package version is not available in the local cache \ No newline at end of file +* Falling back to remote repository if a required package version is not available in the local cache diff --git a/docs/release-notes/NuGet-2.8.7.md b/docs/release-notes/NuGet-2.8.7.md index cb3dde359..7eba6482a 100644 --- a/docs/release-notes/NuGet-2.8.7.md +++ b/docs/release-notes/NuGet-2.8.7.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 2.8.7 including known issues, bug fixes, ad author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 2.8.7 Release Notes @@ -12,4 +12,4 @@ ms.topic: conceptual [NuGet 2.8.6 Release Notes](../release-notes/nuget-2.8.6.md) | [NuGet 2.9-RC Release Notes](../release-notes/nuget-2.9-RC.md) NuGet 2.8.7 was released July 27, 2015 as a patch update to the 2.8.6 VSIX with fix specific to a bug that effected Powershell policy implementation. -[https://github.com/NuGet/Home/issues/974](https://github.com/NuGet/Home/issues/974) \ No newline at end of file +[https://github.com/NuGet/Home/issues/974](https://github.com/NuGet/Home/issues/974) diff --git a/docs/release-notes/NuGet-2.8.md b/docs/release-notes/NuGet-2.8.md index c7c2411df..950ad8ac6 100644 --- a/docs/release-notes/NuGet-2.8.md +++ b/docs/release-notes/NuGet-2.8.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 2.8 including known issues, bug fixes, adde author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 2.8 Release Notes @@ -15,23 +15,23 @@ NuGet 2.8 was released on January 29, 2014. ## Acknowledgements -1. [Llewellyn Pritchard](https://www.codeplex.com/site/users/view/leppie) ([@leppie](https://twitter.com/leppie)) - - [#3466](https://nuget.codeplex.com/workitem/3466) - When packing packages, verifying Id of dependency packages. -2. [Maarten Balliauw](https://www.codeplex.com/site/users/view/maartenba) ([@maartenballiauw](https://twitter.com/maartenballiauw)) - - [#2379](https://nuget.codeplex.com/workitem/2379) - Remove the $metadata suffix when persistening feed credentials. -3. [Filip De Vos](https://www.codeplex.com/site/users/view/FilipDeVos) ([@foxtricks](https://twitter.com/foxtricks)) - - [#3538](http://nuget.codeplex.com/workitem/3538) - Support specifying project file for the nuget.exe update command. -4. [Juan Gonzalez](https://www.codeplex.com/site/users/view/jjgonzalez) - - [#3536](http://nuget.codeplex.com/workitem/3536) - Replacement tokens not passed with -IncludeReferencedProjects. -5. [David Poole](https://www.codeplex.com/site/users/view/Sarkie) ([@Sarkie_Dave](https://twitter.com/Sarkie_Dave)) - - [#3677](http://nuget.codeplex.com/workitem/3677) - Fix nuget.push throwing OutOfMemoryException when pushing large package. -6. [Wouter Ouwens](https://www.codeplex.com/site/users/view/Despotes) - - [#3666](http://nuget.codeplex.com/workitem/3666) - Fix incorrect target path when project references another CLI/C++ project. -7. [Adam Ralph](http://www.codeplex.com/site/users/view/adamralph) ([@adamralph](https://twitter.com/adamralph)) - - [#3639](https://nuget.codeplex.com/workitem/3639) - Allow packages to be installed as development dependencies by default -8. [David Fowler](https://www.codeplex.com/site/users/view/dfowler) ([@davidfowl](https://twitter.com/davidfowl)) - - [#3717](https://nuget.codeplex.com/workitem/3717) - Remove implicit upgrades to the latest patch version -9. [Gregory Vandenbrouck](https://www.codeplex.com/site/users/view/vdbg) +1. ```[Llewellyn Pritchard](https://www.codeplex.com/site/users/view/leppie)``` ([@leppie](https://twitter.com/leppie)) + - ```[#3466](https://nuget.codeplex.com/workitem/3466)``` - When packing packages, verifying Id of dependency packages. +2. ```[Maarten Balliauw](https://www.codeplex.com/site/users/view/maartenba)``` ([@maartenballiauw](https://twitter.com/maartenballiauw)) + - ```[#2379](https://nuget.codeplex.com/workitem/2379)``` - Remove the $metadata suffix when persistening feed credentials. +3. ```[Filip De Vos](https://www.codeplex.com/site/users/view/FilipDeVos)``` ([@foxtricks](https://twitter.com/foxtricks)) + - ```[#3538](http://nuget.codeplex.com/workitem/3538)``` - Support specifying project file for the nuget.exe update command. +4. ```[Juan Gonzalez](https://www.codeplex.com/site/users/view/jjgonzalez)``` + - ```[#3536](http://nuget.codeplex.com/workitem/3536)``` - Replacement tokens not passed with -IncludeReferencedProjects. +5. ```[David Poole](https://www.codeplex.com/site/users/view/Sarkie)``` ([@Sarkie_Dave](https://twitter.com/Sarkie_Dave)) + - ```[#3677](http://nuget.codeplex.com/workitem/3677)``` - Fix nuget.push throwing OutOfMemoryException when pushing large package. +6. ```[Wouter Ouwens](https://www.codeplex.com/site/users/view/Despotes)``` + - ```[#3666](http://nuget.codeplex.com/workitem/3666)``` - Fix incorrect target path when project references another CLI/C++ project. +7. ```[Adam Ralph](http://www.codeplex.com/site/users/view/adamralph)``` ([@adamralph](https://twitter.com/adamralph)) + - ```[#3639](https://nuget.codeplex.com/workitem/3639)``` - Allow packages to be installed as development dependencies by default +8. ```[David Fowler](https://www.codeplex.com/site/users/view/dfowler)``` ([@davidfowl](https://twitter.com/davidfowl)) + - ```[#3717](https://nuget.codeplex.com/workitem/3717)``` - Remove implicit upgrades to the latest patch version +9. ```[Gregory Vandenbrouck](https://www.codeplex.com/site/users/view/vdbg)``` - Several bug fixes and improvements for NuGet.Server, the nuget.exe mirror command, and others. - This work was done over several months, with Gregory working with us on the right timing to integrate into master for 2.8. @@ -100,7 +100,7 @@ When developing applications for multiple target platforms, it's common to have ## Fallback to Local Cache -Though NuGet packages are typically consumed from a remote gallery such as [the NuGet gallery](http://www.nuget.org/) using a network connection, there are many scenarios where the client is not connected. Without a network connection, the NuGet client was not able to successfully install packages - even when those packages were already on the client's machine in the local NuGet cache. NuGet 2.8 adds automatic cache fallback to the package manager console. For example, when disconnecting the network adapter and installing jQuery, the console shows the following: +Though NuGet packages are typically consumed from a remote gallery such as [the NuGet gallery](https://www.nuget.org/) using a network connection, there are many scenarios where the client is not connected. Without a network connection, the NuGet client was not able to successfully install packages - even when those packages were already on the client's machine in the local NuGet cache. NuGet 2.8 adds automatic cache fallback to the package manager console. For example, when disconnecting the network adapter and installing jQuery, the console shows the following: ``` PM> Install-Package jquery @@ -131,4 +131,4 @@ This is the NuGet team's first release of the NuGet Package Manager extension fo One of the major bug fixes made was performance improvement in the update-package -reinstall command. -In addition to these features and the aforementioned performance fix, this release of NuGet also includes many other bug fixes. There were 181 total issues addressed in the release. For a full list of the work items fixed in NuGet 2.8, please view the [NuGet Issue Tracker for this release](https://nuget.codeplex.com/workitem/list/advanced?release=NuGet%202.8&status=all). +In addition to these features and the aforementioned performance fix, this release of NuGet also includes many other bug fixes. There were 181 total issues addressed in the release. For a full list of the work items fixed in NuGet 2.8, please view the ```[NuGet Issue Tracker for this release](https://nuget.codeplex.com/workitem/list/advanced?release=NuGet%202.8&status=all)```. diff --git a/docs/release-notes/NuGet-2.9-RC.md b/docs/release-notes/NuGet-2.9-RC.md index 8ba73ad39..a4c2a3ebb 100644 --- a/docs/release-notes/NuGet-2.9-RC.md +++ b/docs/release-notes/NuGet-2.9-RC.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 2.9 RC including known issues, bug fixes, a author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 2.9-RC Release Notes diff --git a/docs/release-notes/NuGet-3.0-Beta.md b/docs/release-notes/NuGet-3.0-Beta.md index 7ef229604..0cd6ff14a 100644 --- a/docs/release-notes/NuGet-3.0-Beta.md +++ b/docs/release-notes/NuGet-3.0-Beta.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 3.0 Beta including known issues, bug fixes, author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 3.0 Beta Release Notes @@ -13,11 +13,11 @@ ms.topic: conceptual NuGet 3.0 Beta was released on February 23, 2015 for the Visual Studio 2015 CTP 6 release. This release means a lot to our team, as we have a number of architecture and performance improvements to share, and we're excited to start tuning the performance settings on our nuget.org service. -We strongly recommend that you uninstall any prior version of the NuGet Visual Studio 2015 extension before installing this new version. If you have any problems with this version of the extension, we recommend you revert to the [prior version](http://nuget.codeplex.com/downloads/get/909582) for use with Visual Studio 2015 preview. +We strongly recommend that you uninstall any prior version of the NuGet Visual Studio 2015 extension before installing this new version. If you have any problems with this version of the extension, we recommend you revert to the ```[prior version](http://nuget.codeplex.com/downloads/get/909582)``` for use with Visual Studio 2015 preview. ## Visual Studio 2012+ -This NuGet 3.0 Beta is available to install in the Visual Studio 2015 CTP 6 Extension Gallery. We are working to get preview drops out for Visual Studio 2012 and Visual Studio 2013 very soon. We previously shared our intent to [discontinue updates for Visual Studio 2010](http://blog.nuget.org/20141002/visual-studio-2010.html), and we did make that difficult decision. +This NuGet 3.0 Beta is available to install in the Visual Studio 2015 CTP 6 Extension Gallery. We are working to get preview drops out for Visual Studio 2012 and Visual Studio 2013 very soon. We previously shared our intent to [discontinue updates for Visual Studio 2010](https://blog.nuget.org/20141002/visual-studio-2010.html), and we did make that difficult decision. ## New Client/Server API @@ -51,4 +51,4 @@ We have now rearchitected our NuGet clients into several components that are the ## Stay Tuned -Please keep an eye on [our blog](http://blog.nuget.org) for more progress and announcements for NuGet 3.0! +Please keep an eye on [our blog](https://blog.nuget.org) for more progress and announcements for NuGet 3.0! diff --git a/docs/release-notes/NuGet-3.0-Preview.md b/docs/release-notes/NuGet-3.0-Preview.md index 8966e007d..00f990e0f 100644 --- a/docs/release-notes/NuGet-3.0-Preview.md +++ b/docs/release-notes/NuGet-3.0-Preview.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 3.0 Preview including known issues, bug fix author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 3.0 Preview Release Notes @@ -15,7 +15,7 @@ NuGet 3.0 Preview was released on November 12, 2014 as part of the Visual Studio ## Visual Studio 2012+ -This NuGet 3.0 Preview is included in Visual Studio 2015 Preview. We are working to get preview drops out for Visual Studio 2012 and Visual Studio 2013 very soon. We previously shared our intent to [discontinue updates for Visual Studio 2010](http://blog.nuget.org/20141002/visual-studio-2010.html), and we did make that difficult decision. +This NuGet 3.0 Preview is included in Visual Studio 2015 Preview. We are working to get preview drops out for Visual Studio 2012 and Visual Studio 2013 very soon. We previously shared our intent to [discontinue updates for Visual Studio 2010](https://blog.nuget.org/20141002/visual-studio-2010.html), and we did make that difficult decision. ## Brand New UI @@ -113,11 +113,11 @@ Despite the investment we're putting into API v3, we've made all of these new fe Between now and 3.0 RTM, we are also working on some fundamental new NuGet features, beyond what you see in the UI. Here's a short list of salient investment areas: -1. We're partnering with the Visual Studio and MSBuild teams to get [NuGet deeper into the platform](http://blog.nuget.org/20141014/in-the-platform.html). -1. We're working to abandon installation-time package conventions and instead apply those conventions at packaging time by introducing a new "authoritative" [package manifest](http://blog.nuget.org/20141023/package-manifests.html). +1. We're partnering with the Visual Studio and MSBuild teams to get [NuGet deeper into the platform](https://blog.nuget.org/20141014/in-the-platform.html). +1. We're working to abandon installation-time package conventions and instead apply those conventions at packaging time by introducing a new "authoritative" [package manifest](https://blog.nuget.org/20141023/package-manifests.html). 1. We're working to refactor the NuGet codebase to make the client and server components reusable in different domains beyond package management in Visual Studio. 1. We're investigating the notion of "private dependencies" where a package can indicate that it has dependencies on other packages for implementation details only, and those dependencies shouldn't be surfaced as top-level dependencies. ## Stay Tuned -Please keep an eye on [our blog](http://blog.nuget.org) for more progress and announcements for NuGet 3.0! \ No newline at end of file +Please keep an eye on [our blog](https://blog.nuget.org) for more progress and announcements for NuGet 3.0! diff --git a/docs/release-notes/NuGet-3.0-RC.md b/docs/release-notes/NuGet-3.0-RC.md index 251214c8e..867f4269b 100644 --- a/docs/release-notes/NuGet-3.0-RC.md +++ b/docs/release-notes/NuGet-3.0-RC.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 3.0 RC including known issues, bug fixes, a author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 3.0 RC Release Notes @@ -32,9 +32,9 @@ In order to stabilize the NuGet clients, we resolved many issues as part of this ## GitHub presence overhaul -We've made some changes to our [source code repositories on GitHub](http://github.com/nuget/home). If you have any issues with the NuGet Visual Studio client, the Powershell commands, or the command-line executable you can log those issues and monitor their progress on our [GitHub Home repository issues list](http://github.com/nuget/home/issues). We are tracking issues for the gallery in our [GitHub NuGetGallery repository](http://github.com/nuget/NuGetGallery/issues). +We've made some changes to our [source code repositories on GitHub](https://github.com/nuget/home). If you have any issues with the NuGet Visual Studio client, the Powershell commands, or the command-line executable you can log those issues and monitor their progress on our [GitHub Home repository issues list](https://github.com/nuget/home/issues). We are tracking issues for the gallery in our [GitHub NuGetGallery repository](https://github.com/nuget/NuGetGallery/issues). ## Stay Tuned -Please keep an eye on [our blog](http://blog.nuget.org) for more progress and announcements for NuGet 3.0! \ No newline at end of file +Please keep an eye on [our blog](https://blog.nuget.org) for more progress and announcements for NuGet 3.0! diff --git a/docs/release-notes/NuGet-3.0-RC2.md b/docs/release-notes/NuGet-3.0-RC2.md index 3f89104a1..193ae5190 100644 --- a/docs/release-notes/NuGet-3.0-RC2.md +++ b/docs/release-notes/NuGet-3.0-RC2.md @@ -4,14 +4,14 @@ description: Release notes for NuGet 3.0 RC2 including known issues, bug fixes, author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 3.0 RC2 Release Notes [NuGet 3.0 RC Release Notes](../release-notes/nuget-3.0-RC.md) | [NuGet 3.0 Release Notes](../release-notes/nuget-3.0.0.md) -NuGet 3.0 RC2 was released on June 3, 2015 as an interim release available from the Visual Studio 2015 Extension Gallery and [Codeplex](https://nuget.codeplex.com/releases/view/615507). This release has a number of important bug fixes and performance improvements that we felt were important to release before the completed Visual Studio 2015 release. This NuGet extension version is only available for Visual Studio 2015. +NuGet 3.0 RC2 was released on June 3, 2015 as an interim release available from the Visual Studio 2015 Extension Gallery and ```[Codeplex](https://nuget.codeplex.com/releases/view/615507)```. This release has a number of important bug fixes and performance improvements that we felt were important to release before the completed Visual Studio 2015 release. This NuGet extension version is only available for Visual Studio 2015. In total, we closed 158 issues in this release, and you can review the [complete list of issues on GitHub](https://github.com/NuGet/Home/issues?utf8=%E2%9C%93&q=is%3Aclosed+milestone%3A3.0.0-RTM+sort%3Aupdated-asc+updated%3A%3C%3D2015-06-01). @@ -31,4 +31,4 @@ In total, we closed 158 issues in this release, and you can review the [complete * [Improved error logging](https://github.com/NuGet/Home/issues/407) * [Improved powershell error messages when calling Update-Package](https://github.com/NuGet/Home/issues/5) -Download this [update to the NuGet extension](https://nuget.codeplex.com/releases/view/615507) from Codeplex and please keep an eye on [our blog](http://blog.nuget.org) for more progress and announcements for NuGet 3.0! \ No newline at end of file +Download this ```[update to the NuGet extension](https://nuget.codeplex.com/releases/view/615507)``` from Codeplex and please keep an eye on [our blog](https://blog.nuget.org) for more progress and announcements for NuGet 3.0! diff --git a/docs/release-notes/NuGet-3.0.0.md b/docs/release-notes/NuGet-3.0.0.md index 664e02e3c..a404510af 100644 --- a/docs/release-notes/NuGet-3.0.0.md +++ b/docs/release-notes/NuGet-3.0.0.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 3.0.0 including known issues, bug fixes, ad author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 3.0 Release Notes @@ -49,4 +49,4 @@ There were a number of known issues delivered with this release, and all of thes * [Multiple Packages can be gathered in parallel](https://github.com/NuGet/Home/issues/713) * [Removed install-package -force command](https://github.com/NuGet/Home/issues/697) -Please keep an eye on [our blog](http://blog.nuget.org) for more progress and announcements as we get ready to deliver support for Windows 10 development. \ No newline at end of file +Please keep an eye on [our blog](https://blog.nuget.org) for more progress and announcements as we get ready to deliver support for Windows 10 development. diff --git a/docs/release-notes/NuGet-3.1.1.md b/docs/release-notes/NuGet-3.1.1.md index 3331410e0..d755e1cd1 100644 --- a/docs/release-notes/NuGet-3.1.1.md +++ b/docs/release-notes/NuGet-3.1.1.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 3.1.1 including known issues, bug fixes, ad author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 3.1.1 Release Notes @@ -12,4 +12,4 @@ ms.topic: conceptual [NuGet 3.1 Release Notes](../release-notes/nuget-3.1.md) | [NuGet 3.2-RC Release Notes](../release-notes/nuget-3.2-RC.md) NuGet 3.1.1 was released July 27, 2015 as a patch update to the 3.1 VSIX with fix specific to a bug that effected Powershell policy implementation. -[https://github.com/NuGet/Home/issues/974](https://github.com/NuGet/Home/issues/974) \ No newline at end of file +[https://github.com/NuGet/Home/issues/974](https://github.com/NuGet/Home/issues/974) diff --git a/docs/release-notes/NuGet-3.1.md b/docs/release-notes/NuGet-3.1.md index 6164bae11..db0f53466 100644 --- a/docs/release-notes/NuGet-3.1.md +++ b/docs/release-notes/NuGet-3.1.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 3.1 including known issues, bug fixes, adde author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 3.1 Release Notes @@ -48,7 +48,7 @@ There were a number of known issues delivered with this release. ## NuGet Command-line -The NuGet command-line executable was updated and moved to a new distributable location so that historical versions of nuget.exe can continue to be made available. You can download the 3.1 beta version of nuget.exe for Windows at: [http://dist.nuget.org/win-x86-commandline/v3.1.0-beta/nuget.exe](http://dist.nuget.org/win-x86-commandline/v3.1.0-beta/nuget.exe) +The NuGet command-line executable was updated and moved to a new distributable location so that historical versions of nuget.exe can continue to be made available. You can download the 3.1 beta version of nuget.exe for Windows at: [https://dist.nuget.org/win-x86-commandline/v3.1.0-beta/nuget.exe](https://dist.nuget.org/win-x86-commandline/v3.1.0-beta/nuget.exe) The new distributable location resides on the dist.nuget.org host, with a folder structure that follows this template: @@ -66,4 +66,4 @@ The new distributable location resides on the dist.nuget.org host, with a folder 1. Cannot execute pack against a `project.json` file - [928](https://github.com/NuGet/Home/issues/928) 2. Is not supported on Mono - [1059](https://github.com/NuGet/Home/issues/1059) 3. Is not localized - [1058](https://github.com/NuGet/Home/issues/1058), [1057](https://github.com/NuGet/Home/issues/1057) -4. Is not signed, just like the existing http://nuget.org/nuget.exe - [1073](https://github.com/NuGet/Home/issues/1073) +4. Is not signed, just like the existing https://nuget.org/nuget.exe - [1073](https://github.com/NuGet/Home/issues/1073) diff --git a/docs/release-notes/NuGet-3.2-RC.md b/docs/release-notes/NuGet-3.2-RC.md index 5818ef1ca..28f9dd082 100644 --- a/docs/release-notes/NuGet-3.2-RC.md +++ b/docs/release-notes/NuGet-3.2-RC.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 3.2 RC including known issues, bug fixes, a author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 3.2 RC Release Notes @@ -111,4 +111,4 @@ A complete list of issues addressed for the Visual Studio extension can be found ## Known Issues -We continue to track issues on our GitHub issues list which can be found at: [http://github.com/nuget/home/issues](http://github.com/nuget/home/issues) \ No newline at end of file +We continue to track issues on our GitHub issues list which can be found at: [https://github.com/nuget/home/issues](https://github.com/nuget/home/issues) diff --git a/docs/release-notes/NuGet-3.2.1.md b/docs/release-notes/NuGet-3.2.1.md index 38d5a4564..543ed8742 100644 --- a/docs/release-notes/NuGet-3.2.1.md +++ b/docs/release-notes/NuGet-3.2.1.md @@ -4,14 +4,14 @@ description: Release notes for NuGet 3.2.1 including known issues, bug fixes, ad author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 3.2.1 Release Notes [NuGet 3.2 Release Notes](../release-notes/nuget-3.2.md) | [NuGet 3.3 Release Notes](../release-notes/nuget-3.3.md) -NuGet 3.2.1 for the command-line was released October 12, 2015 with a handful of optimizations and fixes for the 3.2 release and is available from [dist.nuget.org](http://dist.nuget.org/index.html). +NuGet 3.2.1 for the command-line was released October 12, 2015 with a handful of optimizations and fixes for the 3.2 release and is available from [dist.nuget.org](https://dist.nuget.org/index.html). ## Improvements @@ -30,4 +30,4 @@ A complete list of issues addressed for the command-line and Visual Studio exten ## Known Issues -We continue to track issues on our GitHub issues list which can be found at: [http://github.com/nuget/home/issues](http://github.com/nuget/home/issues) \ No newline at end of file +We continue to track issues on our GitHub issues list which can be found at: [https://github.com/nuget/home/issues](https://github.com/nuget/home/issues) diff --git a/docs/release-notes/NuGet-3.2.md b/docs/release-notes/NuGet-3.2.md index 4601f808c..48afecf3f 100644 --- a/docs/release-notes/NuGet-3.2.md +++ b/docs/release-notes/NuGet-3.2.md @@ -4,14 +4,14 @@ description: Release notes for NuGet 3.2 including known issues, bug fixes, adde author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 3.2 Release Notes [NuGet 3.2-RC Release Notes](../release-notes/nuget-3.2-RC.md) | [NuGet 3.2.1 Release Notes](../release-notes/nuget-3.2.1.md) -NuGet 3.2 was released September 16, 2015 as a collection of improvements and fixes for the 3.1.1 release and is available from both [dist.nuget.org](http://dist.nuget.org/index.html) and the [Visual Studio Gallery](https://marketplace.visualstudio.com/items?itemName=NuGetTeam.NuGetPackageManagerforVisualStudio2015). +NuGet 3.2 was released September 16, 2015 as a collection of improvements and fixes for the 3.1.1 release and is available from both [dist.nuget.org](https://dist.nuget.org/index.html) and the [Visual Studio Gallery](https://marketplace.visualstudio.com/items?itemName=NuGetTeam.NuGetPackageManagerforVisualStudio2015). ## New Features @@ -109,4 +109,4 @@ A complete list of issues addressed for the Visual Studio extension can be found ## Known Issues -We continue to track issues on our GitHub issues list which can be found at: [http://github.com/nuget/home/issues](http://github.com/nuget/home/issues) \ No newline at end of file +We continue to track issues on our GitHub issues list which can be found at: [https://github.com/nuget/home/issues](https://github.com/nuget/home/issues) diff --git a/docs/release-notes/NuGet-3.3.md b/docs/release-notes/NuGet-3.3.md index c47b4eeff..f9e990a61 100644 --- a/docs/release-notes/NuGet-3.3.md +++ b/docs/release-notes/NuGet-3.3.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 3.3 including known issues, bug fixes, adde author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 3.3 Release Notes @@ -32,7 +32,7 @@ NuGet 3.3 was released November 30, 2015 with a significant number of user inter ## New Command-line Features -In this version we introduced the `add` and `init` commands to initialize folder-based repositories as described in the [nuget.exe reference](../reference/nuget-exe-cli-reference.md). Repositories that are constructed and maintained with this folder structure will [deliver significant performance benefits](http://blog.nuget.org/20150922/Accelerate-Package-Source.html) as outlined on our blog. +In this version we introduced the `add` and `init` commands to initialize folder-based repositories as described in the [nuget.exe reference](../reference/nuget-exe-cli-reference.md). Repositories that are constructed and maintained with this folder structure will [deliver significant performance benefits](https://blog.nuget.org/20150922/Accelerate-Package-Source.html) as outlined on our blog. ## ContentFiles @@ -54,4 +54,4 @@ The list of issues fixed in the 3.3 command-line release are recorded in the [3. ## Known Issues -We continue to track issues on our GitHub issues list which can be found at: [http://github.com/nuget/home/issues](http://github.com/nuget/home/issues) \ No newline at end of file +We continue to track issues on our GitHub issues list which can be found at: [https://github.com/nuget/home/issues](https://github.com/nuget/home/issues) diff --git a/docs/release-notes/NuGet-3.4-RC.md b/docs/release-notes/NuGet-3.4-RC.md index de0e9bc03..8e7e10089 100644 --- a/docs/release-notes/NuGet-3.4-RC.md +++ b/docs/release-notes/NuGet-3.4-RC.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 3.4 RC including known issues, bug fixes, a author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 3.4-RC Release Notes @@ -43,4 +43,4 @@ The following features are available in this RC, with more planned for the 3.4 f ## Known Issues -We continue to track issues on our GitHub issues list which can be found at: [http://github.com/nuget/home/issues](http://github.com/nuget/home/issues) \ No newline at end of file +We continue to track issues on our GitHub issues list which can be found at: [https://github.com/nuget/home/issues](https://github.com/nuget/home/issues) diff --git a/docs/release-notes/NuGet-3.4.1.md b/docs/release-notes/NuGet-3.4.1.md index f7bef3f6f..2d9ddc85f 100644 --- a/docs/release-notes/NuGet-3.4.1.md +++ b/docs/release-notes/NuGet-3.4.1.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 3.4.1 including known issues, bug fixes, ad author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 3.4.1 Release Notes @@ -19,4 +19,4 @@ NuGet 3.4.1 was released March 30, 2016 at the same time as the Visual Studio 20 * Corrected an issue with Visual Studio locating `lucene.net.dll` * All sources should not be the default repository source after a NuGet extension install or update. You can opt-in to this feature from the configuration settings. -We continue to track issues on our GitHub issues list which can be found at: [http://github.com/nuget/home/issues](http://github.com/nuget/home/issues) \ No newline at end of file +We continue to track issues on our GitHub issues list which can be found at: [https://github.com/nuget/home/issues](https://github.com/nuget/home/issues) diff --git a/docs/release-notes/NuGet-3.4.2.md b/docs/release-notes/NuGet-3.4.2.md index f1914888f..ace3e38a3 100644 --- a/docs/release-notes/NuGet-3.4.2.md +++ b/docs/release-notes/NuGet-3.4.2.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 3.4.2 including known issues, bug fixes, ad author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 3.4.2 Release Notes @@ -40,4 +40,4 @@ These issues will be fixed early next week before we hit RTM. * Running nuget delete command on a package using the V2 feed will fail. Use V3 feed instead. -For the complete list of fixes and improvements in this release, check out the list of issues [here](https://github.com/NuGet/Home/issues?utf8=%E2%9C%93&q=is%3Aissue+milestone%3A3.4.2++is%3Aclosed+). \ No newline at end of file +For the complete list of fixes and improvements in this release, check out the list of issues [here](https://github.com/NuGet/Home/issues?utf8=%E2%9C%93&q=is%3Aissue+milestone%3A3.4.2++is%3Aclosed+). diff --git a/docs/release-notes/NuGet-3.4.3.md b/docs/release-notes/NuGet-3.4.3.md index b190f78b9..0e1471ab6 100644 --- a/docs/release-notes/NuGet-3.4.3.md +++ b/docs/release-notes/NuGet-3.4.3.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 3.4.3 including known issues, bug fixes, ad author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 3.4.3 Release Notes @@ -27,4 +27,4 @@ You can download both the VSIX and nuget.exe [here](https://dist.nuget.org/index * Fixed an issue that caused restore failures in C++/CLI projects with `project.json`. * Some packages (E.g ModernHttpClient) where not being unzipped correctly when you use nuget in mono. This has now been fixed in this release. -For the complete list of fixes and improvements in this release, check out the list of issues [here](https://github.com/NuGet/Home/issues?q=is%3Aissue+milestone%3A3.4.3+is%3Aclosed). \ No newline at end of file +For the complete list of fixes and improvements in this release, check out the list of issues [here](https://github.com/NuGet/Home/issues?q=is%3Aissue+milestone%3A3.4.3+is%3Aclosed). diff --git a/docs/release-notes/NuGet-3.4.4.md b/docs/release-notes/NuGet-3.4.4.md index cd1396dd8..ac831086e 100644 --- a/docs/release-notes/NuGet-3.4.4.md +++ b/docs/release-notes/NuGet-3.4.4.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 3.4.4 including known issues, bug fixes, ad author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 3.4.4 Release Notes @@ -32,4 +32,4 @@ You can download both the VSIX and nuget.exe [here](https://dist.nuget.org/index - Updating `NuGet.Core.dll` version to 2.12.0 to fix XML issue [\#594](https://github.com/NuGet/NuGet.Client/pull/594) - Support ./NuGet.CommandLine.XPlat -v \ \ [\#593](https://github.com/NuGet/NuGet.Client/pull/593) - Display error restoring without `project.json` or `packages.config` [\#590](https://github.com/NuGet/NuGet.Client/pull/590) -- Fixing dependency versions when required versions differ [\#559](https://github.com/NuGet/NuGet.Client/pull/559) \ No newline at end of file +- Fixing dependency versions when required versions differ [\#559](https://github.com/NuGet/NuGet.Client/pull/559) diff --git a/docs/release-notes/NuGet-3.4.md b/docs/release-notes/NuGet-3.4.md index 13aa7651e..a9e55c5df 100644 --- a/docs/release-notes/NuGet-3.4.md +++ b/docs/release-notes/NuGet-3.4.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 3.4 including known issues, bug fixes, adde author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 3.4 Release Notes @@ -54,11 +54,11 @@ The following features were previously added in the RC and have been updated or * Loading projects that have an init.ps1 script (like EntityFramework) * Publishing web content -* **Workaround:** Ensure that your Windows 10 install has the latest patches applied, expecially the January 2016 (KB 3124263) or a later update. More details are available on [GitHub issue #1638](http://github.com/nuget/home/issues/1638) +* **Workaround:** Ensure that your Windows 10 install has the latest patches applied, expecially the January 2016 (KB 3124263) or a later update. More details are available on [GitHub issue #1638](https://github.com/nuget/home/issues/1638) * **Issue:** NuGet v2 protocol redirects are broken. Custom NuGet repositories that redirect requests to an alternative host do not honor the redirect request. * **Workaround:** To work around this issue, configure the package repository URI in settings to point to the redirected server location. For more information, see [GitHub pull request #387](https://github.com/NuGet/NuGet.Client/pull/387). -We continue to track issues on our GitHub issues list which can be found at: [http://github.com/nuget/home/issues](http://github.com/nuget/home/issues) \ No newline at end of file +We continue to track issues on our GitHub issues list which can be found at: [https://github.com/nuget/home/issues](https://github.com/nuget/home/issues) diff --git a/docs/release-notes/NuGet-3.5-Beta.md b/docs/release-notes/NuGet-3.5-Beta.md index 2a22bf74d..5d69352d7 100644 --- a/docs/release-notes/NuGet-3.5-Beta.md +++ b/docs/release-notes/NuGet-3.5-Beta.md @@ -4,14 +4,14 @@ description: Release notes for NuGet 3.5 Beta including known issues, bug fixes, author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 3.5 Beta Release Notes [NuGet 3.4 Release Notes](../release-notes/nuget-3.4.md) | [NuGet 3.5-Beta2 Release Notes](../release-notes/nuget-3.5-Beta2.md) -NuGet 3.5 Beta was released on May 16, 2016 as part of the ASP.NET Core Preview Tooling wave. This release adds support for .NET Core RC2 and ASP.NET Core RC2. For more information about this release please refer to [http://dot.net](http://dot.net). +NuGet 3.5 Beta was released on May 16, 2016 as part of the ASP.NET Core Preview Tooling wave. This release adds support for .NET Core RC2 and ASP.NET Core RC2. For more information about this release please refer to [http://dot.net](https://dot.net). You can download both the VSIX and nuget.exe [here](https://dist.nuget.org/index.html). @@ -23,4 +23,4 @@ NuGet 3.5 Beta is a superset of the changes introduced in the 3.4.3 release. For ## Fixes -* The list of fixes and improvements in this release, is given [here](https://github.com/NuGet/Home/issues?q=is%3Aissue+milestone%3A%223.5+Beta%22+is%3Aclosed). \ No newline at end of file +* The list of fixes and improvements in this release, is given [here](https://github.com/NuGet/Home/issues?q=is%3Aissue+milestone%3A%223.5+Beta%22+is%3Aclosed). diff --git a/docs/release-notes/NuGet-3.5-Beta2.md b/docs/release-notes/NuGet-3.5-Beta2.md index 23b01454d..7cf76b2cb 100644 --- a/docs/release-notes/NuGet-3.5-Beta2.md +++ b/docs/release-notes/NuGet-3.5-Beta2.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 3.5 Beta 2 including known issues, bug fixe author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 3.5 Beta2 Release Notes @@ -85,4 +85,4 @@ NuGet 3.5 Beta 2 RTM was released June 27, 2016 for Visual Studio 2013 and nuget * Print out nuget.exe version header in detailed output - [#1887](https://github.com/NuGet/Home/issues/1887) -* NuGet should add support for /runtimes/{rid}/nativeassets/{txm}/ - [#2782](https://github.com/NuGet/Home/issues/2782) \ No newline at end of file +* NuGet should add support for /runtimes/{rid}/nativeassets/{txm}/ - [#2782](https://github.com/NuGet/Home/issues/2782) diff --git a/docs/release-notes/NuGet-3.5-RC.md b/docs/release-notes/NuGet-3.5-RC.md index e7b46f94e..b3bd58ed8 100644 --- a/docs/release-notes/NuGet-3.5-RC.md +++ b/docs/release-notes/NuGet-3.5-RC.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 3.5 RC including known issues, bug fixes, a author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 3.5 RC Release Notes diff --git a/docs/release-notes/NuGet-3.5-RTM.md b/docs/release-notes/NuGet-3.5-RTM.md index e9a8ca006..3301d1b2a 100644 --- a/docs/release-notes/NuGet-3.5-RTM.md +++ b/docs/release-notes/NuGet-3.5-RTM.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 3.5 including known issues, bug fixes, adde author: JonDouglas ms.author: jodou ms.date: 11/11/2016 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 3.5 Release Notes diff --git a/docs/release-notes/NuGet-4.0-RC.md b/docs/release-notes/NuGet-4.0-RC.md index 8deddc15f..cfeb207ad 100644 --- a/docs/release-notes/NuGet-4.0-RC.md +++ b/docs/release-notes/NuGet-4.0-RC.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 4.0 RC including known issues, bug fixes, a author: JonDouglas ms.author: jodou ms.date: 02/03/2017 -ms.topic: conceptual +ms.topic: release-notes ms.reviewer: ananguar --- @@ -12,7 +12,7 @@ ms.reviewer: ananguar [NuGet 3.5 RTM Release Notes](../release-notes/nuget-3.5-RTM.md) -[NuGet 4.0 RC for Visual Studio 2017](http://blog.nuget.org/20161121/introducing-nuget4.0) is focused on adding support for .NET Core scenarios, addressing key customer feedback and improving performance in a variety of scenarios. This release brings several improvements like support for PackageReference, NuGet commands as MSBuild targets, background package restore, and more. +[NuGet 4.0 RC for Visual Studio 2017](https://blog.nuget.org/20161121/introducing-nuget4.0) is focused on adding support for .NET Core scenarios, addressing key customer feedback and improving performance in a variety of scenarios. This release brings several improvements like support for PackageReference, NuGet commands as MSBuild targets, background package restore, and more. ## Bug Fixes diff --git a/docs/release-notes/NuGet-4.0-RTM.md b/docs/release-notes/NuGet-4.0-RTM.md index cea4530b9..7fd345079 100644 --- a/docs/release-notes/NuGet-4.0-RTM.md +++ b/docs/release-notes/NuGet-4.0-RTM.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 4.0 RTM including known issues, bug fixes, author: anangaur ms.author: anangaur ms.date: 03/03/2017 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 4.0 RTM Release Notes diff --git a/docs/release-notes/NuGet-4.3-RTM.md b/docs/release-notes/NuGet-4.3-RTM.md index aa9e7702b..9700bea1a 100644 --- a/docs/release-notes/NuGet-4.3-RTM.md +++ b/docs/release-notes/NuGet-4.3-RTM.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 4.3 RTM including known issues, bug fixes, author: JonDouglas ms.author: jodou ms.date: 08/14/2017 -ms.topic: conceptual +ms.topic: release-notes ms.reviewer: anangaur --- diff --git a/docs/release-notes/NuGet-4.4-RTM.md b/docs/release-notes/NuGet-4.4-RTM.md index da36710c4..a06c05f27 100644 --- a/docs/release-notes/NuGet-4.4-RTM.md +++ b/docs/release-notes/NuGet-4.4-RTM.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 4.4 RTM including known issues, bug fixes, author: JonDouglas ms.author: jodou ms.date: 08/14/2017 -ms.topic: conceptual +ms.topic: release-notes ms.reviewer: anangaur --- diff --git a/docs/release-notes/NuGet-4.5-RTM.md b/docs/release-notes/NuGet-4.5-RTM.md index 507e183f7..7acc5f0b1 100644 --- a/docs/release-notes/NuGet-4.5-RTM.md +++ b/docs/release-notes/NuGet-4.5-RTM.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 4.5 RTM including known issues, bug fixes, author: anangaur ms.author: anangaur ms.date: 12/4/2017 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 4.5 Release Notes diff --git a/docs/release-notes/NuGet-4.6-rtm.md b/docs/release-notes/NuGet-4.6-rtm.md index b1e089539..ce8438c4c 100644 --- a/docs/release-notes/NuGet-4.6-rtm.md +++ b/docs/release-notes/NuGet-4.6-rtm.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 4.6.0 including known issues, bug fixes, ad author: anangaur ms.author: anangaur ms.date: 3/7/2018 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 4.6 Release Notes diff --git a/docs/release-notes/NuGet-4.7-RTM.md b/docs/release-notes/NuGet-4.7-RTM.md index 4a189d084..a43b5ab53 100644 --- a/docs/release-notes/NuGet-4.7-RTM.md +++ b/docs/release-notes/NuGet-4.7-RTM.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 4.7.0 including known issues, bug fixes, ad author: JonDouglas ms.author: jodou ms.date: 5/14/2018 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 4.7 Release Notes diff --git a/docs/release-notes/NuGet-4.8-RTM.md b/docs/release-notes/NuGet-4.8-RTM.md index 56896037f..1fef31ac9 100644 --- a/docs/release-notes/NuGet-4.8-RTM.md +++ b/docs/release-notes/NuGet-4.8-RTM.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 4.8.1 including known issues, bug fixes, ad author: JonDouglas ms.author: jodou ms.date: 5/14/2018 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 4.8 Release Notes diff --git a/docs/release-notes/NuGet-4.9-RTM.md b/docs/release-notes/NuGet-4.9-RTM.md index 04951f3ef..fd729e748 100644 --- a/docs/release-notes/NuGet-4.9-RTM.md +++ b/docs/release-notes/NuGet-4.9-RTM.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 4.9 including known issues, bug fixes, new author: JonDouglas ms.author: jodou ms.date: 11/20/2018 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 4.9 Release Notes diff --git a/docs/release-notes/NuGet-5.0-RTM.md b/docs/release-notes/NuGet-5.0-RTM.md index 6c49464ad..bd75b0597 100644 --- a/docs/release-notes/NuGet-5.0-RTM.md +++ b/docs/release-notes/NuGet-5.0-RTM.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 5.0 including known issues, bug fixes, new author: JonDouglas ms.author: jodou ms.date: 04/02/2019 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 5.0 Release Notes @@ -167,4 +167,4 @@ Disable the usage of the fallback folder by setting the `RestoreAdditionalProjec `` -Use this with caution as packages that would be restored from the fallback folder will now be downloaded from NuGet.org. \ No newline at end of file +Use this with caution as packages that would be restored from the fallback folder will now be downloaded from NuGet.org. diff --git a/docs/release-notes/NuGet-5.1-RTM.md b/docs/release-notes/NuGet-5.1-RTM.md index b661d0365..1f04bff82 100644 --- a/docs/release-notes/NuGet-5.1-RTM.md +++ b/docs/release-notes/NuGet-5.1-RTM.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 5.1 including new features, bug fixes, and author: JonDouglas ms.author: jodou ms.date: 05/21/2019 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 5.1 Release Notes diff --git a/docs/release-notes/NuGet-5.10.md b/docs/release-notes/NuGet-5.10.md index d8018de5b..e83d28fa6 100644 --- a/docs/release-notes/NuGet-5.10.md +++ b/docs/release-notes/NuGet-5.10.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 5.10 including new features, bug fixes, and author: zkat ms.author: kmarchan ms.date: 6/11/2021 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 5.10 Release Notes diff --git a/docs/release-notes/NuGet-5.11.md b/docs/release-notes/NuGet-5.11.md index 48c02be5c..dd8f31249 100644 --- a/docs/release-notes/NuGet-5.11.md +++ b/docs/release-notes/NuGet-5.11.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 5.11 including new features, bug fixes, and author: erdembayar ms.author: eryondon ms.date: 8/10/2021 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 5.11 Release Notes @@ -16,12 +16,25 @@ NuGet distribution vehicles: | [**5.11.0**](https://nuget.org/downloads) | [Visual Studio 2019 version 16.11](https://visualstudio.microsoft.com/downloads/) | [5.0.400](https://dotnet.microsoft.com/download/dotnet-core/5.0)1 | | [**5.11.2**](https://nuget.org/downloads) | [Visual Studio 2019 version 16.11.16](https://visualstudio.microsoft.com/downloads/) | N/A | | [**5.11.3**](https://nuget.org/downloads) | N/A | N/A | +| [**5.11.5**](https://nuget.org/downloads) | N/A | N/A | +| [**5.11.6**](https://nuget.org/downloads) | N/A | N/A | 1 Installed with Visual Studio 2019 with .NET Core workload > [!NOTE] > Visual Studio 16.11, MSBuild 16.11, and .NET 5.0.400+ requires NuGet.exe 5.11 or later. +## Summary: What's New in 5.11.6 + +* [Security]: Microsoft Security Advisory CVE-2024-0057 | NuGet Client Security Feature bypass Vulnerability - [#12653](https://github.com/NuGet/Home/issues/13241) + +## Summary: What's New in 5.11.5 + +* [Security]: Microsoft Security Advisory CVE-2023-29337 | NuGet Client Remote Code Execution Vulnerability - [#12653](https://github.com/NuGet/Home/issues/12653) + +> [!NOTE] +> There is a behavior breaking change on Linux. The temp folder location, where NuGet stores temporary files during its various operations, has changed from `/tmp/NuGetScratch` to `/tmp/NuGetScratch`. E.g. for user User1, the temp folder will be `/tmp/NuGetScratchUser1`. + ## Summary: What's New in 5.11.3 * [Security]: Microsoft Security Advisory CVE-2022-41032 | .NET Elevation of Privilege Vulnerability - [#12149](https://github.com/NuGet/Home/issues/12149) diff --git a/docs/release-notes/NuGet-5.2-RTM.md b/docs/release-notes/NuGet-5.2-RTM.md index f02714365..a57435a9c 100644 --- a/docs/release-notes/NuGet-5.2-RTM.md +++ b/docs/release-notes/NuGet-5.2-RTM.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 5.2 including new features, bug fixes, and author: JonDouglas ms.author: jodou ms.date: 07/23/2019 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 5.2 Release Notes diff --git a/docs/release-notes/NuGet-5.3.md b/docs/release-notes/NuGet-5.3.md index 6bbf19858..6559e3454 100644 --- a/docs/release-notes/NuGet-5.3.md +++ b/docs/release-notes/NuGet-5.3.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 5.3 including new features, bug fixes, and author: JonDouglas ms.author: jodou ms.date: 09/06/2019 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 5.3 Release Notes diff --git a/docs/release-notes/NuGet-5.4.md b/docs/release-notes/NuGet-5.4.md index 7e49fe0e6..9c8251328 100644 --- a/docs/release-notes/NuGet-5.4.md +++ b/docs/release-notes/NuGet-5.4.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 5.4 including new features, bug fixes, and author: JonDouglas ms.author: jodou ms.date: 09/06/2019 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 5.4 Release Notes diff --git a/docs/release-notes/NuGet-5.5.md b/docs/release-notes/NuGet-5.5.md index 67fdbc22f..8c51128bc 100644 --- a/docs/release-notes/NuGet-5.5.md +++ b/docs/release-notes/NuGet-5.5.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 5.5 including new features, bug fixes, and author: JonDouglas ms.author: jodou ms.date: 03/19/2020 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 5.5 Release Notes diff --git a/docs/release-notes/NuGet-5.6.md b/docs/release-notes/NuGet-5.6.md index be2dc0ce2..696fb3493 100644 --- a/docs/release-notes/NuGet-5.6.md +++ b/docs/release-notes/NuGet-5.6.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 5.6 including new features, bug fixes, and author: nkolev92 ms.author: nikolev ms.date: 05/19/2020 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 5.6 Release Notes diff --git a/docs/release-notes/NuGet-5.7.md b/docs/release-notes/NuGet-5.7.md index af334fa98..ee702a83b 100644 --- a/docs/release-notes/NuGet-5.7.md +++ b/docs/release-notes/NuGet-5.7.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 5.7 including new features, bug fixes, and author: nkolev92 ms.author: nikolev ms.date: 8/14/2020 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 5.7 Release Notes diff --git a/docs/release-notes/NuGet-5.8.md b/docs/release-notes/NuGet-5.8.md index f5ec3c2ae..837149983 100644 --- a/docs/release-notes/NuGet-5.8.md +++ b/docs/release-notes/NuGet-5.8.md @@ -1,10 +1,10 @@ --- title: NuGet 5.8 Release Notes description: Release notes for NuGet 5.8 including new features, bug fixes, and DCRs. -author: dominofire -ms.author: feaguila +author: JonDouglas +ms.author: jodou ms.date: 11/9/2020 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 5.8 Release Notes diff --git a/docs/release-notes/NuGet-5.9.md b/docs/release-notes/NuGet-5.9.md index 57582f302..f10019cf8 100644 --- a/docs/release-notes/NuGet-5.9.md +++ b/docs/release-notes/NuGet-5.9.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 5.9 including new features, bug fixes, and author: erdembayar ms.author: eryondon ms.date: 3/11/2021 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 5.9 Release Notes diff --git a/docs/release-notes/NuGet-6.0.md b/docs/release-notes/NuGet-6.0.md index 14a9306fe..5de5d1544 100644 --- a/docs/release-notes/NuGet-6.0.md +++ b/docs/release-notes/NuGet-6.0.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 6.0 including new features, bug fixes, and author: zkat ms.author: kmarchan ms.date: 10/7/2021 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 6.0 Release Notes @@ -17,9 +17,22 @@ NuGet distribution vehicles: | **6.0.1** | [Visual Studio 2022 version 17.0.2](https://visualstudio.microsoft.com/downloads/) | N/A | | [**6.0.2**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.0.11](https://visualstudio.microsoft.com/downloads/) | [6.0.301](https://dotnet.microsoft.com/download/dotnet-core/6.0)1 | | [**6.0.3**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.0](https://visualstudio.microsoft.com/downloads/) | [6.0.110](https://dotnet.microsoft.com/download/dotnet-core/6.0)1 | +| [**6.0.5**](https://nuget.org/downloads) | N/A | [6.0.118](https://dotnet.microsoft.com/download/dotnet-core/6.0)1 | +| [**6.0.6**](https://nuget.org/downloads) | N/A | [6.0.127](https://dotnet.microsoft.com/download/dotnet-core/6.0)1 | 1 Installed with Visual Studio 2022 with.NET Core workload +## Summary: What's New in 6.0.6 + +* [Security]: Microsoft Security Advisory CVE-2024-0057 | NuGet Client Security Feature bypass Vulnerability - [#12653](https://github.com/NuGet/Home/issues/13241) + +## Summary: What's New in 6.0.5 + +* [Security]: Microsoft Security Advisory CVE-2023-29337 | NuGet Client Remote Code Execution Vulnerability - [#12653](https://github.com/NuGet/Home/issues/12653) + +> [!NOTE] +> There is a behavior breaking change on Linux. The temp folder location, where NuGet stores temporary files during its various operations, has changed from `/tmp/NuGetScratch` to `/tmp/NuGetScratch`. E.g. for user User1, the temp folder will be `/tmp/NuGetScratchUser1`. + ## Summary: What's New in 6.0.3 * [Security]: Microsoft Security Advisory CVE-2022-41032 | .NET Elevation of Privilege Vulnerability - [#12149](https://github.com/NuGet/Home/issues/12149) diff --git a/docs/release-notes/NuGet-6.1.md b/docs/release-notes/NuGet-6.1.md index 242741db9..9ae87e416 100644 --- a/docs/release-notes/NuGet-6.1.md +++ b/docs/release-notes/NuGet-6.1.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 6.1 including new features, bug fixes, and author: zivkan ms.author: zivkan ms.date: 2/15/2022 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 6.1 Release Notes diff --git a/docs/release-notes/NuGet-6.10.md b/docs/release-notes/NuGet-6.10.md new file mode 100644 index 000000000..cdc222c9d --- /dev/null +++ b/docs/release-notes/NuGet-6.10.md @@ -0,0 +1,214 @@ +--- +title: NuGet 6.10 Release Notes +description: Release notes for NuGet 6.10 including new features, bug fixes, and DCRs. +author: kartheekp-ms +ms.date: 5/13/2024 +ms.topic: release-notes +--- + +# NuGet 6.10 Release Notes + +NuGet distribution vehicles: + +| NuGet version | Available in Visual Studio version | Available in .NET SDK(s) | +|:---|:---|:---| +| [**6.10.2**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.10](https://visualstudio.microsoft.com/downloads/) | [8.0.3xx](https://dotnet.microsoft.com/download/dotnet/8.0)1 | + +1 Installed with Visual Studio 2022 with any .NET workload + +## Summary: What's New in 6.10.2 + +### Issues fixed in this release + +* Revert Enable central package management implicitly when Directory.Packages.props exists - [#11834](https://github.com/NuGet/Home/issues/11834) + +[List of commits in this release](https://github.com/NuGet/NuGet.Client/compare/6.10.1.5...6.10.2.8) + +1 Installed with Visual Studio 2022 with any .NET workload + +## Summary: What's New in 6.10.1 + +### Issues fixed in this release + +* Visual Studio and PMC restore/update fails when multiple packages.config projects in the solution share the same name (An item with the same key has already been added) - [#13465](https://github.com/NuGet/Home/issues/13465) + +* ##[error]The nuget command failed with exit code(1) and error(An item with the same key has already been added. - [#13456](https://github.com/NuGet/Home/issues/13456) + +[List of commits in this release](https://github.com/NuGet/NuGet.Client/compare/6.10.0.97...6.10.1.5) + +## Summary: What's New in 6.10 + +* [Feature]: add dotnet nuget config command - [#12469](https://github.com/NuGet/Home/issues/12469) + +* Warn when vulnerabilities are detected during packages.config restore - [#12307](https://github.com/NuGet/Home/issues/12307) + +* Display a vulnerability info bar when there's vulnerabilities in packages.config based projects. - [#13271](https://github.com/NuGet/Home/issues/13271) + +* [Bug]: VS Credential Provider Incorrectly Setting Value of `isRetry` - [#11210](https://github.com/NuGet/Home/issues/11210) + +* dotnet list package --vulnerable requires constant login to 3rd party nuget feed - [#12456](https://github.com/NuGet/Home/issues/12456) + +### 6.10.0 Known issues + +NuGet.exe 6.10.0 and Visual Studio 17.10.0 may have failures during NuGet operations for projects using packages.config under the following scenarios: + +* Two or more projects in the solution have the same name +* Two or more projects in the solution use the same packages.config file (the project files exist in the same directory) + +These issues have been fixed in NuGet.exe 6.10.1 and Visual Studio 17.10.2. + +Public tracking issues and discussions can be found in the following locations: + +* [Cannot nuget restore after updating visual studio community to 17.10.0. An item with the same key has already been added.](https://developercommunity.visualstudio.com/t/Cannot-nuget-restore-after-updating-visu/10665602) +* [Visual Studio and PMC restore/update fails when multiple packages.config projects in the solution share the same name (An item with the same key has already been added)](https://github.com/NuGet/Home/issues/13465) +* [##[error]The nuget command failed with exit code(1) and error(An item with the same key has already been added.](https://github.com/NuGet/Home/issues/13456) + +### Breaking changes + +* Add nullable annotations to NuGet.Configuration - [#13250](https://github.com/NuGet/Home/issues/13250) + +* [Dotnet Package Search] The search result of the package should be “version” instead of “latestVersion” when executing command “dotnet package search \ --exact-match --format json” - [#13158](https://github.com/NuGet/Home/issues/13158) + +* ResolvedDependencyKey should be struct to reduce memory allocations - [#13138](https://github.com/NuGet/Home/issues/13138) + +* [DCR]: Central Package Management - Respect .props file as a way to opt-in to the feature. - [#11834](https://github.com/NuGet/Home/issues/11834) + +* Remove NuGet.Packaging.Core - [#12495](https://github.com/NuGet/Home/issues/12495) + +### Issues fixed in this release + +* Warn when vulnerabilities are detected during packages.config restore in CLI scenarios. - [#13253](https://github.com/NuGet/Home/issues/13253) + +* Stop using JObject in assets file reading to reduce allocations. [#12715](https://github.com/NuGet/Home/issues/12715) + +* Add event tracing to restore to make it possible to measure performance - [#13274](https://github.com/NuGet/Home/issues/13274) + +* Read auditSources from nuget.config files - [#13211](https://github.com/NuGet/Home/issues/13211) + +* SourceRepository.GetResourceAsync should be cancellable. - [#13234](https://github.com/NuGet/Home/issues/13234) + +* CreateWalkAsync should not be recursive - [#13222](https://github.com/NuGet/Home/issues/13222) + +* ProjectModel.HashObjectWriter.OnFlush is using a SHA512 hash versus a cheaper hash which seems like overkill - [#13214](https://github.com/NuGet/Home/issues/13214) + +* Owner package metadata is an array in JSON but a string in Protocol types - [#13186](https://github.com/NuGet/Home/issues/13186) + +* dotnet package search --verbosity detailed output table too wide - [#13162](https://github.com/NuGet/Home/issues/13162) + +* Calls in SetWarningProperties() have allocation overhead due to multiple enumeration - [#13151](https://github.com/NuGet/Home/issues/13151) + +* Use of ConcurrentStack in object pool implementation creates large amounts of allocations - [#13147](https://github.com/NuGet/Home/issues/13147) + +* IsBestVersion boxes HashSet\ enumerators resulting in lots of allocation overhead during restore. - [#13146](https://github.com/NuGet/Home/issues/13146) + +* Deprecate NuGet.exe list in favor of NuGet.exe search - [#7912](https://github.com/NuGet/Home/issues/7912) + +* [Dotnet Package Search] An unhandled exception is thrown when searching with “--verbosity detailed” and “--format json” - [#13300](https://github.com/NuGet/Home/issues/13300) + +* `dotnet package search` crashes on .NET 9 preview 2 nightly - [#13286](https://github.com/NuGet/Home/issues/13286) + +* Use the StringBuilderPool rather than allocating a new StringBuilder - [#13285](https://github.com/NuGet/Home/issues/13285) + +* Pass in an appropriate size for List\ - [#13284](https://github.com/NuGet/Home/issues/13284) + +* JsonTextWriter allocates a large number strings - [#13283](https://github.com/NuGet/Home/issues/13283) + +* Usage of StringBuilder.Append() allocates when appending an int - [#13282](https://github.com/NuGet/Home/issues/13282) + +* Unnecessary boxing of struct enumerators - [#13281](https://github.com/NuGet/Home/issues/13281) + +* Process objects should be disposed so that the finalizer doesn't run - [#13280](https://github.com/NuGet/Home/issues/13280) + +* Avoid boxing enumerators for collections - [#13279](https://github.com/NuGet/Home/issues/13279) + +* [.NET 9 Preview 3] no-op restore is no longer a no-op - [#13269](https://github.com/NuGet/Home/issues/13269) + +* Reduce allocations in calling IVsProjectAdpater.IsCapabilityMatchAsync - [#13268](https://github.com/NuGet/Home/issues/13268) + +* Consolidate packages.config restore implementations by minimizing discrepancies - [#13233](https://github.com/NuGet/Home/issues/13233) + +* Unroll LINQ usage to trim some allocations in AddMSBuildAssets - [#13223](https://github.com/NuGet/Home/issues/13223) + +* PackageSpecWriter is calling Any on an ICollection\/IList\ instances instead of .Count - [#13213](https://github.com/NuGet/Home/issues/13213) + +* StringBuilder.Append(int) causes unnecessary allocations - [#13207](https://github.com/NuGet/Home/issues/13207) + +* Caching task results can cause all continuations to occur on the same thread - [#13206](https://github.com/NuGet/Home/issues/13206) + +* LibraryDependency creates a collection that is mostly empty - [#13184](https://github.com/NuGet/Home/issues/13184) + +* PackageSpecWriter should write out original string for versions instead of allocating a new one - [#13183](https://github.com/NuGet/Home/issues/13183) + +* SetCentralDependencies is calling OrderBy without specifying comparison defaulting to cultural-sensitive compare - [#13182](https://github.com/NuGet/Home/issues/13182) + +* Search results in json format from dotnet package search should not include fields for which no values are provided - [#13166](https://github.com/NuGet/Home/issues/13166) + +* The search result of the package should be “totalDownloads” instead of “total downloads” when executing command “dotnet package search \ --format json” - [#13165](https://github.com/NuGet/Home/issues/13165) + +* [dotnet package search] the failure to load a serivce index should be an error and not a warning. - [#13163](https://github.com/NuGet/Home/issues/13163) + +* dotnet package search format shows help output in addition to a json file - [#13161](https://github.com/NuGet/Home/issues/13161) + +* Cancelling static graph-based restore does not end the restore process - [#13140](https://github.com/NuGet/Home/issues/13140) + +* Use string.Contains instead of IEnumerable.Contains in VersionRange parsing - [#13124](https://github.com/NuGet/Home/issues/13124) + +* Static graph restore doesn't restore packages.config only solution - [#13109](https://github.com/NuGet/Home/issues/13109) + +* NuGet restore always touched the project.assets.json file even no content is changed when it needs log error messages. - [#13098](https://github.com/NuGet/Home/issues/13098) + +* Audit at restore time must not throw and fail the operation - [#13085](https://github.com/NuGet/Home/issues/13085) + +* Getting "An item with the same key has already been added" error when restoring. - [#13067](https://github.com/NuGet/Home/issues/13067) + +* PM UI Scrolling no longer loads additional packages. - [#13063](https://github.com/NuGet/Home/issues/13063) + +* NuGet restore cache check is no longer using file existence cache - [#13058](https://github.com/NuGet/Home/issues/13058) + +* Adding a reference to an esproj from an ASP.Net project results in a NU1105 error - [#12986](https://github.com/NuGet/Home/issues/12986) + +* RemoteDependencyWalker allocates a lot due to the fact that it's called recursively - [#12748](https://github.com/NuGet/Home/issues/12748) + +* [Bug]: Canceling msbuild restore is slow when invalid/unreachable source configured - [#11813](https://github.com/NuGet/Home/issues/11813) + +* Restore: excessive deep cloning of ProjectSpec - [#9041](https://github.com/NuGet/Home/issues/9041) + +[List of commits in this release](https://github.com/NuGet/NuGet.Client/compare/6.9.1.3...6.10.0.97) + +### Community contributions + +Thank you to all the contributors who helped make this NuGet release awesome! + +* [Erarndt](https://github.com/NuGet/NuGet.Client/pull/5659) + * [5659](https://github.com/NuGet/NuGet.Client/pull/5659) Reduce boxing when enumerating lists + * [5662](https://github.com/NuGet/NuGet.Client/pull/5662) Use StringBuilder.AppendInt() in more places to reduce allocations when appending integers to a StringBuilder + * [5663](https://github.com/NuGet/NuGet.Client/pull/5663) Remove allocations from TextWriter.NewLine implementation + * [5665](https://github.com/NuGet/NuGet.Client/pull/5665) Use pooled StringBuilder + * [5661](https://github.com/NuGet/NuGet.Client/pull/5661) Avoid enumerator boxing in PackageSpecificWarningProperties.AddRangeOfCodes and TransitiveNoWarnUtils.AddToSeen + * [5660](https://github.com/NuGet/NuGet.Client/pull/5660) Ensure that Process objects are disposed when launching authentication plug-ins + * [5664](https://github.com/NuGet/NuGet.Client/pull/5664) Specify list size in TopologicalSortUtility.CalculateRelationships + * [5624](https://github.com/NuGet/NuGet.Client/pull/5624) Switch CreateNodeAsync to an iterative approach + * [5584](https://github.com/NuGet/NuGet.Client/pull/5584) Unroll LINQ usage to trim some allocations in AddMSBuildAssets + * [5574](https://github.com/NuGet/NuGet.Client/pull/5574) Unroll several LINQ calls + * [5593](https://github.com/NuGet/NuGet.Client/pull/5593) Further reduce allocations in CreateGraphNodeAsync + * [5592](https://github.com/NuGet/NuGet.Client/pull/5592) Avoid multiple enumeration when writing Json objects + * [5600](https://github.com/NuGet/NuGet.Client/pull/5600) Avoid intermediate string allocation caused by StringBuilder Append(i… + * [5555](https://github.com/NuGet/NuGet.Client/pull/5555) Unroll Linq in GetFlags + * [5588](https://github.com/NuGet/NuGet.Client/pull/5588) Avoid boxing HashSet Enumerator in IsBestVerion + * [5589](https://github.com/NuGet/NuGet.Client/pull/5589) Update the pool implementation to use a stack with a lock to avoid al… + * [5568](https://github.com/NuGet/NuGet.Client/pull/5568) Change ResolvedDependencyKey to a struct + * [5553](https://github.com/NuGet/NuGet.Client/pull/5553) Avoid some allocations in GetCompatibilityData + * [5554](https://github.com/NuGet/NuGet.Client/pull/5554) Switch from Tuple to ValueTuple for Dictionary keys + * [5552](https://github.com/NuGet/NuGet.Client/pull/5552) Avoid creating the capture class for calls to WithExtension + * [5556](https://github.com/NuGet/NuGet.Client/pull/5556) Switch from ConcurrentDictionary to Dictionary with lock to avoid rep… + * [5551](https://github.com/NuGet/NuGet.Client/pull/5551) Use string.Contains instead of IEnumerable.Contains + * [5550](https://github.com/NuGet/NuGet.Client/pull/5550) Avoid boxing List\ enumerator +* [GenelleM](https://github.com/NuGet/NuGet.Client/pull/5655) + * [5655](https://github.com/NuGet/NuGet.Client/pull/5655) Add 64-bit non crypto hash algo for dgspec uniqueness computation + * [5629](https://github.com/NuGet/NuGet.Client/pull/5629) Replace calls to Any() on ICollection in PackageSpecWriter with Count > 0 Issue #13213 + * [5619](https://github.com/NuGet/NuGet.Client/pull/5619) Reduces some CPU time usage in SetCentralDependencies +* [NikolaMilosavljevic](https://github.com/NuGet/NuGet.Client/pull/5673) + * [5673](https://github.com/NuGet/NuGet.Client/pull/5673) Enable publishing in VMR + * [5625](https://github.com/NuGet/NuGet.Client/pull/5625) Eliminate System.CommandLine prebuilt package +* [brianrob](https://github.com/NuGet/NuGet.Client/pull/5650) + * [5650](https://github.com/NuGet/NuGet.Client/pull/5650) Add Restore Instrumentation diff --git a/docs/release-notes/NuGet-6.11.md b/docs/release-notes/NuGet-6.11.md new file mode 100644 index 000000000..0e74cce77 --- /dev/null +++ b/docs/release-notes/NuGet-6.11.md @@ -0,0 +1,107 @@ +--- +title: NuGet 6.11 Release Notes +description: Release notes for NuGet 6.11 including new features, bug fixes, and DCRs. +author: martinrrm +ms.date: 8/13/2024 +ms.topic: release-notes +--- +# NuGet 6.11 Release Notes + +NuGet distribution vehicles: + +| NuGet version | Available in Visual Studio version | Available in .NET SDK(s) | +|:---|:---|:---| +| [**6.11**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.11](https://visualstudio.microsoft.com/downloads/) | [8.0.4xx](https://dotnet.microsoft.com/download/dotnet/8.0)1 | + +1 Installed with Visual Studio 2022 with any .NET workload + +## Summary: What's New in 6.11.1 + +### Issues fixed in this release + +* Fix "multiple attempts to download the nupkg have failed" - [#13545](https://github.com/NuGet/Home/issues/13545) + +[List of commits in this release](https://github.com/NuGet/NuGet.Client/compare/6.11.0.122...6.11.1.2) + +## Summary: What's New in 6.11 + +* Suppress NuGetAudit warnings for specific advisories for PackageReference projects - [#13679](https://github.com/NuGet/Home/issues/13679) + +* Add `--allow-insecure-connections` option to dotnet SDK - [#13396](https://github.com/NuGet/Home/issues/13396) + +* Swap authors for owners in Visual Studio Package Manager UI - [#12501](https://github.com/NuGet/Home/issues/12501) + +* [Feature]: add dotnet nuget why to dotnet CLI - [#11943](https://github.com/NuGet/Home/issues/11943) + +* NuGet cannot restore from HTTPS sources that have SSL certificate problems - [#4387](https://github.com/NuGet/Home/issues/4387) + +### Breaking changes + +* `MSBuildRestoreUtility.GetRestoreAuditProperties` needs a breaking change to read `NuGetAuditSuppress` items - [#13313](https://github.com/NuGet/Home/issues/13313) + +### Issues fixed in this release + +* IVsNuGetProjectUpdateEvents.ProjectUpdateStarted or ProjectUpdateFinished should only provide a list of files that will get changed. - [#13413](https://github.com/NuGet/Home/issues/13413) + +* `dotnet nuget` commands should not output usage information on all errors - [#13251](https://github.com/NuGet/Home/issues/13251) + +* [DCR]: NuGet causes many ArgumentExceptions to be thrown & caught in VS - [#11535](https://github.com/NuGet/Home/issues/11535) + +* Remove .NET Framework TFM from NuGet.CommandLine.XPlat - [#8452](https://github.com/NuGet/Home/issues/8452) + +* PERF: GetPackageInfo allocates by unnecessarily calling GetNupkgMetadataPath - [#13556](https://github.com/NuGet/Home/issues/13556) + +* 'dotnet nuget why' crashes when using --framework option - [#13547](https://github.com/NuGet/Home/issues/13547) + +* SignatureUtility.GetCertificates in NuGet.Client can skip calling Dispose on error - [#13535](https://github.com/NuGet/Home/issues/13535) + +* 'dotnet nuget why' does not work when a directory is provided for the 'Path' argument - [#13527](https://github.com/NuGet/Home/issues/13527) + +* NuGet IntelliCode Package Suggestions are missing Author in packages list - [#13515](https://github.com/NuGet/Home/issues/13515) + +* Rebuilding in VS causes unnecessary restores - [#13505](https://github.com/NuGet/Home/issues/13505) + +* MSB4181: The "Restore Task" task returned false but did not log an error. - [#13460](https://github.com/NuGet/Home/issues/13460) + +* TaskResultCache incorrectly shares the same lock object for all the keys. - [#13448](https://github.com/NuGet/Home/issues/13448) + +* Calls to CompareTo and Equals should not allocate - [#13442](https://github.com/NuGet/Home/issues/13442) + +* Enable Nullable and throw in KnownOwnerViewModel - [#13425](https://github.com/NuGet/Home/issues/13425) + +* `PackageSourceProvider.UpdatePackageSource` doesn't respect a value from `disableTLSCertificateValidation` attribute - [#13423](https://github.com/NuGet/Home/issues/13423) + +* `PackageSourceProvider.UpdatePackageSource` doesn't respect a value from `AllowInsecureConnection` field - [#13418](https://github.com/NuGet/Home/issues/13418) + +* "nuget install -ExcludeVersion" inaccurate reports "already installed" when trying to install older version - [#13334](https://github.com/NuGet/Home/issues/13334) + +* Vulnerability InfoBar remains visible in the Solution Explorer after closing solution - [#13055](https://github.com/NuGet/Home/issues/13055) + +[List of commits in this release](https://github.com/NuGet/NuGet.Client/compare/6.10.1.5...6.11.0.122) + +### Community contributions + +Thank you to all the contributors who helped make this NuGet release awesome! + +* [seclerp](https://github.com/seclerp) + * [5783](https://github.com/NuGet/NuGet.Client/pull/5783) Fix `PackageSourceProvider.UpdatePackageSource` doesn't respect a value from `DisableTLSCertificateValidation` field + * [5767](https://github.com/NuGet/NuGet.Client/pull/5767) Fix `PackageSourceProvider.UpdatePackageSource` doesn't respect a value from `AllowInsecureConnection` field +* [mmitche](https://github.com/mmitche) + * [5749](https://github.com/NuGet/NuGet.Client/pull/5749) Build NuGet from the VMR + * [5752](https://github.com/NuGet/NuGet.Client/pull/5752) Fixup signing support conditional +* [ToddGrun](https://github.com/ToddGrun) + * [5859](https://github.com/NuGet/NuGet.Client/pull/5859) Reduce allocations in GetPackageInfo by conditionally calling GetNupkgMetadataPath +* [omajid](https://github.com/omajid) + * [5848](https://github.com/NuGet/NuGet.Client/pull/5848) Dispose certificates on failure in SignatureUtility.GetCertificates +* [SimonCropp](https://github.com/SimonCropp) + * [5842](https://github.com/NuGet/NuGet.Client/pull/5842) remove redundant .GetTypeInfo() +* [ryanmolden](https://github.com/ryanmolden) + * [5834](https://github.com/NuGet/NuGet.Client/pull/5834) Eliminate first-chance ArgumentExceptions when querying a legacy project for properties that don't exist via DTE +* [hickford](https://github.com/hickford) + * [5743](https://github.com/NuGet/NuGet.Client/pull/5743) Correct message in the case that a higher version of package is already installed +* [ViktorHofer](https://github.com/ViktorHofer) + * [5764](https://github.com/NuGet/NuGet.Client/pull/5764) Use .NET SDK sourcelink integration +* [NikolaMilosavljevic](https://github.com/NikolaMilosavljevic) + * [5738](https://github.com/NuGet/NuGet.Client/pull/5738) Disable CA2022 errors +* [jv42](https://github.com/jv42) + * [5717](https://github.com/NuGet/NuGet.Client/pull/5717) Fixed NullReferenceException in ResolverComparer diff --git a/docs/release-notes/NuGet-6.12.md b/docs/release-notes/NuGet-6.12.md new file mode 100644 index 000000000..51c3c9702 --- /dev/null +++ b/docs/release-notes/NuGet-6.12.md @@ -0,0 +1,181 @@ +--- +title: NuGet 6.12 Release Notes +description: Release notes for NuGet 6.12 including new features, bug fixes, and DCRs. +author: zivkan +ms.topic: release-notes +--- + +# NuGet 6.12 Release Notes + +> [!NOTE] +> In response to developers' feedback to ensure builds continuity when updating to .NET SDK 9, we have reverted the default value of NuGetAuditMode to `direct` in Visual Studio 17.12.3 and .NET 9.0.101. + +NuGet distribution vehicles: + +| NuGet version | Available in Visual Studio version | Available in .NET SDK(s) | +|:---|:---|:---| +| [**6.12**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.12](https://visualstudio.microsoft.com/downloads/) | [9.0.1xx](https://dotnet.microsoft.com/download/dotnet/9.0)1 | +| [**6.12.4**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.12.8](https://visualstudio.microsoft.com/downloads/) | [9.0.106](https://dotnet.microsoft.com/download/dotnet/9.0)1 | + +1 Installed with Visual Studio 2022 with any .NET workload + +## Known Issues + +* Project and package in the same graph with the same name but different dependencies may lead to incorrect versions of the dependencies of that id [#13888](https://github.com/NuGet/Home/issues/13888) +* VS PM UI shows warning icon about package vulnerability even after upgrade [#13866](https://github.com/NuGet/Home/issues/13866) +* dotnet nuget why reports missing argument, even though it ran [#13908](https://github.com/NuGet/Home/issues/13908) + +## Summary: What's New in 6.12.4 + +NuGet 6.12.4 is available in Visual Studio 17.12.8. + +### Issues fixed in this release + +* Restore should fail more quickly when using http sources - [#14210](https://github.com/NuGet/Home/issues/14210) + +## Summary: What's New in 6.12.3 + +NuGet 6.12.3 is available in Visual Studio 17.12.4. + +### Issues fixed in this release + +* Small Solution PM UI size can cause a System.ArgumentException SolutionView.ListView_SizeChanged - [#13928](https://github.com/NuGet/Home/issues/13928) + +## Summary: What's New in 6.12.1 + +NuGet 6.12.1 is available in Visual Studio 17.12.0 and the .NET 9.0.101 SDK. + +### Issues fixed in this release + +* Deserializing an empty version range in a package dependency fails in .NET SDK 9.0.100-rc.2 [#13869](https://github.com/NuGet/Home/issues/13869) + +## Summary: What's New in 6.12 + +NuGet 6.12.0 is available in the .NET 9.0.100 SDK. + +* Add new graph resolution algorithm for better performance with large graphs - [#13692](https://github.com/NuGet/Home/issues/13692) + +* NuGetAudit raises warnings for vulnerable transitive packages by default when the .NET 9 SDK is installed [#13293](https://github.com/NuGet/Home/issues/13293) + +* Change NuGetAuditMode default from direct to all, raising warnings for vulnerable transitive packages for non-SDK style projects - [#13584](https://github.com/NuGet/Home/issues/13584) + +* Audit security vulnerabilities without adding nuget.org as package source - [#12698](https://github.com/NuGet/Home/issues/12698) + +* Owner profile hyperlinks needed in Details Pane of PM UI - [#13686](https://github.com/NuGet/Home/issues/13686) + +* Deprecate SHA-1 fingerprints usage in NuGet Sign commands in favor of SHA-2 family fingerprints [#13891](https://github.com/NuGet/Home/issues/13891) + +* Bubble-up Known Vulnerability Indicators in Solution Explorer for Transitive Packages - [#13636](https://github.com/NuGet/Home/issues/13636) + +* Enable Transitive Dependencies and vulnerabilities for Solution-level in Visual Studio - [#13216](https://github.com/NuGet/Home/issues/13216) + +### Breaking changes + +* Deprecate http usage: Promote from warning to error - [#13289](https://github.com/NuGet/Home/issues/13289) + +### Issues fixed in this release + +* Enable `dotnet nuget why` on non-SDK style projects - [#13576](https://github.com/NuGet/Home/issues/13576) + +* NuGetAuditSuppress for packages.config - [#13575](https://github.com/NuGet/Home/issues/13575) + +* Roll-out new breaking change process for SDK tools, respect SdkAnalysisLevel - [#13309](https://github.com/NuGet/Home/issues/13309) + +* Add property for toggling the to the previous NuGet resolver: RestoreUseLegacyDependencyResolver - [#13700](https://github.com/NuGet/Home/issues/13700) + +* Reduce allocations in TokenSegment.TryMatch - [#12728](https://github.com/NuGet/Home/issues/12728) + +* Use `SDKAnalysisLevel` in restore "https everywhere: promote from warning to error" - [#13546](https://github.com/NuGet/Home/issues/13546) + +* tweak wording of NU1603 - [#13446](https://github.com/NuGet/Home/issues/13446) + +* Default Package icon shown even when embedded icon file exists on disk - [#13766](https://github.com/NuGet/Home/issues/13766) + +* Navigation telemetry for hyperlinks: License, ReportAbuse, Readme, ProjectUrl - [#13749](https://github.com/NuGet/Home/issues/13749) + +* Navigation telemetry for Owner Profile URLs in PM UI - [#13738](https://github.com/NuGet/Home/issues/13738) + +* PM UI should show transitive path - [#13574](https://github.com/NuGet/Home/issues/13574) + +* NuGetVersion should use a factory to intern parsed versions - [#13532](https://github.com/NuGet/Home/issues/13532) + +* Remove NuGet.Packaging.Core code - [#13385](https://github.com/NuGet/Home/issues/13385) + +* PM UI transitive dependencies should display all transitive dependencies, not just ones brought in through packages directly installed in a project - [#13060](https://github.com/NuGet/Home/issues/13060) + +* Remove deprecated field "owners" from VS UI Details Pane - [#10666](https://github.com/NuGet/Home/issues/10666) + +* "Value cannot be null; Parameter name: source" displays in error list when clicking installed tab in PM UI - [#13801](https://github.com/NuGet/Home/issues/13801) + +* New dependency resolver does not properly handle missing package versions when using CPM - [#13788](https://github.com/NuGet/Home/issues/13788) + +* Saving PackageManagementFormat throws Nullable object must have a value. - [#13773](https://github.com/NuGet/Home/issues/13773) + +* ProjectReference causing PM UI to error with "Value cannot be null. Parameter name: frameworkIdentifier" - [#13737](https://github.com/NuGet/Home/issues/13737) + +* LockFileUtils.CreateLockFileTargetProject allocates a lot - [#13712](https://github.com/NuGet/Home/issues/13712) + +* ConvertToProjectPaths causes extra allocations due to yield usage - [#13677](https://github.com/NuGet/Home/issues/13677) + +* dotnet add package with CPM installs a different version than what gets restored - [#13657](https://github.com/NuGet/Home/issues/13657) + +* `dotnet list package` does not work if project is using central package management system, after upgrading to `.NET 8.0` - [#13632](https://github.com/NuGet/Home/issues/13632) + +* Add a log code NuGetAuditSuppress duplicate items - [#13620](https://github.com/NuGet/Home/issues/13620) + +* Solution Explorer search can be broken by skipped dataflow updates - [#13619](https://github.com/NuGet/Home/issues/13619) + +* Add nullability declarations to ResolverUtility and RemoteWalkContext - [#13617](https://github.com/NuGet/Home/issues/13617) + +* Use of Obsolete X509Certificate2 ctor - [#13612](https://github.com/NuGet/Home/issues/13612) + +* nuget restore warnings can't be suppressed with NoWarn in Visual Studio - [#13571](https://github.com/NuGet/Home/issues/13571) + +* Restore may write nulls to project.assets.json - [#13563](https://github.com/NuGet/Home/issues/13563) + +* VS 17.10 - Error building projects with CPM explicitly enabled if ManagePackageVersionsCentrally is set to false in Directory.Build.props - [#13560](https://github.com/NuGet/Home/issues/13560) + +* PERF: Version and VersionRange allocations are very prevalent in profiles of Roslyn solution load - [#13559](https://github.com/NuGet/Home/issues/13559) + +* PERF: LockFileFormat is filled completely when common callers only need some of the data - [#13558](https://github.com/NuGet/Home/issues/13558) + +* PERF: Unnecessary construction of LockFileItem.Properties dictionary - [#13557](https://github.com/NuGet/Home/issues/13557) + +* Narator does not read the value of `allowInsecureConnections` - [#13555](https://github.com/NuGet/Home/issues/13555) + +* NuGet fails because of invalid characters in User-Agent header - [#13531](https://github.com/NuGet/Home/issues/13531) + +* 'why' and 'config' command does not show up in 'dotnet nuget --help' output - [#13517](https://github.com/NuGet/Home/issues/13517) + +* allocation: nuget.protocol.dll!NuGet.Protocol.HttpCacheUtility+<CreateCacheFileAsync>d__.MoveNext|nuget.protocol.dll!NuGet.Protocol.PackageDependencyGroupConverter.ReadJson - [#13445](https://github.com/NuGet/Home/issues/13445) + +* Reduce allocations in ContentItemCollection - [#12657](https://github.com/NuGet/Home/issues/12657) + +* When a source isn't accessible, service index cannot be read issues suppress the internal message making it difficult to understand the root cause - [#12530](https://github.com/NuGet/Home/issues/12530) + +* [Bug]: Extra space at start of package description in tooltip - [#12105](https://github.com/NuGet/Home/issues/12105) + +* Map branch name from sourcelink to RepositoryBranch for NuGet pack - [#13625](https://github.com/NuGet/Home/issues/13625) + +[List of commits in this release](https://github.com/NuGet/NuGet.Client/compare/6.12.1.1...6.11.1.2) + +### Community contributions + +Thank you to all the contributors who helped make this NuGet release awesome! + +* [akoeplinger](https://github.com/NuGet/NuGet.Client/pull/6005) + * [6005](https://github.com/NuGet/NuGet.Client/pull/6005) Improve build.sh and fixes for building on arm64 macOS + * [5956](https://github.com/NuGet/NuGet.Client/pull/5956) Add System.Formats.Asn1 into Version.Details.xml + * [5911](https://github.com/NuGet/NuGet.Client/pull/5911) Don't use obsolete X509Certificate2 constructor on net9.0 +* [ToddGrun](https://github.com/NuGet/NuGet.Client/pull/5862) + * [5862](https://github.com/NuGet/NuGet.Client/pull/5862) Reduce allocations for version / versionranges + * [5857](https://github.com/NuGet/NuGet.Client/pull/5857) Reduce memory allocations during solution load in VS + * [5861](https://github.com/NuGet/NuGet.Client/pull/5861) Defer LockFileItem.Properties dictionary construction until needed +* [KirillOsenkov](https://github.com/NuGet/NuGet.Client/pull/6008) + * [6008](https://github.com/NuGet/NuGet.Client/pull/6008) Always debug RestoreTask and RestoreEx when environment variable is set +* [vernou](https://github.com/NuGet/NuGet.Client/pull/5982) + * [5982](https://github.com/NuGet/NuGet.Client/pull/5982) Fix restore when a package is installed with a version specified in CPM +* [mthalman](https://github.com/NuGet/NuGet.Client/pull/5959) + * [5959](https://github.com/NuGet/NuGet.Client/pull/5959) Allow override of System.Formats.Asn1 package version +* [MattKotsenas](https://github.com/NuGet/NuGet.Client/pull/5923) + * [5923](https://github.com/NuGet/NuGet.Client/pull/5923) Map SourceBranchName from sourcelink to RepositoryBranch for NuGet pack diff --git a/docs/release-notes/NuGet-6.13.md b/docs/release-notes/NuGet-6.13.md new file mode 100644 index 000000000..1c09115b4 --- /dev/null +++ b/docs/release-notes/NuGet-6.13.md @@ -0,0 +1,136 @@ +--- +title: NuGet 6.13 Release Notes +description: Release notes for NuGet 6.13 including new features, bug fixes, and DCRs. +author: Nigusu-Allehu +ms.author: nyenework +ms.date: 2/4/2025 +ms.topic: release-notes +--- + +# NuGet 6.13 Release Notes + +NuGet distribution vehicles: + +| NuGet version | Available in Visual Studio version | Available in .NET SDK(s) | +|:---|:---|:---| +| [**6.13.0**](https://nuget.org/downloads) | N/A | [9.0.200](https://dotnet.microsoft.com/download/dotnet/9.0)1 | +| [**6.13.1**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.13.0](https://visualstudio.microsoft.com/downloads/) | [9.0.201](https://dotnet.microsoft.com/download/dotnet/9.0)1 | +| [**6.13.2**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.13.2](https://visualstudio.microsoft.com/downloads/) | [9.0.203](https://dotnet.microsoft.com/download/dotnet/9.0)1 | + +1 Installed with Visual Studio 2022 with any .NET workload + +## Summary: What's New in 6.13.2 + +* New restore dependency resolver fails when resolving identical child dependencies - [#14025](https://github.com/NuGet/Home/issues/14025) + +[List of commits in this release](https://github.com/NuGet/NuGet.Client/compare/6.13.1.3...6.13.2.1) + +## Summary: What's New in 6.13.1 + +NuGet 6.13.1 is available in Visual Studio 17.13 and .NET 9.0.201 SDK. + +* Support for new slnx solution format in dotnet nuget why and dotnet list package - [#14034](https://github.com/NuGet/Home/issues/14034) + +[List of commits in this release](https://github.com/NuGet/NuGet.Client/compare/6.13.0.113...6.13.1.3) + +## Summary: What's New in 6.13.0 + +NuGet 6.13.0 is available in the .NET 9.0.200 SDK. + +* Support for credential providers deployed via .NET tools - [#12567](https://github.com/NuGet/Home/issues/12567) + +* Opt-in feature: "Supplied by Platform", which removes packages that are supplied by the .NET platform from the dependency graph. This results in better performance and eliminates false positives for vulnerabilities in transitive dependencies. + +* dotnet nuget why should check RID specific packages - [#13718](https://github.com/NuGet/Home/issues/13718) + +* Allow specifying the msbuild binlog path when invoking static graph restore to avoid modifying the environment - [#10789](https://github.com/NuGet/Home/issues/10789) + +* New Dependency Resolver Fixes + + * New dependency resolver downloads more packages than before - [#13943](https://github.com/NuGet/Home/issues/13943) + + * New dependency resolver does not handle floating versions correctly in some situations - [#13992](https://github.com/NuGet/Home/issues/13992) + + * New dependency resolver erroneously reports NU1605 (downgrade) when using transitive pinning a direct dependency and a downgrade exists in a package graph - [#13938](https://github.com/NuGet/Home/issues/13938) + + * NuGet Restore restoring old versions of transitive dependencies when direct dependency does not have guidelines for user's targeted .NET Framework - [#13934](https://github.com/NuGet/Home/issues/13934) + + * Project and package in the same graph with the same name but different dependencies may lead to incorrect versions of the dependencies of that id - [#13888](https://github.com/NuGet/Home/issues/13888) + +* Package Manager UI in Visual Studio now shows embedded READMEs for NuGet packages, if available - [#12583](https://github.com/NuGet/Home/issues/12583) + +### Issues fixed in this release + +* Detect if restore used NuGetAudit or not for PackageReference projects - [#13778](https://github.com/NuGet/Home/issues/13778) + +* Add indicator for deprecated and vulnerable packages to Package Details tab header. - [#13974](https://github.com/NuGet/Home/issues/13974) + +* Navigation telemetry for 'Clear All NuGet Storage' Command in VS Settings - [#13968](https://github.com/NuGet/Home/issues/13968) + +* Nuget Package Manager for Solution automatically selects transitive dependencies - [#13893](https://github.com/NuGet/Home/issues/13893) + +* Debugging large repos with static graph-based restore is slow - [#13876](https://github.com/NuGet/Home/issues/13876) + +* NuGet Client SDK packages updating to net8.0 - [#13842](https://github.com/NuGet/Home/issues/13842) + +* Promote NU3043 warning to error in .NET 10 - [#13814](https://github.com/NuGet/Home/issues/13814) + +* Setting "Allow format selection on first package install" meaning is unclear - [#14016](https://github.com/NuGet/Home/issues/14016) + +* `dotnet nuget why` reports missing argument, even though it ran - [#13908](https://github.com/NuGet/Home/issues/13908) + +* Spacing adjustments in Details Pane Tabs - [#13880](https://github.com/NuGet/Home/issues/13880) + +* The focus border on the Details Pane Tab content is being truncated - [#13879](https://github.com/NuGet/Home/issues/13879) + +* JAWS is reading the entire contents of the Package Details Tab when first visiting it - [#13878](https://github.com/NuGet/Home/issues/13878) + +* ContentItemCollection.PopulateItemGroups unnecessarily allocates - [#13851](https://github.com/NuGet/Home/issues/13851) + +* Read and write .nupkg.metadata files with System.Text.Json - [#13835](https://github.com/NuGet/Home/issues/13835) + +* NuGet Fails in Containers When HOME Is Not Set - [#13834](https://github.com/NuGet/Home/issues/13834) + +* Signing: key not disposed - [#13823](https://github.com/NuGet/Home/issues/13823) + +* Walk TFMs in parallel when collecting pack outputs - [#13776](https://github.com/NuGet/Home/issues/13776) + +* PERF: NuGet Cloning operations are showing heavily in allocations during VS solution load - [#13647](https://github.com/NuGet/Home/issues/13647) + +* Fetching Vulnerability Resources doesn't respect cancellation - [#13644](https://github.com/NuGet/Home/issues/13644) + +* Wrong order of arguments in logs for centralized package version (string `Info_AddPkgCPM`) - [#13155](https://github.com/NuGet/Home/issues/13155) + +* Satellite assemblies for three-letter languages are not copied from NuGet package - [#12253](https://github.com/NuGet/Home/issues/12253) + +* Nuget pack doesn't support blank <version> in .nuspec even though version is passed on the command line - [#7987](https://github.com/NuGet/Home/issues/7987) + +[List of commits in this release](https://github.com/NuGet/NuGet.Client/compare/6.12.3.1...6.13.1.3) + +### Community contributions + +Thank you to all the contributors who helped make this NuGet release awesome! + +* [SimonCropp](https://github.com/NuGet/NuGet.Client/pull/6185) + * [6185](https://github.com/NuGet/NuGet.Client/pull/6185) reduce memory in ManifestMetadata + * [6168](https://github.com/NuGet/NuGet.Client/pull/6168) remove duplicate dictionary lookups + * [6166](https://github.com/NuGet/NuGet.Client/pull/6166) remove redundant Count() in GlobalPackageFolderRepositories + * [6165](https://github.com/NuGet/NuGet.Client/pull/6165) avoid Any call in GetCommandAttribute + * [6167](https://github.com/NuGet/NuGet.Client/pull/6167) remove redundant casts +* [baronfel](https://github.com/NuGet/NuGet.Client/pull/6124) + * [6124](https://github.com/NuGet/NuGet.Client/pull/6124) Expand Locale parser to support three-character language codes + * [6018](https://github.com/NuGet/NuGet.Client/pull/6018) Update _WalkEachTargetPerFramework to walk TFMs in parallel +* [ToddGrun](https://github.com/NuGet/NuGet.Client/pull/6098) + * [6098](https://github.com/NuGet/NuGet.Client/pull/6098) Modify ContentItemCollection.PopulateItemGroups to use pooling for highly allocated temporary data structures + * [5930](https://github.com/NuGet/NuGet.Client/pull/5930) Attempt to move several data structures to be immutable +* [mthalman](https://github.com/NuGet/NuGet.Client/pull/6212) + * [6212](https://github.com/NuGet/NuGet.Client/pull/6212) Fix formatting in GraphOperations +* [kasperk81](https://github.com/NuGet/NuGet.Client/pull/6072) + * [6072](https://github.com/NuGet/NuGet.Client/pull/6072) add SpecialFolder.UserProfile fallback +* [MichaelSimons](https://github.com/NuGet/NuGet.Client/pull/6102) + * [6102](https://github.com/NuGet/NuGet.Client/pull/6102) Update source-build team references +* [akoeplinger](https://github.com/NuGet/NuGet.Client/pull/6025) + * [6025](https://github.com/NuGet/NuGet.Client/pull/6025) Fix typo in EnhancedHttpRetryHelper.cs +* [jimmylewis](https://github.com/NuGet/NuGet.Client/pull/6027) + * [6027](https://github.com/NuGet/NuGet.Client/pull/6027) Refactor calls to EnsureVisualStudioHost() to a base [TestInitialize] method + diff --git a/docs/release-notes/NuGet-6.14.md b/docs/release-notes/NuGet-6.14.md new file mode 100644 index 000000000..d14104ce5 --- /dev/null +++ b/docs/release-notes/NuGet-6.14.md @@ -0,0 +1,131 @@ +--- +title: NuGet 6.14 Release Notes +description: Release notes for NuGet 6.14 including new features, bug fixes, and DCRs. +author: zivkan +ms.date: 5/6/2025 +ms.topic: release-notes +--- + +# NuGet 6.14 Release Notes + +NuGet distribution vehicles: + +| NuGet version | Available in Visual Studio version | Available in .NET SDK(s) | +|:---|:---|:---| +| [**6.14.0**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.14.0](https://visualstudio.microsoft.com/downloads/) | [9.0.300](https://dotnet.microsoft.com/download/dotnet/9.0)1 | + +1 Installed with Visual Studio 2022 with any .NET workload + +## Summary: What's New in 6.14.0 + +* (preview feature) NuGet onboards to Unified Settings and create General page - [#14040](https://github.com/NuGet/Home/issues/14040) + +* Support for new `slnx` solution format - [#14034](https://github.com/NuGet/Home/issues/14034) + +* dotnet-nuget-push now supports --config-file - [#4879](https://github.com/NuGet/Home/issues/4879) + +* `dotnet list package --vulnerable` should support auditSources - [#13767](https://github.com/NuGet/Home/issues/13767) + +* [DCR]: Focus shifts from Output window to Error List after every package operation, even with no error or warnings - [#11728](https://github.com/NuGet/Home/issues/11728) + +### Issues fixed in this release + +* Event tracing in new dependency resolver - [#14134](https://github.com/NuGet/Home/issues/14134) + +* Support for new slnx format in static graph-based restore - [#14086](https://github.com/NuGet/Home/issues/14086) + +* Add Net90 to FrameworkConstants.CommonFrameworks - [#14067](https://github.com/NuGet/Home/issues/14067) + +* Don't show usage help when dotnet cli command throws unhandled exception - [#14200](https://github.com/NuGet/Home/issues/14200) + +* Multiple callers check for NuGet entries before calling Error List `BringToFrontIfSettingsPermitAsync` - [#14163](https://github.com/NuGet/Home/issues/14163) + +* NuGetAudit should report transitive packages with vulnerabilities when targeting .NET 10 or higher - [#14161](https://github.com/NuGet/Home/issues/14161) + +* Update README preview to render with same font size as Visual Studio - [#14112](https://github.com/NuGet/Home/issues/14112) + +* NU5100 (AssemblyOutsideLibWarning): Why build is allowed but buildTransitive is not? - [#14080](https://github.com/NuGet/Home/issues/14080) + +* Can't copy the text from NuGet package manager gold bar - [#14074](https://github.com/NuGet/Home/issues/14074) + +* NuGet 6.13.2.1 does no longer support prerelease versions - [#14219](https://github.com/NuGet/Home/issues/14219) + +* Badly specified framework leads to an uninformative error - [#14216](https://github.com/NuGet/Home/issues/14216) + +* Restore should fail more quickly when using http sources - [#14210](https://github.com/NuGet/Home/issues/14210) + +* README spins indefinitely if the Readme URI does not result in a readme - [#14201](https://github.com/NuGet/Home/issues/14201) + +* Error in Visual Studio if Path contains directory you do not have permission to view - [#14192](https://github.com/NuGet/Home/issues/14192) + +* list package doesn't work with a solution argument in 9.0.201 - [#14177](https://github.com/NuGet/Home/issues/14177) + +* Focus shifts from Output window to Error List after Clear NuGet Locals command - [#14157](https://github.com/NuGet/Home/issues/14157) + +* NuGet adding a bunch of generally unuseful information to VS activity log - [#14153](https://github.com/NuGet/Home/issues/14153) + +* NuGet authentication plug-in discovery fails when environment variable has trailing semicolon - [#14144](https://github.com/NuGet/Home/issues/14144) + +* nuget.exe fails to find Microsoft.VisualStudio.SolutionPersistence.dll - [#14136](https://github.com/NuGet/Home/issues/14136) + +* NuGet restore writes dgspec too frequently - [#14135](https://github.com/NuGet/Home/issues/14135) + +* dotnet list package does not display resolved versions when AuditSources are used - [#14116](https://github.com/NuGet/Home/issues/14116) + +* The REAMDE tab always shows “Loading README” for the latest version of the package in the detail panel of PM UI - [#14098](https://github.com/NuGet/Home/issues/14098) + +* [Bug Bash] The second time clicking ‘Installed’ tab for a remote source which doesn’t allow for downloading a README shows the README tab - [#14097](https://github.com/NuGet/Home/issues/14097) + +* HttpFileSystemBasedFindPackageByIdResource.ConsumeFlatContainerIndexAsync allocates significantly more than necessary - [#14095](https://github.com/NuGet/Home/issues/14095) + +* UnresolvedMessages.GetMessageAsync is allocating more heavily than necessary - [#14094](https://github.com/NuGet/Home/issues/14094) + +* New dependency resolver does not properly detect a cycle with a transitive dependency with the same name as the root project - [#14052](https://github.com/NuGet/Home/issues/14052) + +* dotnet nuget why does not give an error if only a project path was specified - [#14030](https://github.com/NuGet/Home/issues/14030) + +* Cleanup ServiceProviderExtensions, remove GetFreeThreadedServiceAsync - [#14007](https://github.com/NuGet/Home/issues/14007) + +* Value cannot be null. Parameter name: versionRange when opening the PM UI - [#13933](https://github.com/NuGet/Home/issues/13933) + +* Reenable new algorithm resolution with lock files with .NET 10 SDK - [#13800](https://github.com/NuGet/Home/issues/13800) + +* Report the path when unable to read corrupted .nupkg.metadata - [#13763](https://github.com/NuGet/Home/issues/13763) + +* [Bug Bash] The vulnerability InfoBar disappears in the Solution Explorer window after restoring packages for .NET SDK based project - [#13318](https://github.com/NuGet/Home/issues/13318) + +* Use System.Text.Json to read the cache file in CacheFileFormat - [#13059](https://github.com/NuGet/Home/issues/13059) + +* [Bug]: dotnet nuget push symbols not working as expected - [#11871](https://github.com/NuGet/Home/issues/11871) + +* nuget.exe restore fails when MSBuildPath ends with a slash - [#8634](https://github.com/NuGet/Home/issues/8634) + +* nuget.exe -msbuildpath c:\foo\msbuild.exe gives bad error experience - [#4195](https://github.com/NuGet/Home/issues/4195) + +* Address comments in `Implement Support for NuGet Authentication Plugins as .NET Tools` PR - [#13975](https://github.com/NuGet/Home/issues/13975) + +[List of commits in this release](https://github.com/NuGet/NuGet.Client/compare/6.13.2.1...6.14.0.116) + +### Community contributions + +Thank you to all the contributors who helped make this NuGet release awesome! + +* [ViktorHofer](https://github.com/NuGet/NuGet.Client/pull/6309) + * [6309](https://github.com/NuGet/NuGet.Client/pull/6309) Define MicrosoftVisualStudioSolutionPersistenceVersion property + * [6292](https://github.com/NuGet/NuGet.Client/pull/6292) Upgrade ProtectedData version when building source-only + * [6270](https://github.com/NuGet/NuGet.Client/pull/6270) Update dependencies and remove unused runtime dependencies + * [6261](https://github.com/NuGet/NuGet.Client/pull/6261) React to NuGet package pruning warnings +* [jkoritzinsky](https://github.com/NuGet/NuGet.Client/pull/6306) + * [6306](https://github.com/NuGet/NuGet.Client/pull/6306) Don't publish RID-agnostic nuget packages when we only want RID-specific artifacts + * [6233](https://github.com/NuGet/NuGet.Client/pull/6233) Use the documented Artifact extension point to add artifacts +* [ToddGrun](https://github.com/NuGet/NuGet.Client/pull/6294) + * [6294](https://github.com/NuGet/NuGet.Client/pull/6294) Reduce activity log output from VsSolutionRestoreService.NominateProjectAsync + * [6264](https://github.com/NuGet/NuGet.Client/pull/6264) Reduce allocations under UnresolvedMessages.GetMessageAsync +* [AlexDelepine](https://github.com/NuGet/NuGet.Client/pull/6338) + * [6338](https://github.com/NuGet/NuGet.Client/pull/6338) Update ngen Priorities for VS +* [mmitche](https://github.com/NuGet/NuGet.Client/pull/6305) + * [6305](https://github.com/NuGet/NuGet.Client/pull/6305) Set build number to arcade build revision for VMR builds +* [premun](https://github.com/NuGet/NuGet.Client/pull/6251) + * [6251](https://github.com/NuGet/NuGet.Client/pull/6251) Remove extra spaces in Publishing.props +* [baronfel](https://github.com/NuGet/NuGet.Client/pull/6219) + * [6219](https://github.com/NuGet/NuGet.Client/pull/6219) Use new serializer library to parse solution files diff --git a/docs/release-notes/NuGet-6.2.md b/docs/release-notes/NuGet-6.2.md index 68b06b1ab..dc09706ea 100644 --- a/docs/release-notes/NuGet-6.2.md +++ b/docs/release-notes/NuGet-6.2.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 6.2 including new features, bug fixes, and author: martinrrm ms.author: mruizmares ms.date: 5/9/2022 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 6.2 Release Notes @@ -16,9 +16,17 @@ NuGet distribution vehicles: | [**6.2.0**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.2](https://visualstudio.microsoft.com/downloads/) | [6.0.300](https://dotnet.microsoft.com/download/dotnet-core/6.0)1 | | [**6.2.1**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.2.4](https://visualstudio.microsoft.com/downloads/) | [6.0.301](https://dotnet.microsoft.com/download/dotnet-core/6.0)1 | | [**6.2.2**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.2](https://visualstudio.microsoft.com/downloads/) | [6.0.305](https://dotnet.microsoft.com/download/dotnet-core/6.0)1 | +| [**6.2.4**](https://nuget.org/downloads) | N/A | [6.0.313](https://dotnet.microsoft.com/download/dotnet-core/6.0)1 | 1 Installed with Visual Studio 2022 with .NET Core workload +## Summary: What's New in 6.2.4 + +* [Security]: Microsoft Security Advisory CVE-2023-29337 | NuGet Client Remote Code Execution Vulnerability - [#12653](https://github.com/NuGet/Home/issues/12653) + +> [!NOTE] +> There is a behavior breaking change on Linux. The temp folder location, where NuGet stores temporary files during its various operations, has changed from `/tmp/NuGetScratch` to `/tmp/NuGetScratch`. E.g. for user User1, the temp folder will be `/tmp/NuGetScratchUser1`. + ## Summary: What's New in 6.2.2 * [Security]: Microsoft Security Advisory CVE 2022-41032 | .NET Elevation of Privilege Vulnerability - [#12149](https://github.com/NuGet/Home/issues/12149) diff --git a/docs/release-notes/NuGet-6.3.md b/docs/release-notes/NuGet-6.3.md index 0f0f80c95..8e9b5fb30 100644 --- a/docs/release-notes/NuGet-6.3.md +++ b/docs/release-notes/NuGet-6.3.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 6.3 including new features, bug fixes, and author: martinrrm ms.author: mruizmares ms.date: 8/2/2022 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 6.3 Release Notes @@ -13,11 +13,24 @@ NuGet distribution vehicles: | NuGet version | Available in Visual Studio version | Available in .NET SDK(s) | |:---|:---|:---| -| [**6.3**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.3](https://visualstudio.microsoft.com/downloads/) | [6.0.400](https://dotnet.microsoft.com/download/dotnet-core/)1 | -| [**6.3.1**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.3](https://visualstudio.microsoft.com/downloads/) | [6.0.402](https://dotnet.microsoft.com/download/dotnet-core/)1 | +| [**6.3**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.3](https://visualstudio.microsoft.com/downloads/) | [6.0.400](https://dotnet.microsoft.com/download/dotnet-core/6.0)1 | +| [**6.3.1**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.3](https://visualstudio.microsoft.com/downloads/) | [6.0.402](https://dotnet.microsoft.com/download/dotnet-core/6.0)1 | +| [**6.3.3**](https://nuget.org/downloads) | N/A | [6.0.410](https://dotnet.microsoft.com/download/dotnet-core/6.0)1 | +| [**6.3.4**](https://nuget.org/downloads) | N/A | [6.0.419](https://dotnet.microsoft.com/download/dotnet-core/6.0)1 | 1 Installed with Visual Studio 17.3 with.NET Core workload +## Summary: What's New in 6.3.4 + +* [Security]: Microsoft Security Advisory CVE-2024-0057 | NuGet Client Security Feature bypass Vulnerability - [#12653](https://github.com/NuGet/Home/issues/13241) + +## Summary: What's New in 6.3.3 + +* [Security]: Microsoft Security Advisory CVE-2023-29337 | NuGet Client Remote Code Execution Vulnerability - [#12653](https://github.com/NuGet/Home/issues/12653) + +> [!NOTE] +> There is a behavior breaking change on Linux. The temp folder location, where NuGet stores temporary files during its various operations, has changed from `/tmp/NuGetScratch` to `/tmp/NuGetScratch`. E.g. for user User1, the temp folder will be `/tmp/NuGetScratchUser1`. + ## Summary: What's New in 6.3.1 * [Security]: Microsoft Security Advisory CVE-2022-41032 | .NET Elevation of Privilege Vulnerability - [#12149](https://github.com/NuGet/Home/issues/12149) @@ -114,4 +127,4 @@ NuGet distribution vehicles: * Transitive lock files (with wildcard) result in NU1004 - [#8465](https://github.com/NuGet/Home/issues/8465) -* Enhance the experimentation infrastructure in NuGet code to support transitive dependencies - [#10758](https://github.com/NuGet/Home/issues/10758) \ No newline at end of file +* Enhance the experimentation infrastructure in NuGet code to support transitive dependencies - [#10758](https://github.com/NuGet/Home/issues/10758) diff --git a/docs/release-notes/NuGet-6.4.md b/docs/release-notes/NuGet-6.4.md index 509f0b954..ffbcdc7d9 100644 --- a/docs/release-notes/NuGet-6.4.md +++ b/docs/release-notes/NuGet-6.4.md @@ -4,7 +4,7 @@ description: Release notes for NuGet 6.4 including new features, bug fixes, and author: jebriede ms.author: jebriede ms.date: 10/27/2022 -ms.topic: conceptual +ms.topic: release-notes --- # NuGet 6.4 Release Notes @@ -14,9 +14,22 @@ NuGet distribution vehicles: | NuGet version | Available in Visual Studio version | Available in .NET SDK(s) | |:---|:---|:---| | [**6.4**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.4](https://visualstudio.microsoft.com/downloads/) | [7.0.100](https://dotnet.microsoft.com/download/dotnet-core/7.0)1 | +| [**6.4.2**](https://nuget.org/downloads) | N/A | [7.0.107](https://dotnet.microsoft.com/download/dotnet-core/7.0)1 | +| [**6.4.3**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.4](https://visualstudio.microsoft.com/downloads/) | [7.0.116](https://dotnet.microsoft.com/download/dotnet-core/7.0)1 | 1 Installed with Visual Studio 17.4 with .NET Core workload +## Summary: What's New in 6.4.3 + +* [Security]: Microsoft Security Advisory CVE-2024-0057 | NuGet Client Security Feature bypass Vulnerability - [#12653](https://github.com/NuGet/Home/issues/13241) + +## Summary: What's New in 6.4.2 + +* [Security]: Microsoft Security Advisory CVE-2023-29337 | NuGet Client Remote Code Execution Vulnerability - [#12653](https://github.com/NuGet/Home/issues/12653) + +> [!NOTE] +> There is a behavior breaking change on Linux. The temp folder location, where NuGet stores temporary files during its various operations, has changed from `/tmp/NuGetScratch` to `/tmp/NuGetScratch`. E.g. for user User1, the temp folder will be `/tmp/NuGetScratchUser1`. + ## Summary: What's New in 6.4 * Central package management is considered production ready and the preview message has been removed - [#11950](https://github.com/NuGet/Home/issues/11950) diff --git a/docs/release-notes/NuGet-6.5.md b/docs/release-notes/NuGet-6.5.md new file mode 100644 index 000000000..8ee257234 --- /dev/null +++ b/docs/release-notes/NuGet-6.5.md @@ -0,0 +1,127 @@ +--- +title: NuGet 6.5 Release Notes +description: Release notes for NuGet 6.5 including new features, bug fixes, and DCRs. +author: martinrrm +ms.author: mruizmares +ms.date: 2/21/2023 +ms.topic: release-notes +--- + +# NuGet 6.5 Release Notes + +NuGet distribution vehicles: + +| NuGet version | Available in Visual Studio version | Available in .NET SDK(s) | +|:---|:---|:---| +| [**6.5**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.5](https://visualstudio.microsoft.com/downloads/) | [7.0.200](https://dotnet.microsoft.com/download/dotnet-core/7.0)1 | +| [**6.5.1**](https://nuget.org/downloads) | N/A | N/A 1 | + +1 Installed with Visual Studio 2022 with.NET Core workload + +## Summary: What's New in 6.5.1 + +* [Security]: Microsoft Security Advisory CVE-2023-29337 | NuGet Client Remote Code Execution Vulnerability - [#12653](https://github.com/NuGet/Home/issues/12653) + +> [!NOTE] +> There is a behavior breaking change on Linux. The temp folder location, where NuGet stores temporary files during its various operations, has changed from `/tmp/NuGetScratch` to `/tmp/NuGetScratch`. E.g. for user User1, the temp folder will be `/tmp/NuGetScratchUser1`. + +## Summary: What's New in 6.5 + +* Manage packages in the Directory.Packages.props file for CPM projects - [#11890](https://github.com/NuGet/Home/issues/11890) + +* Package Source Mapping UI - Allow the Creation/Removal of package source mappings in the NuGet Options UI - [#11363](https://github.com/NuGet/Home/issues/11363) + +* Package Source Mapping UI - List Package Source Mappings in the NuGet Options UI - [#11362](https://github.com/NuGet/Home/issues/11362) + +* Observe Retry-After delay on HTTP request retry - [#10558](https://github.com/NuGet/Home/issues/10558) + +* Machine readable output for dotnet list package - [#7752](https://github.com/NuGet/Home/issues/7752) + +* Honor WarningsNotAsErrors - [#5375](https://github.com/NuGet/Home/issues/5375) + +* Reload Visual Studio package sources when nuget.config is modified manually - [#1538](https://github.com/NuGet/Home/issues/1538) + +* Restore dependencies for projects listed in a solution filter (.slnf) file - [#10809](https://github.com/NuGet/Home/issues/10809) + +### Issues fixed in this release + +**DCRs:** + +* During MSBuild project SDK resolution, always log errors in the case of failure - [#12312](https://github.com/NuGet/Home/issues/12312) + +* Environment variable `NUGET_CLI_LANGUAGE` to control language of nuget.exe command output - [#12181](https://github.com/NuGet/Home/issues/12181) + +* Make it obvious when a warning is elevated to an error - [#8803](https://github.com/NuGet/Home/issues/8803) + +* Show error when using nuget.exe to pack SDK csproj - [#7778](https://github.com/NuGet/Home/issues/7778) + +**Bugs:** + +* Output version option only applicable for format json option in dotnet list package - [#12293](https://github.com/NuGet/Home/issues/12293) + +* NuGet transitive pinning changes g.props import order, breaking the build - [#12278](https://github.com/NuGet/Home/issues/12278) + +* PrivateAssets for central transitive dependencies should flow regardless whether the parent is a project or a package - [#12276](https://github.com/NuGet/Home/issues/12276) + +* Include flags flow incorrectly to transitively pinned centrally managed dependencies - [#12274](https://github.com/NuGet/Home/issues/12274) + +* Possible race condition in ConfigurationDefaults.Instance.DefaultPackageSources - [#12246](https://github.com/NuGet/Home/issues/12246) + +* NuGet doesn't retry on HTTP 429 responses - [#12214](https://github.com/NuGet/Home/issues/12214) + +* Simplification of Linq Any method for performance improvement - [#12193](https://github.com/NuGet/Home/issues/12193) + +* StackOverflowException in InstallPackagesFromVSExtensionRepository - [#12192](https://github.com/NuGet/Home/issues/12192) + +* Versions_SelectionChanged throws NullReferenceException when changing selected package - [#12184](https://github.com/NuGet/Home/issues/12184) + +* Static graph-based restore fails with a NullReferenceException during SetPlatform negotiation - [#12177](https://github.com/NuGet/Home/issues/12177) + +* Reduce memory allocation while creating empty InnerNodes and ParentNodes for a new GraphNode during restore - [#12157](https://github.com/NuGet/Home/issues/12157) + +* SettingsLoadingContext throws exceptions when a different settings file causes an exception - [#12154](https://github.com/NuGet/Home/issues/12154) + +* Bad NuGet.config causes NuGet-based MSBuild SDK resolver to throw an unhandled exception - [#12152](https://github.com/NuGet/Home/issues/12152) + +* Watermark TextBox font color is incorrect in Add Dialog of Package Source Mapping Options - [#12141](https://github.com/NuGet/Home/issues/12141) + +* VS2022 17.1.2: Dependency between .NET Standard 2.0 and .NET 4.7.1 throws NuGet error System.Memory, Version=4.0.1.1 not found - [#12137](https://github.com/NuGet/Home/issues/12137) + +* Breaking change in .NET 8 - Environment.GetFolderPath returns incorrect path on Unix - [#12127](https://github.com/NuGet/Home/issues/12127) + +* nuget.exe strings from NuGet.Commands are not localized - [#12097](https://github.com/NuGet/Home/issues/12097) + +* Process argument string is too long when publishing in Visual Studio with static graph enabled - [#11968](https://github.com/NuGet/Home/issues/11968) + +* Provide solution for NuGet Error NU1012 - the pack error does not call out the problem files - [#11905](https://github.com/NuGet/Home/issues/11905) + +* Some CLI commands don't respect DOTNET_CLI_UI_LANGUAGE - [#11326](https://github.com/NuGet/Home/issues/11326) + +* Reduce UI thread switching when determining solution folder and if solution is open - [#11090](https://github.com/NuGet/Home/issues/11090) + +* Issue saving settings in Visual Studio - adding a source throws an exception - [#8407](https://github.com/NuGet/Home/issues/8407) + +* PackageDependencyGroup does not implement Equals correctly - [#6478](https://github.com/NuGet/Home/issues/6478) + +[List of commits in this release](https://github.com/NuGet/NuGet.Client/compare/6.5.0.154...6.4.1.21) + +### Community contributions + +Thank you to all the contributors who helped make this NuGet release awesome! + +* [Forgind](https://github.com/Forgind) + * [4970](https://github.com/NuGet/NuGet.Client/pull/4970) Have SDK resolver always log an error when SDK resolution in unsuccessful +* [marcin-krystianc](https://github.com/marcin-krystianc) + * [4952](https://github.com/NuGet/NuGet.Client/pull/4952) PrivateAssets for central transitive dependencies should flow regardless whether the parent node is a project or a package +* [marcin-krystianc](https://github.com/marcin-krystianc) + * [4950](https://github.com/NuGet/NuGet.Client/pull/4950) Fix include flags calculation for transitively pinned centrally managed dependencies +* [drewnoakes](https://github.com/drewnoakes) + * [4891](https://github.com/NuGet/NuGet.Client/pull/4891) Display documents from packages in the dependencies tree +* [kvpt](https://github.com/kvpt) + * [4790](https://github.com/NuGet/NuGet.Client/pull/4790) Add support for restoring slnf file from command line +* [AtariDreams](https://github.com/AtariDreams) + * [4863](https://github.com/NuGet/NuGet.Client/pull/4863) Simplification of Linq Any method +* [davidegiacometti](https://github.com/davidegiacometti) + * [4840](https://github.com/NuGet/NuGet.Client/pull/4840) Refactor PackageDependencyGroup Equals and GetHashCode +* [danjagnow](https://github.com/danjagnow) + * [4843](https://github.com/NuGet/NuGet.Client/pull/4843) Updated NU1012 error message to display item paths diff --git a/docs/release-notes/NuGet-6.6.md b/docs/release-notes/NuGet-6.6.md new file mode 100644 index 000000000..29eb769cf --- /dev/null +++ b/docs/release-notes/NuGet-6.6.md @@ -0,0 +1,87 @@ +--- +title: NuGet 6.6 Release Notes +description: Release notes for NuGet 6.6 including new features, bug fixes, and DCRs. +author: donnie-msft +ms.author: eagoodso +ms.date: 5/1/2023 +ms.topic: release-notes +--- + +# NuGet 6.6 Release Notes + +NuGet distribution vehicles: + +| NuGet version | Available in Visual Studio version | Available in .NET SDK(s) | +|:---|:---|:---| +| [**6.6**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.6](https://visualstudio.microsoft.com/downloads/) | [7.0.300](https://dotnet.microsoft.com/download/dotnet-core/7.0)1 | +| [**6.6.1**](https://nuget.org/downloads) | N/A | [7.0.304](https://dotnet.microsoft.com/download/dotnet-core/7.0)1 | +| [**6.6.2**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.6](https://visualstudio.microsoft.com/downloads/) | [7.0.313](https://dotnet.microsoft.com/download/dotnet-core/7.0)1 | + +1 Installed with Visual Studio 2022 with .NET Core workload + +## Summary: What's New in 6.6.2 + +* [Security]: Microsoft Security Advisory CVE-2024-0057 | NuGet Client Security Feature bypass Vulnerability - [#12653](https://github.com/NuGet/Home/issues/13241) + +## Summary: What's New in 6.6.1 + +* [Security]: Microsoft Security Advisory CVE-2023-29337 | NuGet Client Remote Code Execution Vulnerability - [#12653](https://github.com/NuGet/Home/issues/12653) + +> [!NOTE] +> There is a behavior breaking change on Linux. The temp folder location, where NuGet stores temporary files during its various operations, has changed from `/tmp/NuGetScratch` to `/tmp/NuGetScratch`. E.g. for user User1, the temp folder will be `/tmp/NuGetScratchUser1`. + +## Summary: What's New in 6.6 + +* [Epic]: Central Package Management improvements for 17.6 - [#12413](https://github.com/NuGet/Home/issues/12413) + +### Issues fixed in this release + +**DCRs:** + +* Static graph-based restore should always log an error on failure - [#12372](https://github.com/NuGet/Home/issues/12372) + +**Bugs:** + +* Set CentralPackageVersionOverrideEnabled=false in project with CPM broke project restore - [#12500](https://github.com/NuGet/Home/issues/12500) + +* Static graph-based restore crashes on systems with alternate console encodings - [#12373](https://github.com/NuGet/Home/issues/12373) + +* GlobalPackageReference is not working for legacy-style csproj projects - [#12368](https://github.com/NuGet/Home/issues/12368) + +* WebSite projects opened from IIS fail to install packages - [#12337](https://github.com/NuGet/Home/issues/12337) + +* StackOverflow in SemanticVersion.ToString - [#12330](https://github.com/NuGet/Home/issues/12330) + +* Static graph restore failure when referencing unrestorable project - [#12322](https://github.com/NuGet/Home/issues/12322) + +* CPM opt in detection in VS and commandline is different - [#12285](https://github.com/NuGet/Home/issues/12285) + +* PrivateAssets flow incorrectly to transitively pinned centrally managed dependencies - [#12270](https://github.com/NuGet/Home/issues/12270) + +* Performance regression of NuGet restores in the sdk v7.0.100 due to calculation of "CentralTransitiveDependencyGroups" - [#12269](https://github.com/NuGet/Home/issues/12269) + +* [Bug]: `NuGet.VisualStudio` depends on package not existing on NuGet.org - [#12164](https://github.com/NuGet/Home/issues/12164) + +* [Bug]: Custom kernel breaks nuget - [#11995](https://github.com/NuGet/Home/issues/11995) + +* PackageSource: returns possibly incorrect hash code - [#10276](https://github.com/NuGet/Home/issues/10276) + +[List of commits in this release](https://github.com/NuGet/NuGet.Client/compare/6.6.0.61...6.5.0.160) + +### Community contributions + +Thank you to all the contributors who helped make this NuGet release awesome! + +* [kant2002](https://github.com/kant2002) + * [5103](https://github.com/NuGet/NuGet.Client/pull/5103) Fix project restore when CentralPackageVersionOverrideEnabled=false +* [atamagaii](https://github.com/atamagaii) + * [5078](https://github.com/NuGet/NuGet.Client/pull/5078) Changed english resource MsbuildPathNotExist to correctly describe th… +* [pombredanne](https://github.com/pombredanne) + * [5083](https://github.com/NuGet/NuGet.Client/pull/5083) Fix minor typo +* [NikolaMilosavljevic](https://github.com/NikolaMilosavljevic) + * [5091](https://github.com/NuGet/NuGet.Client/pull/5091) Trim away netframework targets in source-build +* [uweigand](https://github.com/uweigand) + * [5046](https://github.com/NuGet/NuGet.Client/pull/5046) Limit concurrent connections via NUGET_CONCURRENCY_LIMIT +* [marcin-krystianc](https://github.com/marcin-krystianc) + * [4954](https://github.com/NuGet/NuGet.Client/pull/4954) Improved performance of calculation of PrivateAssets for transitively pinned centrally managed dependencies + * [4953](https://github.com/NuGet/NuGet.Client/pull/4953) Effective PrivateAssets of centrally managed transitive dependencies should be an intersection of parent dependencies diff --git a/docs/release-notes/NuGet-6.7.md b/docs/release-notes/NuGet-6.7.md new file mode 100644 index 000000000..ac9bbe4db --- /dev/null +++ b/docs/release-notes/NuGet-6.7.md @@ -0,0 +1,166 @@ +--- +title: NuGet 6.7 Release Notes +description: Release notes for NuGet 6.7 including new features, bug fixes, and DCRs. +author: jeffkl +ms.author: jeffkl +ms.date: 7/31/2023 +ms.topic: release-notes +--- + +# NuGet 6.7 Release Notes + +NuGet distribution vehicles: + +| NuGet version | Available in Visual Studio version | Available in .NET SDK(s) | +|:---|:---|:---| +| [**6.7**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.7](https://visualstudio.microsoft.com/downloads/) | [7.0.400](https://dotnet.microsoft.com/download/dotnet-core/7.0)1 | +| [**6.7.1**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.7](https://visualstudio.microsoft.com/downloads/) | [7.0.406](https://dotnet.microsoft.com/download/dotnet-core/7.0)1 | + +1 Installed with Visual Studio 2022 with.NET Core workload + +## Summary: What's New in 6.7.1 + +* [Security]: Microsoft Security Advisory CVE-2024-0057 | NuGet Client Security Feature bypass Vulnerability - [#12653](https://github.com/NuGet/Home/issues/13241) + +## Summary: What's New in 6.7 + +* Package Source Mapping status for selected package in Details Pane - [#12586](https://github.com/NuGet/Home/issues/12586) + +* Add VulnerabilityInfo APIs into NuGet.Protocol - [#12518](https://github.com/NuGet/Home/issues/12518) + +* Signing: raise actionable message on Linux if verification results in untrusted failure - [#12459](https://github.com/NuGet/Home/issues/12459) + +* [Feature]: Show which package versions are vulnerable in the VS PMUI package details pane version dropdown - [#11127](https://github.com/NuGet/Home/issues/11127) + +### Issues fixed in this release + +**DCRs:** + +* There are no visual indicators for the Package Source Mapping status in details pane - [#12609](https://github.com/NuGet/Home/issues/12609) + +* VS Options shortcut from PMUI for PackageSourceMappings doesn't scroll to or select the Package - [#12608](https://github.com/NuGet/Home/issues/12608) + +* Install/Update buttons are enabled in Details Pane when the PackageSourceMapping is not found - [#12607](https://github.com/NuGet/Home/issues/12607) + +* Add nullable annotations to NuGet.Frameworks - [#12570](https://github.com/NuGet/Home/issues/12570) + +* NuGet should use a different property for the platform version for C++/CLI - [#12521](https://github.com/NuGet/Home/issues/12521) + +* NuGet should use HttpClientHandler.PreAuthentication to reduce HTTP 401's - [#12514](https://github.com/NuGet/Home/issues/12514) + +**Bugs:** + +* Create SingleFileProvider and use it for content files - [#12706](https://github.com/NuGet/Home/issues/12706) + +* Restore task dumps stack because TaskCanceledException should be OperationCanceledException - [#12700](https://github.com/NuGet/Home/issues/12700) + +* Improve nuget.exe restore error message when passing file globs - [#12691](https://github.com/NuGet/Home/issues/12691) + +* NuGet: LockFileUtils.GetLockFileItems boxing enumerator - [#12684](https://github.com/NuGet/Home/issues/12684) + +* Preview Window needs some strings reworded and margins adjusted - [#12681](https://github.com/NuGet/Home/issues/12681) + +* PackageSpecificWarningProperties classes do redundant collection lookups - [#12678](https://github.com/NuGet/Home/issues/12678) + +* Specify SelectionCriteria list capacity correctly - [#12667](https://github.com/NuGet/Home/issues/12667) + +* Avoid value lookup in foreach loop over dictionary's keys - [#12666](https://github.com/NuGet/Home/issues/12666) + +* NuGet: VersionRangeFormatter.GetNormalizedString bypassing StringBuilderCache via use of string.format - [#12664](https://github.com/NuGet/Home/issues/12664) + +* NuGet: LockFileFormat.ReadTargetLibrary using string.split on a simple pattern - [#12663](https://github.com/NuGet/Home/issues/12663) + +* Performance: Don't allocate as many Task instances - [#12659](https://github.com/NuGet/Home/issues/12659) + +* Replace unreliable assembly location code with reliable one - [#12650](https://github.com/NuGet/Home/issues/12650) + +* PackageSpec should use an empty RuntimeGraph instead of a new one - [#12649](https://github.com/NuGet/Home/issues/12649) + +* TargetFrameworkInformation.Clone calls ToDictionary on a type that is already a dictionary, TargetFrameworkInformation.Clone resizes a dictionary it already knows the destination size - [#12648](https://github.com/NuGet/Home/issues/12648) + +* PackageSpecReferenceDependencyProvider.GetLibrary unnecessarily resizes a List<T> that it doesn't even need - [#12647](https://github.com/NuGet/Home/issues/12647) + +* ResolverUtility.FindLibraryCachedAsync should use a struct as lookup - [#12646](https://github.com/NuGet/Home/issues/12646) + +* ContentItemCollection.PopulateItemGroups unnecessarily causing resizes of List<T>, ContentItemCollection.PopulateItemGroups boxing List<T>.Enumerator - [#12645](https://github.com/NuGet/Home/issues/12645) + +* PackageSpec.Clone and LibraryDependency.Clone overwrite collections created by their constructors. - [#12642](https://github.com/NuGet/Home/issues/12642) + +* RestoreOperationLogger.ReportProgressAsync repeatedly requests UI thread time - [#12640](https://github.com/NuGet/Home/issues/12640) + +* Avoid repeated Enum.ToString() in PackageSpecWriter.SetDependencies - [#12638](https://github.com/NuGet/Home/issues/12638) + +* ETW events should use default '/' instead of '_' - [#12631](https://github.com/NuGet/Home/issues/12631) + +* Parsing NuGetVersion causes significant GC pressure - [#12630](https://github.com/NuGet/Home/issues/12630) + +* The vulnerable label doesn’t show in the “version” dropdown box of “Browse” tab when searching for vulnerable packages - [#12623](https://github.com/NuGet/Home/issues/12623) + +* nuget restore fails for solution filters not in same directory as the solution it references. - [#12562](https://github.com/NuGet/Home/issues/12562) + +* VersionRangeFormatter should use StringBuilderPool - [#12551](https://github.com/NuGet/Home/issues/12551) + +* Reduce allocations in VirtualFileInfo.Name - [#12550](https://github.com/NuGet/Home/issues/12550) + +* Reduce allocations when getting hash code of LibraryModel.LibraryRange - [#12549](https://github.com/NuGet/Home/issues/12549) + +* NuGet.Build.Tasks.Console should roll forward to newer runtimes - [#12528](https://github.com/NuGet/Home/issues/12528) + +* SourceRepository.GetResource throws if type is not an exact match - [#12455](https://github.com/NuGet/Home/issues/12455) + +* [Bug]: Disable the option to update version when using VersionOverride in CPM - [#12230](https://github.com/NuGet/Home/issues/12230) + +* [Bug]: dotnet nuget push not detecting apikey for 3rd party symbol server - [#11846](https://github.com/NuGet/Home/issues/11846) + +* X-NuGet-Warning doesn't work when using proxy due to missing ServerWarningLogHandler - [#5004](https://github.com/NuGet/Home/issues/5004) + +[List of commits in this release](https://github.com/NuGet/NuGet.Client/compare/6.7.0.127...6.6.1.2) + +### Community contributions + +Thank you to all the contributors who helped make this NuGet release awesome! + +* [danmoseley](https://github.com/danmoseley) + * [5276](https://github.com/NuGet/NuGet.Client/pull/5276) fix crash on cancel in Restore task +* [oleksandr-didyk](https://github.com/oleksandr-didyk) + * [5196](https://github.com/NuGet/NuGet.Client/pull/5196) add review comment to sb files +* [drewnoakes](https://github.com/drewnoakes) + * [5200](https://github.com/NuGet/NuGet.Client/pull/5200) Reduce allocations in ContentItemCollection +* [Erarndt](https://github.com/Erarndt) + * [5202](https://github.com/NuGet/NuGet.Client/pull/5202) Avoid allocations while parsing NuGetVersion from strings +* [jerhon](https://github.com/jerhon) + * [5197](https://github.com/NuGet/NuGet.Client/pull/5197) Fix issue with solution filters not restoring when in different folder than referenced solution +* [NikolaMilosavljevic](https://github.com/NikolaMilosavljevic) + * [5228](https://github.com/NuGet/NuGet.Client/pull/5228) Add System.Security.Cryptography.Xml dependency +* [DevPaulLiu](https://github.com/DevPaulLiu) + * [5206](https://github.com/NuGet/NuGet.Client/pull/5206) Use default '/' split symbol in ETW events. +* [drewnoakes](https://github.com/drewnoakes) + * [5201](https://github.com/NuGet/NuGet.Client/pull/5201) Reduce allocations in PackageSpecReferenceDependencyProvider +* [drewnoakes](https://github.com/drewnoakes) + * [5199](https://github.com/NuGet/NuGet.Client/pull/5199) Reduce allocations in TargetFrameworkInformation.Clone +* [Erarndt](https://github.com/Erarndt) + * [5217](https://github.com/NuGet/NuGet.Client/pull/5217) Ensure only one logging task is active at a time +* [Erarndt](https://github.com/Erarndt) + * [5219](https://github.com/NuGet/NuGet.Client/pull/5219) Update PackageSpec.Clone and LibraryDependency.Clone to avoid allocations +* [Erarndt](https://github.com/Erarndt) + * [5215](https://github.com/NuGet/NuGet.Client/pull/5215) Add AsString() for LibraryDependencyTarget and LibraryIncludeFlags +* [NikolaMilosavljevic](https://github.com/NikolaMilosavljevic) + * [5207](https://github.com/NuGet/NuGet.Client/pull/5207) Add dependencies for PVP flow +* [NikolaMilosavljevic](https://github.com/NikolaMilosavljevic) + * [5193](https://github.com/NuGet/NuGet.Client/pull/5193) Target net8.0 for source-build +* [mthalman](https://github.com/mthalman) + * [5180](https://github.com/NuGet/NuGet.Client/pull/5180) Exclude WPF projects from source-build +* [NikolaMilosavljevic](https://github.com/NikolaMilosavljevic) + * [5190](https://github.com/NuGet/NuGet.Client/pull/5190) Enable source-build pre-built detection +* [drewnoakes](https://github.com/drewnoakes) + * [5146](https://github.com/NuGet/NuGet.Client/pull/5146) Show diagnostic beneath unresolved package/project reference in Solution Explorer +* [0xced](https://github.com/0xced) + * [5021](https://github.com/NuGet/NuGet.Client/pull/5021) Log warnings from server also when using an http proxy (X-NuGet-Warning) +* [jwfx](https://github.com/jwfx) + * [5122](https://github.com/NuGet/NuGet.Client/pull/5122) Fall back to using API key also for pushing symbol packages if nothing else was specified as parameter or config +* [MichaelSimons](https://github.com/MichaelSimons) + * [5132](https://github.com/NuGet/NuGet.Client/pull/5132) Remove MinimalTargetFrameworksExeSigning from MinimalTargetFrameworksExeSigning in source-build +* [dfederm](https://github.com/dfederm) + * [5125](https://github.com/NuGet/NuGet.Client/pull/5125) Add RollForward to NuGet.Build.Tasks.Console +* [atamagaii](https://github.com/atamagaii) + * [5107](https://github.com/NuGet/NuGet.Client/pull/5107) Add missing RegistrationsBaseUrls to prevent exceptions when loading valid Service Indexes. diff --git a/docs/release-notes/NuGet-6.8.md b/docs/release-notes/NuGet-6.8.md new file mode 100644 index 000000000..bd351673e --- /dev/null +++ b/docs/release-notes/NuGet-6.8.md @@ -0,0 +1,179 @@ +--- +title: NuGet 6.8 Release Notes +description: Release notes for NuGet 6.8 including new features, bug fixes, and DCRs. +author: nkolev92 +ms.author: nikolev +ms.date: 10/30/2023 +ms.topic: release-notes +--- + +# NuGet 6.8 Release Notes + +NuGet distribution vehicles: + +| NuGet version | Available in Visual Studio version | Available in .NET SDK(s) | +|:---|:---|:---| +| [**6.8**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.8](https://visualstudio.microsoft.com/downloads/) | [8.0.100](https://dotnet.microsoft.com/download/dotnet/8.0)1 | +| [**6.8.1**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.8](https://visualstudio.microsoft.com/downloads/) | [8.0.102](https://dotnet.microsoft.com/download/dotnet/8.0)1 | + + +1 Installed with Visual Studio 2022 with any .NET workload + +## Summary: What's New in 6.8.1 + +* [Security]: Microsoft Security Advisory CVE-2024-0057 | NuGet Client Security Feature bypass Vulnerability - [#12653](https://github.com/NuGet/Home/issues/13241) + +## Summary: What's New in 6.8 + +* [NuGetAudit](../concepts/Auditing-Packages.md) - notifications for package vulnerabilities + * Warn when vulnerabilities are detected during PackageReference restore - [#12289](https://github.com/NuGet/Home/issues/12289) + * Show vulnerabilities in transitive packages for PackageReference type projects in PMUI - [#8756](https://github.com/NuGet/Home/issues/8756) + * Show an infobar in Solution Explorer for any detected security vulnerabilities in a project or solution - [#12398](https://github.com/NuGet/Home/issues/12398) + +* Add [`allowInsecureConnections`](../reference/nuget-config-file.md#packagesources) property for package sources in NuGet.config, allowing opt-out of "HTTPs everywhere" warnings - [#12786](https://github.com/NuGet/Home/issues/12786) + +* Create Package Source Mappings during Installation/update through PM UI - [#11366](https://github.com/NuGet/Home/issues/11366) + +* Conditional package updating is respected in Visual Studio [#5420](https://github.com/NuGet/NuGet.Client/pull/5420) + +* Add [protocolVersion argument](../reference/cli-reference/cli-ref-sources.md#options) to nuget source add - [#9170](https://github.com/NuGet/Home/issues/9170) + +* Signed package verification is [enabled by default on Linux in .NET 8 SDK](/dotnet/core/tools/nuget-signed-package-verification#linux) - [#11262](https://github.com/NuGet/Home/issues/11262) + +### Known issues + +* NuGetAuditMode doesn't work for SDK style projects in VS 17.8 - [#13003](https://github.com/NuGet/Home/issues/13003) + +### NuGet SDK breaking changes + +The following is a list of breaking changes in the NuGet SDK. If you are using NuGet tooling, such as Visual Studio or .NET SDK, you are not affected. + +* Remove the NuGetOperationType from NuGet.PackageManagement, use NuGetProjectActionType instead - [#12866](https://github.com/NuGet/Home/issues/12866) + +* Changing PackageVulnerabilityInfo severity from int to enum - [#12781](https://github.com/NuGet/Home/issues/12781) + +* Add nullable annotations to NuGet.Common - [#12775](https://github.com/NuGet/Home/issues/12775) + +* Obsolete Clone methods on immutable types - [#12669](https://github.com/NuGet/Home/issues/12669) + +### Issues fixed in this release + +* NuGetAudit should not warn when no vulnerability data is available - [#12875](https://github.com/NuGet/Home/issues/12875) + +* NuGetAudit: read vulnerability files with System.Text.Json - [#12855](https://github.com/NuGet/Home/issues/12855) + +* `PackageSourceMapping` API doesn't follow best practices for returning lists - [#12794](https://github.com/NuGet/Home/issues/12794) + +* Signing: enable `X509Chain.Build(...)` retry behavior by default - [#12592](https://github.com/NuGet/Home/issues/12592) + +* NuGetAudit should check direct PackageReferences by default - [#12590](https://github.com/NuGet/Home/issues/12590) + +* NuGetAudit should be on by default with the .NET 8 SDK - [#12568](https://github.com/NuGet/Home/issues/12568) + +* Remove "Checking compatibility..." log messages from RestoreTask - [#10383](https://github.com/NuGet/Home/issues/10383) + +* 16.10: remove package source 1.0 service. remove obsolete APIs (in nuget.configuration that we added in 16.8) - [#10015](https://github.com/NuGet/Home/issues/10015) + +* Add more logging to NuGetSdkResolver - [#11445](https://github.com/NuGet/Home/issues/11445) + +* Upgrade Newtonsoft.Json reference to 13.0.3 - [#12858](https://github.com/NuGet/Home/issues/12858) + +* Add an API for checking vulnerability during packages.config restore - [#12852](https://github.com/NuGet/Home/issues/12852) + +* VS Options add/remove package source icons aren't using VS2022 styling - [#12840](https://github.com/NuGet/Home/issues/12840) + +* Package Source Mapping utility always appends package ID - [#12839](https://github.com/NuGet/Home/issues/12839) + +* NuGetSdkResolver loads global.json multiple times during project load - [#12819](https://github.com/NuGet/Home/issues/12819) + +* dotnet list package doesn't list requested versions when using CPM - [#12765](https://github.com/NuGet/Home/issues/12765) + +* Fix case sensitivity of runtime dependency sets during merge - [#12757](https://github.com/NuGet/Home/issues/12757) + +* dotnet list package errors with Object reference not set to an instance of an object - [#12755](https://github.com/NuGet/Home/issues/12755) + +* Improve hashing and equality allocations/performance - [#12746](https://github.com/NuGet/Home/issues/12746) + +* NuGetAudit severity bugs - [#12743](https://github.com/NuGet/Home/issues/12743) + +* Lock contention thread pool issues caused by LoadSettings not passing settingsLoadingContext to LoadSettingsForSpecificConfigs - [#12737](https://github.com/NuGet/Home/issues/12737) + +* NuGetAuditMode all warns about package versions that were upgraded (rejected) - [#12730](https://github.com/NuGet/Home/issues/12730) + +* An error “unable to find metadata of PackageName.1.0.0” occurs when installing package with “packages.config” format - [#12723](https://github.com/NuGet/Home/issues/12723) + +* WalkTreeRejectNodesOfRejectedNodes constantly triggering resizes of its tracker collection - [#12719](https://github.com/NuGet/Home/issues/12719) + +* Reduce RuntimeGraph allocations as it's immutable - [#12717](https://github.com/NuGet/Home/issues/12717) + +* Heavy allocations in NuGet.Commands.RestoreRunner.ExecuteAndCommitAsync|nuget.packaging.dll!NuGet.RuntimeModel.RuntimeDescription - [#12714](https://github.com/NuGet/Home/issues/12714) + +* Heavy allocations in NuGet.Commands.RestoreRunner.ExecuteAndCommitAsync|nuget.versioning.dll!NuGet.Versioning.VersionFormatter.Format - [#12707](https://github.com/NuGet/Home/issues/12707) + +* Remove allocations from PackageSource.Source setter - [#12692](https://github.com/NuGet/Home/issues/12692) + +* ContentItemCollection.FindBestItemGroup boxing enumerator - [#12689](https://github.com/NuGet/Home/issues/12689) + +* FrameworkNameProvider.GetVersionString boxing enumerator - [#12685](https://github.com/NuGet/Home/issues/12685) + +* NuGet.Client allocates many instances of comparers - [#12680](https://github.com/NuGet/Home/issues/12680) + +* GetContentFileFolderRelativeToFramework allocates too much - [#12668](https://github.com/NuGet/Home/issues/12668) + +* Deprecated info will flash for less than one second in the right penal when clicking package “Microsoft.Net.Http” with a non-deprecated version in the package list - [#12661](https://github.com/NuGet/Home/issues/12661) + +* CreateGraphNode has a high number of allocations - [#12641](https://github.com/NuGet/Home/issues/12641) + +* The vulnerable label doesn’t show in the “version” dropdown box of “Browse” tab when searching for vulnerable packages - [#12623](https://github.com/NuGet/Home/issues/12623) + +* NuGet.Commands.LockFileBuilder KeyNotFoundException Exception - [#12464](https://github.com/NuGet/Home/issues/12464) + +* A PackageDownload without a version causes a NullReferenceException - [#12212](https://github.com/NuGet/Home/issues/12212) + +* [Bug]: View License dialog does not display license content - [#12060](https://github.com/NuGet/Home/issues/12060) + + +* [Bug Bash] Only the embedded license content of the latest version can be loaded correctly in PM UI when there are multiple versions in the same package from local feeds - [#10670](https://github.com/NuGet/Home/issues/10670) + +[List of commits in this release](https://github.com/NuGet/NuGet.Client/compare/6.8.0.131...6.7.0.127) + +### Community contributions + +Thank you to all the contributors who helped make this NuGet release awesome! + +* [drewnoakes](https://github.com/NuGet/NuGet.Client/pull/5311) + * [5311](https://github.com/NuGet/NuGet.Client/pull/5311) Null annotate PackageDependencyInfo + * [5310](https://github.com/NuGet/NuGet.Client/pull/5310) Reduce size of LockFileTargetLibrary + * [5304](https://github.com/NuGet/NuGet.Client/pull/5304) Improve hashing and equality allocations/performance + * [5267](https://github.com/NuGet/NuGet.Client/pull/5267) Reduce allocations in NuGet.DependencyResolver.Tracker + * [5232](https://github.com/NuGet/NuGet.Client/pull/5232) Reduce allocations in RuntimeGraph + * [5279](https://github.com/NuGet/NuGet.Client/pull/5279) Reduce allocations in VersionRangeFormatter + * [5248](https://github.com/NuGet/NuGet.Client/pull/5248) Reduce allocations in RuntimeDescription and RuntimeDependencySet + * [5269](https://github.com/NuGet/NuGet.Client/pull/5269) Don't box enumerators in ContentItemCollection + * [5250](https://github.com/NuGet/NuGet.Client/pull/5250) Don't allocate temporaries in FrameworkNameProvider.GetVersionString + * [5271](https://github.com/NuGet/NuGet.Client/pull/5271) Remove allocations from PackageSource.Source setter +* [MichaelSimons](https://github.com/NuGet/NuGet.Client/pull/5418) + * [5418](https://github.com/NuGet/NuGet.Client/pull/5418) Fix source-build CI regression + * [5414](https://github.com/NuGet/NuGet.Client/pull/5414) Remove unnecessary source-build patch +* [mthalman](https://github.com/NuGet/NuGet.Client/pull/5385) + * [5385](https://github.com/NuGet/NuGet.Client/pull/5385) Update Newtonsoft.Json from 13.0.1 to 13.0.3 +* [timheuer](https://github.com/NuGet/NuGet.Client/pull/5375) + * [5375](https://github.com/NuGet/NuGet.Client/pull/5375) Update VS Options add/remove package source icons to VS2022 styling +* [dotnokato](https://github.com/NuGet/NuGet.Client/pull/5002) + * [5002](https://github.com/NuGet/NuGet.Client/pull/5002) CLI: Add -protocolVersion option to nuget sources add/update commands +* [oleksandr-didyk](https://github.com/NuGet/NuGet.Client/pull/5352) + * [5352](https://github.com/NuGet/NuGet.Client/pull/5352) allow empty sb intermediate +* [drolevar](https://github.com/NuGet/NuGet.Client/pull/5346) + * [5346](https://github.com/NuGet/NuGet.Client/pull/5346) Add .vdproj to the exclusion list +* [Greybird](https://github.com/NuGet/NuGet.Client/pull/5335) + * [5335](https://github.com/NuGet/NuGet.Client/pull/5335) Remove projects from list package output +* [NikolaMilosavljevic](https://github.com/NuGet/NuGet.Client/pull/5322) + * [5322](https://github.com/NuGet/NuGet.Client/pull/5322) Fix incorrect package version property for System.Security.Cryptograp… +* [vishavpandhi](https://github.com/NuGet/NuGet.Client/pull/5283) + * [5283](https://github.com/NuGet/NuGet.Client/pull/5283) [DartLab B2B feature] dropname for base VS should be retrieved using the baseline. +* [v-chayan](https://github.com/NuGet/NuGet.Client/pull/5278) + * [5278](https://github.com/NuGet/NuGet.Client/pull/5278) Remove redundant SourceBuildTrimNetFrameworkTargets property +* [marcin-krystianc](https://github.com/NuGet/NuGet.Client/pull/5293) + * [5293](https://github.com/NuGet/NuGet.Client/pull/5293) DetectAndMarkAmbiguousCentralTransitiveDependencies should be exhaustive and deterministic +* [Erarndt](https://github.com/NuGet/NuGet.Client/pull/5218) + * [5218](https://github.com/NuGet/NuGet.Client/pull/5218) Reduce some allocations in CreateGraphNode. diff --git a/docs/release-notes/NuGet-6.9.md b/docs/release-notes/NuGet-6.9.md new file mode 100644 index 000000000..4870ba3d2 --- /dev/null +++ b/docs/release-notes/NuGet-6.9.md @@ -0,0 +1,112 @@ +--- +title: NuGet 6.9 Release Notes +description: Release notes for NuGet 6.9 including new features, bug fixes, and DCRs. +author: jgonz120 +ms.author: jongonza +ms.date: 2/1/2024 +ms.topic: release-notes +--- + +# NuGet 6.9 Release Notes + +NuGet distribution vehicles: + +| NuGet version | Available in Visual Studio version | Available in .NET SDK(s) | +|:---|:---|:---| +| [**6.9.1**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.9](https://visualstudio.microsoft.com/downloads/) | [8.0.200](https://dotnet.microsoft.com/download/dotnet/8.0)1 | + +1 Installed with Visual Studio 2022 with any .NET workload + +## Summary: What's New in 6.9.1 + +* Support for dotnet search command (equivalent to nuget.exe list, later search) - [#6060](https://github.com/NuGet/Home/issues/6060) [#5138](https://github.com/NuGet/Home/issues/5138) + +* PM UI multi targeting experience is incomplete - support for updating and uninstalling conditional package versions - [#4681](https://github.com/NuGet/Home/issues/4681) + +* [Security]: Microsoft Security Advisory CVE-2024-0057 | NuGet Client Security Feature bypass Vulnerability - [#12653](https://github.com/NuGet/Home/issues/13241) + +### Breaking changes + +* Add nullable annotations to NuGet.LibraryModel - [#12889](https://github.com/NuGet/Home/issues/12889) + +### Issues fixed in this release + +* NuGetAudit should not download vulnerabilities database when project does not use any packages - [#13073](https://github.com/NuGet/Home/issues/13073) + +* Static graph-based restore should not enumerate every item's metadata - [#13049](https://github.com/NuGet/Home/issues/13049) + +* Migrate NuGet.CommandLine.XPlat package search to use System.CommandLine - [#13031](https://github.com/NuGet/Home/issues/13031) + +* Add `--format`, `--verbosity` , `configfile` options to `dotnet package search` - [#12978](https://github.com/NuGet/Home/issues/12978) + +* Set NuGetAudit defaults in MSBuild - [#12960](https://github.com/NuGet/Home/issues/12960) + +* RestoreTask: Control whether to embed files in the binlog - [#12957](https://github.com/NuGet/Home/issues/12957) + +* Create NU Error Code for Package Source Mapping & GPF conflicts - [#12953](https://github.com/NuGet/Home/issues/12953) + +* [DCR]: Allow floating versions with Central Package Management (CPM) - [#10432](https://github.com/NuGet/Home/issues/10432) + +* Static Graph restore won't warn for invalid projects - [#9300](https://github.com/NuGet/Home/issues/9300) + +* Rename no-cache to no-http-cache - [#9180](https://github.com/NuGet/Home/issues/9180) + +* VS Package Manager Console should close Text View - [#13104](https://github.com/NuGet/Home/issues/13104) + +* Vulnerability indicator shows up on dependent project if parent project has transitive vulnerabilities - [#13068](https://github.com/NuGet/Home/issues/13068) + +* Conditional updating when *all* packages are conditioned is broken - [#13034](https://github.com/NuGet/Home/issues/13034) + +* Perf issue in AssetsFileDependenciesDataSource - [#13019](https://github.com/NuGet/Home/issues/13019) + +* The `NuGetPackageSearchService.GetDeprecationMetadataAsync` in `NuGet.PackageManagement.VisualStudio` is dead code - [#13007](https://github.com/NuGet/Home/issues/13007) + +* Vulnerabilities filter shows incorrectly on “Brower” tab when the default tab was “Browse” instead of “Installed” for the previous opening of solution PM UI - [#12974](https://github.com/NuGet/Home/issues/12974) + +* HTTP 401 after some time in VS - [#12961](https://github.com/NuGet/Home/issues/12961) + +* [NuGet.Versioning] SemanticVersion.HasMetadata should indicate that Metadata is not null when true - [#12949](https://github.com/NuGet/Home/issues/12949) + +* TelemetryUtility.ToJsonArrayOfTimingsInSeconds returns incorrect json array on locales having comma as decimal separator - [#12915](https://github.com/NuGet/Home/issues/12915) + +* Static graph-based restore does not respect Interactive option when loading projects - [#12907](https://github.com/NuGet/Home/issues/12907) + +* Vulnerabilities InfoBar link to `Manage NuGet Packages` is truncated - [#12835](https://github.com/NuGet/Home/issues/12835) + +* NuGet.Build.Tasks caches CredentialProvider device flow timeout. - [#12540](https://github.com/NuGet/Home/issues/12540) + +* "error: Sequence contains no matching element" when listing outdated packages - [#12256](https://github.com/NuGet/Home/issues/12256) + +* [Bug]: Process argument string is too long when publishing in Visual Studio with static graph enabled - [#11968](https://github.com/NuGet/Home/issues/11968) + +* [Bug]: PM UI cannot uninstall packages in multitargeting projects - [#11914](https://github.com/NuGet/Home/issues/11914) + +* When a package is installed in the global packages folder, add details about the package location - [#11447](https://github.com/NuGet/Home/issues/11447) + +* NuGet should handle duplicate nomination data better. - [#8749](https://github.com/NuGet/Home/issues/8749) + +[List of commits in this release](https://github.com/NuGet/NuGet.Client/compare/6.9.0.74...6.8.0.131) + +### Community contributions + +Thank you to all the contributors who helped make this NuGet release awesome! + +* [KirillOsenkov](https://github.com/KirillOsenkov) + * Control embedding Restore files in binlog - [5494](https://github.com/NuGet/NuGet.Client/pull/5494) + * Don't log task inputs and outputs when binary logger is enabled - [5498](https://github.com/NuGet/NuGet.Client/pull/5498) +* [Erarndt](https://github.com/Erarndt) + * Unroll Linq usage in FilterDependencyProvidersForLibrary - [5535](https://github.com/NuGet/NuGet.Client/pull/5535) + * Reduce allocations in calls to CreateGraphNode() - [5531](https://github.com/NuGet/NuGet.Client/pull/5531) +* [dotnokato](https://github.com/dotnokato) + * Fix tests failing when run on systems with non-English language/locale settings - [5442](https://github.com/NuGet/NuGet.Client/pull/5442) + * Fix incorrect json array returned for locales with comma as decimal separator in TelemetryUtility.ToJsonArrayOfTimingsInSeconds - [5441](https://github.com/NuGet/NuGet.Client/pull/5441) +* [ellahathaway](https://github.com/ellahathaway) + * Shorten source-build inner clone paths - [5543](https://github.com/NuGet/NuGet.Client/pull/5543) +* [jasonmalinowski](https://github.com/jasonmalinowski) + * Output a more debuggable message if a single value isn't specified - [5533](https://github.com/NuGet/NuGet.Client/pull/5533) +* [mthalman](https://github.com/mthalman) + * Target net9.0 for .NET source build - [5511](https://github.com/NuGet/NuGet.Client/pull/5511) +* [NikolaMilosavljevic](https://github.com/NikolaMilosavljevic) + * Eliminate obsolete API warnings/errors in product source-build - [5496](https://github.com/NuGet/NuGet.Client/pull/5496) +* [amis92](https://github.com/amis92) + * Add MemberNotNullWhen to SemanticVersion.HasMetadata - [5465](https://github.com/NuGet/NuGet.Client/pull/5465) diff --git a/docs/release-notes/NuGet-7.0.md b/docs/release-notes/NuGet-7.0.md new file mode 100644 index 000000000..0de1486cc --- /dev/null +++ b/docs/release-notes/NuGet-7.0.md @@ -0,0 +1,312 @@ +--- +title: NuGet 7.0 Release Notes +description: Release notes for NuGet 7.0 including new features, bug fixes, and DCRs. +author: donnie-msft +ms.author: eagoodso +ms.date: 10/29/2025 +ms.topic: release-notes +--- + +# NuGet 7.0 Release Notes + +NuGet distribution vehicles: + +| NuGet version | Available in Visual Studio version | Available in .NET SDK(s) | +| :---|:---|:---| +| [**7.0.0**](https://nuget.org/downloads) | [Visual Studio 2026 version 18.0.0](https://visualstudio.microsoft.com/downloads/) | [10.0.100](https://dotnet.microsoft.com/download/dotnet/10.0)1 | + +1 Installed with Visual Studio 2026 with any .NET workload + +## Summary: What's New in 7.0.0 + +* Projects that target .NET 10 warn for vulnerabilities in transitive packages by defaulting to NuGetAuditMode=all [#14161](https://github.com/nuget/home/issues/14161) + +* [Package pruning](../consume-packages/Package-References-in-Project-Files.md#prunepackagereference) is enabled for all projects targeting .NET 10 [#14345](https://github.com/NuGet/Home/issues/14345) + +* Created the [NuGet Model Context Protocol (MCP) Server](../concepts/NuGet-MCP-Server.md), supported by .NET 10 SDK or later. +NuGet's MCP is pre-installed in Visual Studio 2026, and installable in VS 17.14 and VS Code. +The server is published on nuget.org as the [NuGet.Mcp.Server](https://www.nuget.org/packages/NuGet.Mcp.Server#readme-body-tab) package. + +* Enable packing legacy PackageReference projects without the need for a package - [#14046](https://github.com/NuGet/Home/issues/14046) + +* Deprecate SHA-1 usage in .NET 10 - [#13814](https://github.com/NuGet/Home/issues/13814) + +* Details pane reflects Vulnerability Data from Audit Sources - [#14554](https://github.com/NuGet/Home/issues/14554) + +* NuGet AuditSources support in the Package Manager UI - [#13954](https://github.com/NuGet/Home/issues/13954) + +* Migrate NuGet's settings to the new Visual Studio Options window + + * Migrate "Package sources" settings in Visual Studio Options - [#14233](https://github.com/NuGet/Home/issues/14233) + + * Migrate "Package Source Mapping" settings in Visual Studio Options - [#14234](https://github.com/NuGet/Home/issues/14234) + +* dotnet update package --vulnerable (Audit fix) - [#13372](https://github.com/NuGet/Home/issues/13372) + +### Breaking changes + +* Add package ID validation during restore - [#14407](https://github.com/NuGet/Home/issues/14407) + +* Project.json is no longer supported in 7.0. Visual Studio 2026 automatically migrated project.json projects to PackageReference + +* Package pruning will lead to a one-time diff in packages lock file - [#14272](https://github.com/NuGet/Home/issues/14272) + +* Pruning privatizes a direct references by apply PrivateAssets=all and IncludeAssets=none - [#14196](https://github.com/NuGet/Home/issues/14196) + +* Raise an error for SHA-1 fingerprints usage in NuGet.exe sign, mssign commands - [#13962](https://github.com/NuGet/Home/issues/13962) + +* Show an error when a non https source is used in a resource in a service index - [#13364](https://github.com/NuGet/Home/issues/13364) + +#### SDK Breaking changes + +* Project.json deprecation + * Remove project.json pack - [#7931](https://github.com/NuGet/Home/issues/7931) + + * Remove project.json support - [#7199](https://github.com/NuGet/Home/issues/7199) + + * Remove PackageSpec.Dependencies - [#14446](https://github.com/NuGet/Home/issues/14446) + + * Clean up Package Spec redudant APIs - [#6231](https://github.com/NuGet/Home/issues/6231) + +* Unused NuGet VS Extensibility APIs removed - [#14403](https://github.com/NuGet/Home/issues/14403) + +* Remove all unused APIs marked as obsolete in NuGet.Frameworks, NuGet.Protocol, NuGet.Commands & NuGet.PackageManagement - [#14395](https://github.com/NuGet/Home/issues/14395) + +* Remove obsolete APIs from NuGet.Common, NuGet.Configuration, NuGet.LibraryModel, NuGet.Packaging and NuGet.ProjectModel - [#14393](https://github.com/NuGet/Home/issues/14393) + +* Block and remove code for unused restore implementations such as `Standalone`. - [#14184](https://github.com/NuGet/Home/issues/14184) + +* Remove `DotnetToolReference` restore - [#14183](https://github.com/NuGet/Home/issues/14183) + +### Issues fixed in this release + +#### NuGet SDK fixes + +* Don't use reflection based deserialization in NuGet.Protocol - [#14470](https://github.com/NuGet/Home/issues/14470) + +* JsonSerializerIsReflectionDisabled on update to Nuget.Protocols 6.13.1 in apps with JsonSerializerIsReflectionEnabledByDefault set to false - [#14111](https://github.com/NuGet/Home/issues/14111) + +#### .NET CLI + +* Enable CanShowDialog for .NET core Authentication Plugins - [#14010](https://github.com/NuGet/Home/issues/14010) + +* "dotnet package update" modifies wrong project file (csproj) - [#14585](https://github.com/NuGet/Home/issues/14585) + +* dotnet nuget verify should output package content hash - [#14384](https://github.com/NuGet/Home/issues/14384) + +* dotnet package update should support --verbosity - [#14319](https://github.com/NuGet/Home/issues/14319) + +* dotnet package update should support CPM and VersionOverride - [#14318](https://github.com/NuGet/Home/issues/14318) + +* dotnet package update should support multiple packages - [#14308](https://github.com/NuGet/Home/issues/14308) + +* dotnet package update should support package source mapping - [#14307](https://github.com/NuGet/Home/issues/14307) + +* dotnet package update to a specific version - [#14306](https://github.com/NuGet/Home/issues/14306) + +* dotnet package update initial version - [#14305](https://github.com/NuGet/Home/issues/14305) + +* [Bug Bash][Unstable] An error “Attempted to divide by zero.” occurs when executing command “dotnet list [ProjectPath] package --vulnerable” - [#14122](https://github.com/NuGet/Home/issues/14122) + +* [Feature]: dotnet list [project | solution] package does not work with solution filters - [#11789](https://github.com/NuGet/Home/issues/11789) + +#### Package Manager UI in Visual Studio + +* Convert Search Control to Fluent UI - [#14469](https://github.com/NuGet/Home/issues/14469) + +* Use Fluent TextBox for Project PM UI Installed Version - [#14466](https://github.com/NuGet/Home/issues/14466) + +* [Bug Bash] There is a tiny gap in the version drop-down list of PM UI - [#11990](https://github.com/NuGet/Home/issues/11990) + +* [Bug Bash] The dropdown list of PM UI doesn’t distinguish the background color between selected-item and hover-on item - [#10977](https://github.com/NuGet/Home/issues/10977) + +* [Bug Bash] Pressing the page-down button on the keyboard when focusing on ‘Version’ drop-down box with Tab key makes the box empty - [#13605](https://github.com/NuGet/Home/issues/13605) + +* Dead Code: ActionsAndVersions View - [#14464](https://github.com/NuGet/Home/issues/14464) + +#### Visual Studio options + +* Decommission Legacy VS Options NuGet Settings - [#14398](https://github.com/NuGet/Home/issues/14398) + +* When adding an http source in the options dialog, have the user click on a checkbox to more explicitly agree to AllowInsecureConnections being added - [#14377](https://github.com/NuGet/Home/issues/14377) + +* Error needed in Package Sources settings for HTTP source without AllowInsecureConnections - [#14367](https://github.com/NuGet/Home/issues/14367) + +* Improve validation of NuGet's settings in Visual Studio Options - [#14359](https://github.com/NuGet/Home/issues/14359) + +* Show validation errors on NuGet options pages while typing - [#14358](https://github.com/NuGet/Home/issues/14358) + +* [Bug Bash] [Unstable] The first removing of a source mapping from the ‘Package Source Mappings’ list in ‘Package Source Mapping’ dialog doesn’t work - [#13520](https://github.com/NuGet/Home/issues/13520) + +* [Localization] The table title ‘Package Source Mapping’ in the ‘Options->NuGet Package Manager->Package Source Mapping’ page was not localized - [#14550](https://github.com/NuGet/Home/issues/14550) + +* [Bug Bash] The offline package source cannot be enabled after disabling it from the ‘Machine-wide package sources’ source list previously in the ‘Options->NuGet Package Manager->Package Sources’ window - [#13434](https://github.com/NuGet/Home/issues/13434) + +* [Bug Bash] The “source” column of the “Add New Package Source Mapping” dialog doesn’t have the minimum width set which makes it can be dragged out of sight - [#13355](https://github.com/NuGet/Home/issues/13355) + +* [Bug Bash] The first reopening of Options dialog should bring back the default package source "Microsoft Visual Studio Offline Packages" in "package sources" list when all the sources were deleted previously - [#13278](https://github.com/NuGet/Home/issues/13278) + +* [Bug Bash] Newly added package source mapping shouldn’t be case-sensitive in “Option->NuGet Package Manager->Package Source Mapping” window - [#13210](https://github.com/NuGet/Home/issues/13210) + +* [Bug Bash] New added package source mapping will lost after switching back to the "Package Source Mapping" tab from other tab in “Option->NuGet Package Manager” window - [#13150](https://github.com/NuGet/Home/issues/13150) + +* [Bug Bash] The “Remove” button should be disable when no package source mapping is selected in the “Package Source Mappings” list - [#13115](https://github.com/NuGet/Home/issues/13115) + +* [CSY] Duplicated hotkeys show in “Options->NuGet Package Manager->Package Sources” dialog - [#7822](https://github.com/NuGet/Home/issues/7822) + +* VS NuGet PMUI - Machine-wide package sources area should be vertically resize-able as well - [#7560](https://github.com/NuGet/Home/issues/7560) + +* [Bug Bash] There will be a duplicated package source when modifying the name of source “Microsoft Visual Studio Offline Packages” - [#13057](https://github.com/NuGet/Home/issues/13057) + +* [Bug Bash] The “Options->NuGet Package Manager->Package Sources” page is disabled after checking or unchecking the checkbox “Enabled” of any one of the package sources having duplicated sources - [#14499](https://github.com/NuGet/Home/issues/14499) + +* Have to manually select pre-populated text on Add Package Source dialog - [#14450](https://github.com/NuGet/Home/issues/14450) + +* VS should not delete Package Source attributes when Name is updated - [#14370](https://github.com/NuGet/Home/issues/14370) + +#### Package Pruning + +* Warning rollout for PrunePackageReference - [#14126](https://github.com/NuGet/Home/issues/14126) + +* Missing audit warnings from "nuget install" when nuget.org is not a package source - [#14096](https://github.com/NuGet/Home/issues/14096) + +* It's not possible to push to HTTP sources specified via command line - [#14047](https://github.com/NuGet/Home/issues/14047) + +* Package pruning is enabled for all projects targeting .NET 10 including multi-targeted ones - [#14345](https://github.com/NuGet/Home/issues/14345) + +* Move pruning enabled frameworks to the NuGet.targets - [#14424](https://github.com/NuGet/Home/issues/14424) + +* Change _RestorePackagePruningDefault to RestorePackagePruningDefault - [#14511](https://github.com/NuGet/Home/issues/14511) + +#### Restore + +* dotnet restore/Visual Studio conflicting with .esproj + Nx project.json - [#13512](https://github.com/NuGet/Home/issues/13512) + +* Improve NU1004 when pruning is used with locked mode - [#14075](https://github.com/NuGet/Home/issues/14075) + +* Consider not writing NuGetToolVersion to generated MSBuild props files on Restore - [#14355](https://github.com/NuGet/Home/issues/14355) + +* NuGet Restore fails if SQL Server Management Studio 21 is installed - [#14349](https://github.com/NuGet/Home/issues/14349) + +* Remove NUGET_EXPERIMENTAL_USE_NJ_FOR_FILE_PARSING - [#14257](https://github.com/NuGet/Home/issues/14257) + +* Remove RestoreTargetGraph.Name as it's redundant with restoreTargetGraph.TargetGraphName being the widely used version - [#14529](https://github.com/NuGet/Home/issues/14529) + +* Remove RestoreArgs.LockFileVersion as it's functionality unused - [#14524](https://github.com/NuGet/Home/issues/14524) + +* Remove NUGET_BULK_RESTORE_COORDINATION and NUGET_SOLUTION_CACHE_INITIALIZATION fallbacks - [#14502](https://github.com/NuGet/Home/issues/14502) + +#### Dependency resolver + +* New dependency resolver does not properly handle floating prerelease versions - [#13833](https://github.com/NuGet/Home/issues/13833) + +* Reenable new algorithm resolution with lock files - [#13800](https://github.com/NuGet/Home/issues/13800) + +#### Other + +* Stop ilmerging pack - [#13079](https://github.com/NuGet/Home/issues/13079) + +* Make NuGet.Client's Build.ps1 more friendly to GitHub Copilot in VSCode - [#14453](https://github.com/NuGet/Home/issues/14453) + +* Generate identical [Content_Types].xml on repeated builds - [#14357](https://github.com/NuGet/Home/issues/14357) + +* pack legacy csproj: include pack targets and tasks in VS build tools - [#14520](https://github.com/NuGet/Home/issues/14520) + +* VS crashes when the only project in the solution is a project.json project - [#14553](https://github.com/NuGet/Home/issues/14553) + +* review exception handling - [#14440](https://github.com/NuGet/Home/issues/14440) + +* Improve perf by avoiding redundant dictionary lookups - [#14432](https://github.com/NuGet/Home/issues/14432) + +* LockFileLibrary does not need to be mutable - [#14385](https://github.com/NuGet/Home/issues/14385) + +[List of commits in this release](https://github.com/NuGet/NuGet.Client/compare/6.14.1.1...7.0.0.289) + +### Community contributions + +Thank you to all the contributors who helped make this NuGet release awesome! + +* [SimonCropp](https://github.com/NuGet/NuGet.Client/pull/6720) + * [6720](https://github.com/NuGet/NuGet.Client/pull/6720) remove redundant default constructors + * [6610](https://github.com/NuGet/NuGet.Client/pull/6610) add "does not have a min version" to messages in GetNupkgInfo + * [6581](https://github.com/NuGet/NuGet.Client/pull/6581) remove redundant dictionary lookups in MarkTransitiveOrigin + * [6596](https://github.com/NuGet/NuGet.Client/pull/6596) enable nullability in PackageItemViewModelTests + * [6634](https://github.com/NuGet/NuGet.Client/pull/6634) remove IFrameworkTargetable + * [6616](https://github.com/NuGet/NuGet.Client/pull/6616) avoid redundant version parsing in PluginFindPackageByIdResource + * [6595](https://github.com/NuGet/NuGet.Client/pull/6595) enable nullability in ReadmePreviewViewModelTests + * [6587](https://github.com/NuGet/NuGet.Client/pull/6587) remove redundant dictionary lookup in ProcessUnrankedEntries + * [6598](https://github.com/NuGet/NuGet.Client/pull/6598) enable nullability in EmbeddedResourcesCapabilityTests + * [6577](https://github.com/NuGet/NuGet.Client/pull/6577) use fields instead of private properties + * [6622](https://github.com/NuGet/NuGet.Client/pull/6622) remove un-used list in GetPackagesToBeReinstalled + * [6589](https://github.com/NuGet/NuGet.Client/pull/6589) redundant null check for projectManagerService.GetMetadataAsync return value + * [6605](https://github.com/NuGet/NuGet.Client/pull/6605) enable nullable in VSRestoreSettingsUtilityTests + * [6575](https://github.com/NuGet/NuGet.Client/pull/6575) remove redundant dictionary lookup in CredentialServiceAdapter.GetCredentials + * [6601](https://github.com/NuGet/NuGet.Client/pull/6601) enable nullabe in NuGetInstallCommandTest + * [6593](https://github.com/NuGet/NuGet.Client/pull/6593) enable nullable in IProjectContextInfoExtensionsTests + * [6614](https://github.com/NuGet/NuGet.Client/pull/6614) remove redundant lists in DependencyGraphFileRequestProvider + * [6625](https://github.com/NuGet/NuGet.Client/pull/6625) remove un-used variables in PackageExtractor + * [6609](https://github.com/NuGet/NuGet.Client/pull/6609) fix nullability in UnresolvedMessages + * [6608](https://github.com/NuGet/NuGet.Client/pull/6608) remove un-used contextForGather + * [6628](https://github.com/NuGet/NuGet.Client/pull/6628) remove redundant enumeration in CredentialsItem + * [6617](https://github.com/NuGet/NuGet.Client/pull/6617) remove toolItems list instance in MSBuildRestoreUtility + * [6599](https://github.com/NuGet/NuGet.Client/pull/6599) fix parameter nullability in Constructor_SetReportAbuseUrl_Initialize… + * [6604](https://github.com/NuGet/NuGet.Client/pull/6604) enable nullable in LegacyPackageReferenceProjectTests + * [6631](https://github.com/NuGet/NuGet.Client/pull/6631) remove DependencyGraphSpecRequestProvider.CollectReferences + * [6635](https://github.com/NuGet/NuGet.Client/pull/6635) remove EnvDteProjectExtensions.PathComparer + * [6623](https://github.com/NuGet/NuGet.Client/pull/6623) remove redundant GetManifestResourceNames in ManifestSchemaUtility + * [6619](https://github.com/NuGet/NuGet.Client/pull/6619) remove unused packageID variable + * [6620](https://github.com/NuGet/NuGet.Client/pull/6620) remove un-used variables in PackageManagerControl + * [6640](https://github.com/NuGet/NuGet.Client/pull/6640) remove redundant exception handling + * [6637](https://github.com/NuGet/NuGet.Client/pull/6637) remove PackageManagerControl.AddMigratorBar + * [6629](https://github.com/NuGet/NuGet.Client/pull/6629) remove un-used HashSet instance in ResolverMetadataClient + * [6602](https://github.com/NuGet/NuGet.Client/pull/6602) enable nullable in MSBuildUtilityTest + * [6641](https://github.com/NuGet/NuGet.Client/pull/6641) remove redundant null condition in UpdateCommand.ExecuteCommandAsync + * [6683](https://github.com/NuGet/NuGet.Client/pull/6683) remove redundant string alloc in GetTempFilePath + * [6626](https://github.com/NuGet/NuGet.Client/pull/6626) remove un-used variables in SignedPackageArchiveIOUtility + * [6574](https://github.com/NuGet/NuGet.Client/pull/6574) remove redundant dictionary lookup in CreatePackageSourceMappingDictionary + * [6594](https://github.com/NuGet/NuGet.Client/pull/6594) enable nullability in InfiniteScrollListTests + * [6682](https://github.com/NuGet/NuGet.Client/pull/6682) Use async delay in SafeReadAsync + * [6600](https://github.com/NuGet/NuGet.Client/pull/6600) enable nullable in NuGetUpdateCommandTests + * [6606](https://github.com/NuGet/NuGet.Client/pull/6606) enable nullable in VSNominationUtilitiesTests + * [6613](https://github.com/NuGet/NuGet.Client/pull/6613) remove redundant type variable in GetExternalProject + * [6611](https://github.com/NuGet/NuGet.Client/pull/6611) remove un-used solutionService instances + * [6643](https://github.com/NuGet/NuGet.Client/pull/6643) remove MsBuildUtility.GetMsBuildPathInPathVar + * [6632](https://github.com/NuGet/NuGet.Client/pull/6632) remove PackageSpecFactory.GetTargetFrameworkStrings + * [6573](https://github.com/NuGet/NuGet.Client/pull/6573) avoid some allocation in ProjectFactory.ProcessDependencies + * [6588](https://github.com/NuGet/NuGet.Client/pull/6588) remove dictionary lookups from GetPreviewResultsAsync + * [6597](https://github.com/NuGet/NuGet.Client/pull/6597) fix nullability in PackageModelCreationTestHelper + * [6612](https://github.com/NuGet/NuGet.Client/pull/6612) remove un-used list instances in NuGetPackageManager + * [6591](https://github.com/NuGet/NuGet.Client/pull/6591) enable nullable in PackageSourceValidatorTests + * [6603](https://github.com/NuGet/NuGet.Client/pull/6603) fix nullability in IVsProjectBuildProperties + * [6636](https://github.com/NuGet/NuGet.Client/pull/6636) remove _project* fields from PackageReferenceProject + * [6630](https://github.com/NuGet/NuGet.Client/pull/6630) remove un-used identity instance in LocalV3FindPackageByIdResource + * [6618](https://github.com/NuGet/NuGet.Client/pull/6618) remove LoggerAdapter instance in NuGetPackageManager + * [6621](https://github.com/NuGet/NuGet.Client/pull/6621) remove un-used projectsByUniqueName in SolutionUpToDateChecker + * [6624](https://github.com/NuGet/NuGet.Client/pull/6624) remove un-used variables in PackageBuilder + * [6633](https://github.com/NuGet/NuGet.Client/pull/6633) remove JsonPackageSpecReader DelimitedStringSeparators and VersionSeparators + * [6642](https://github.com/NuGet/NuGet.Client/pull/6642) use cast instead of as and null check in CommandLineParser.AssignValue + * [6615](https://github.com/NuGet/NuGet.Client/pull/6615) remove redundant list in GetPluginAsync + * [6627](https://github.com/NuGet/NuGet.Client/pull/6627) remove un-used GetDirectoryName in MisplacedAssemblyOutsideLibRule + * [6578](https://github.com/NuGet/NuGet.Client/pull/6578) remove redundant dictionary lookup in PrunePackageTree.PruneDowngrades + * [6576](https://github.com/NuGet/NuGet.Client/pull/6576) remove redundant dictionary lookup in RecommenderPackageFeed +* [baronfel](https://github.com/NuGet/NuGet.Client/pull/6554) + * [6554](https://github.com/NuGet/NuGet.Client/pull/6554) Fix NuGet->SDK Codeflow + * [6514](https://github.com/NuGet/NuGet.Client/pull/6514) Pin and stabilize the `NuGetToolVersion` property in the generated NuGet props files during restore. +* [omajid](https://github.com/NuGet/NuGet.Client/pull/6500) + * [6500](https://github.com/NuGet/NuGet.Client/pull/6500) Ensure stable order of entries in Content_Types.xml + * [6507](https://github.com/NuGet/NuGet.Client/pull/6507) Support building on Linux when full signing is not available +* [AlexDelepine](https://github.com/NuGet/NuGet.Client/pull/6793) + * [6793](https://github.com/NuGet/NuGet.Client/pull/6793) Update Ngen Priorities for VS +* [hickford](https://github.com/NuGet/NuGet.Client/pull/6475) + * [6475](https://github.com/NuGet/NuGet.Client/pull/6475) Populate audit sources consistently +* [nohwnd](https://github.com/NuGet/NuGet.Client/pull/6735) + * [6735](https://github.com/NuGet/NuGet.Client/pull/6735) Disable loading profile in utility powershell.exe calls +* [mmitche](https://github.com/NuGet/NuGet.Client/pull/6539) + * [6539](https://github.com/NuGet/NuGet.Client/pull/6539) Move NuGet to xliff-tasks +* [dkurepa](https://github.com/NuGet/NuGet.Client/pull/6644) + * [6644](https://github.com/NuGet/NuGet.Client/pull/6644) Add Version.Details.props +* [bdukes](https://github.com/NuGet/NuGet.Client/pull/6530) + * [6530](https://github.com/NuGet/NuGet.Client/pull/6530) Fix `nuget.exe` restore finding MSBuild from SSMS instead of Visual Studio +* [ToddGrun](https://github.com/NuGet/NuGet.Client/pull/6519) + * [6519](https://github.com/NuGet/NuGet.Client/pull/6519) Make LockFileLibrary immutable for performance and sanity reasons + \ No newline at end of file diff --git a/docs/resources/NuGet-FAQ.yml b/docs/resources/NuGet-FAQ.yml index 7c4bee0ba..07bb046b1 100644 --- a/docs/resources/NuGet-FAQ.yml +++ b/docs/resources/NuGet-FAQ.yml @@ -5,7 +5,7 @@ metadata: author: shishirx34 ms.author: shishirh ms.date: 01/31/2022 - ms.topic: conceptual + ms.topic: faq title: NuGet frequently-asked questions summary: | @@ -23,11 +23,9 @@ sections: - question: | Does NuGet support Mono? answer: | - The command-line tool, `nuget.exe`, builds and runs under Mono 3.2+ and can create packages in Mono. - - Although `nuget.exe` works fully on Windows, there are known issues on Linux and OS X. Refer to [Mono issues](https://github.com/NuGet/Home/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+mono) on GitHub. - - A [graphical client](https://github.com/mrward/monodevelop-nuget-addin) is available as an add-in for MonoDevelop. + The command-line tool, `nuget.exe`, builds and runs typically under Windows. NuGet can run on Unix operating systems using `mono`, but it is not officially supported by [NuGet's Support Policy](https://devblogs.microsoft.com/nuget/announcing-nuget-exe-and-nuget-client-sdk-packages-support-policy-keeping-you-informed-and-secure/). + + [Mono has transferred ownership to Wine and is no longer maintained by Microsoft](https://github.com/mono/mono/issues/21796). - question: | How can I determine what a package contains and whether it's stable and useful for my application? @@ -58,7 +56,7 @@ sections: answer: | NuGet generally works for .NET languages and is designed to bring .NET libraries into a project. Because it also supports MSBuild and Visual Studio automation in some project types, it also supports other projects and languages to various degrees. - The most recent version of NuGet supports C#, Visual Basic, F#, WiX, and C++. + The most recent version of NuGet supports C#, Visual Basic, F#, WiX, C++, and Q#. - question: | What project templates are supported by NuGet? @@ -181,3 +179,12 @@ sections: If the `target` has been modified manually, NuGet might not be able to detect that it needs removed when migrating. If your project is `PackageReference` and you still have this target in project file, it should be safe to remove. + + - question: | + There is no README in Visual Studio NuGet Package Manager for the selected package. + answer: | + If you see the message "There is no README available for the selected package version" in Visual Studio NuGet Package Manager, that means that the selected version of the NuGet package does not have an embedded README file. + - If this is not the latest version of the package, consider checking the latest version. + - If the latest version doesn't have the README file embedded either, and you are not the maintainer of this package, consider filing an issue or contacting the maintainer to request a README. + - If you are the maintainer of the package, here is the guide on [how to embed the README in your package](https://aka.ms/nuget/readme). Please note that if you have added the README file on NuGet.org but didn't embed it in your package, the README will not be shown in Visual Studio. + diff --git a/docs/resources/check-project-format.md b/docs/resources/check-project-format.md index 03e7ce594..b7ed7d665 100644 --- a/docs/resources/check-project-format.md +++ b/docs/resources/check-project-format.md @@ -4,7 +4,7 @@ description: Describes how to identity your project format author: mikejo5000 ms.author: mikejo ms.date: 07/09/2019 -ms.topic: conceptual +ms.topic: article --- # Identify the project format @@ -15,10 +15,10 @@ Whether your project is SDK-style or not depends on the method used to create th | Project               | Default project format | CLI tool          | Notes | |:------------- |:-------------|:-----|:-----| -| .NET Standard | SDK-style | [dotnet CLI](../install-nuget-client-tools.md#dotnetexe-cli) | Projects created prior to Visual Studio 2017 are non-SDK-style. Use `nuget.exe` CLI. | -| .NET Core | SDK-style | [dotnet CLI](../install-nuget-client-tools.md#dotnetexe-cli) | Projects created prior to Visual Studio 2017 are non-SDK-style. Use `nuget.exe` CLI. | -| .NET Framework | Non-SDK-style | [nuget.exe CLI](../install-nuget-client-tools.md#nugetexe-cli) | .NET Framework projects created using other methods may be SDK-style projects. For these, use [dotnet CLI](../install-nuget-client-tools.md#dotnetexe-cli) instead. | -| [Migrated](../consume-packages/migrate-packages-config-to-package-reference.md) .NET project | Non-SDK-style| To create packages, use [msbuild -t:pack](../consume-packages/migrate-packages-config-to-package-reference.md#create-a-package-after-migration) to create packages. | To create packages, `msbuild -t:pack` is recommended. Otherwise, use the [dotnet CLI](../install-nuget-client-tools.md#dotnetexe-cli). Migrated projects are not SDK-style projects. | +| .NET Standard | SDK-style | [dotnet SDK](../install-nuget-client-tools.md#dotnet-sdk) | Projects created prior to Visual Studio 2017 are non-SDK-style. Use `nuget.exe` CLI. | +| .NET Core | SDK-style | [dotnet SDK](../install-nuget-client-tools.md#dotnet-sdk) | Projects created prior to Visual Studio 2017 are non-SDK-style. Use `nuget.exe` CLI. | +| .NET Framework | Non-SDK-style | [nuget.exe CLI](../install-nuget-client-tools.md#nugetexe-cli) | .NET Framework projects created using other methods may be SDK-style projects. For these, use [dotnet SDK](../install-nuget-client-tools.md#dotnet-sdk) instead. | +| [Migrated](../consume-packages/migrate-packages-config-to-package-reference.md) .NET project | Non-SDK-style| To create packages, use [msbuild -t:pack](../consume-packages/migrate-packages-config-to-package-reference.md#create-a-package-after-migration) to create packages. | To create packages, `msbuild -t:pack` is recommended. Otherwise, use the [dotnet SDK](../install-nuget-client-tools.md#dotnet-sdk). Migrated projects are not SDK-style projects. | ## Check the project format diff --git a/docs/visual-studio-extensibility/Visual-Studio-Templates.md b/docs/visual-studio-extensibility/Visual-Studio-Templates.md index 6e12d412e..aa1cf0484 100644 --- a/docs/visual-studio-extensibility/Visual-Studio-Templates.md +++ b/docs/visual-studio-extensibility/Visual-Studio-Templates.md @@ -4,7 +4,7 @@ description: Instructions for including NuGet packages as part of Visual Studio author: JonDouglas ms.author: jodou ms.date: 01/03/2018 -ms.topic: conceptual +ms.topic: article --- # Packages in Visual Studio templates diff --git a/docs/visual-studio-extensibility/nuget-api-in-visual-studio.md b/docs/visual-studio-extensibility/nuget-api-in-visual-studio.md index d114a29ec..e49186605 100644 --- a/docs/visual-studio-extensibility/nuget-api-in-visual-studio.md +++ b/docs/visual-studio-extensibility/nuget-api-in-visual-studio.md @@ -19,6 +19,15 @@ NuGet's product follows Visual Studio's version, but is 11.0 versions behind. Fo Starting from Visual Studio 17.1, NuGet's Visual Studio extensibility API packages match the version of Visual Studio that the APIs are targeting. For example, NuGet.VisualStudio and NuGet.VisualStudio.Contracts package version 17.1.0 should be used when your extension targets Visual Studio 17.1 and higher. In Visual Studio 17.0 and earlier, NuGet's package versions are the same as NuGet's product version. For example, if your extension targets Visual Studio 2022 version 17.0, you should use version 6.0 of NuGet's Visual Studio extensibility packages. +## NuGet Client SDK in Visual Studio Extensions + +Only the APIs in `NuGet.VisualStudio` and `NuGet.VisualStudio.Contracts` are supported in Visual Studio extensions. +NuGet provides binding redirects for these assemblies, so these assemblies do not need to be included in your extension. + +Using NuGet Client SDK packages, for example `NuGet.Protocol`, is not supported in Visual Studio extensions. +NuGet does not provide binding redirects for these assemblies. +See [the NuGet Client SDK support policy](../reference/NuGet-Client-SDK.md#support-policy) for more information. + ## Services List ### Brokered Services @@ -29,7 +38,7 @@ These services are available in the package [NuGet.VisualStudio.Contracts](https ### MEF Services -From NuGet 6.0, all of these APIs are available in the package [NuGet.VisualStudio](https://nuget.org/packages/NuGet.VisualStudio/). In NuGet 5.11 and earlier, the APIs in the namespace `NuGet.VisualStudio` are available in the package [NuGet.VisualStudio](https://nuget.org/packages.NuGet.VisualStudio/), and APIs in the namespace `NuGet.SolutionRestoreManager` are available in the package [NuGet.SolutionRestoreManager.Interop](https://www.nuget.org/packages/NuGet.SolutionRestoreManager.Interop/). +From NuGet 6.0, all of these APIs are available in the package [NuGet.VisualStudio](https://www.nuget.org/packages/NuGet.VisualStudio/). In NuGet 5.11 and earlier, the APIs in the namespace `NuGet.VisualStudio` are available in the package [NuGet.VisualStudio](https://www.nuget.org/packages/NuGet.VisualStudio/), and APIs in the namespace `NuGet.SolutionRestoreManager` are available in the package [NuGet.SolutionRestoreManager.Interop](https://www.nuget.org/packages/NuGet.SolutionRestoreManager.Interop/). #### NuGet.VisualStudio @@ -40,13 +49,11 @@ From NuGet 6.0, all of these APIs are available in the package [NuGet.VisualStud - [`IVsFrameworkCompatibility3`](#ivsframeworkcompatibility3-interface) Contains methods to discover frameworks and compatibility between frameworks. (5.8+) - [`IVsFrameworkParser`](#ivsframeworkparser-interface) An interface for dealing with the conversion between strings and [FrameworkName](/dotnet/api/system.runtime.versioning.frameworkname) (4.0+) - [`IVsFrameworkParser2`](#ivsframeworkparser2-interface) An interface to parse .NET Framework strings. See [NuGet-IVsFrameworkParser](https://aka.ms/NuGet-IVsFrameworkParser). (5.8+) -- [`IVsGlobalPackagesInitScriptExecutor`](#ivsglobalpackagesinitscriptexecutor-interface) Execute powershell scripts from package(s) in a solution (4.0+) - [`IVsPackageInstaller`](#ivspackageinstaller-interface): Methods to install NuGet packages into projects. (3.3+) - [`IVsPackageInstaller2](#ivspackageinstaller2-interface) Contains method to install latest version of a single package into a project within the current solution. - [`IVsPackageInstallerEvents`](#ivspackageinstallerevents-interface): Events for package install/uninstall. (3.3+) - [`IVsPackageInstallerProjectEvents`](#ivspackageinstallerprojectevents-interface): Batch events for package install/uninstall. (3.3+) - [`IVsPackageInstallerServices`](#ivspackageinstallerservices-interface): Methods to retrieve installed packages in the current solution and to check whether a given package is installed in a project. (3.3+) -- [`IVsPackageManagerProvider`](#ivspackagemanagerprovider-interface): Methods to provide alternative Package Manager suggestions for a NuGet package. (3.3 - 5.11) - [`IVsPackageRestorer`](#ivspackagerestorer-interface): Methods to restore packages installed in a project. (3.3+) - [`IVsPackageSourceProvider`](#ivspackagesourceprovider-interface): Methods to retrieve a list of NuGet package sources. (3.3+) - [`IVsPackageUninstaller`](#ivspackageuninstaller-interface): Methods to uninstall NuGet packages from projects. (3.3+) @@ -66,6 +73,7 @@ These interfaces are designed for project systems to interact with NuGet, allowi - [`IVsSolutionRestoreService2`](#ivssolutionrestoreservice2-interface) (4.3+) - [`IVsSolutionRestoreService3`](#ivssolutionrestoreservice3-interface) (5.1+) - [`IVsSolutionRestoreService4`](#ivssolutionrestoreservice4-interface) (6.0+) +- [`IVsSolutionRestoreService5`](#ivssolutionrestoreservice5-interface) (6.11+) - [`IVsSolutionRestoreStatusProvider`](#ivssolutionrestorestatusprovider-interface) (6.0+) ## Using NuGet Services @@ -405,31 +413,6 @@ public interface IRegistryKey } ``` -## IVsGlobalPackagesInitScriptExecutor interface - -```cs - /// - /// Execute powershell scripts from package(s) in a solution - /// - /// Intended for internal use only. - public interface IVsGlobalPackagesInitScriptExecutor - { - /// - /// Executes the init script of the given package if available. - /// 1) If the init.ps1 script has already been executed by the powershell host, it will not be executed again. - /// True is returned. - /// 2) If the package is found in the global packages folder it will be used. - /// If not, it will return false and do nothing. - /// 3) Also, note if other scripts are executing while this call was made, it will wait for them to complete. - /// - /// Id of the package whose init.ps1 will be executed. - /// Version of the package whose init.ps1 will be executed. - /// Returns true if the script was executed or has been executed already. - /// This method throws if the init.ps1 being executed throws. - Task ExecuteInitScriptAsync(string packageId, string packageVersion); - } -``` - ## IVsPackageInstaller interface ```cs @@ -801,53 +784,6 @@ public interface IRegistryKey } ``` -## IVsPackageManagerProvider interface - -This interface was primarily used by the ASP.NET team, to suggest that Javascript and CSS packages like `jQuery` and `bootstrap` are installed with Bower instead of NuGet. Since they removed that functionality From Visual Studio, NuGet has obsolete this interface, and it will no longer be used by the Package Manager UI in Visual Studio 2022 (version 17.0) and later. - -```cs - /// - /// Interface allowing integration of alternate package manager suggestion for a NuGet package. - /// For example jQuery may appear on Bower and npm, - /// it might be more appropriate to install a package from them for certain projects. - /// - [Obsolete] - public interface IVsPackageManagerProvider - { - /// - /// Localized display package manager name. - /// - string PackageManagerName { get; } - - /// - /// Package manager unique id. - /// - string PackageManagerId { get; } - - /// - /// The tool tip description for the package - /// - string Description { get; } - - /// - /// Check if a recommendation should be surfaced for an alternate package manager. - /// This code should not rely on slow network calls, and should return rapidly. - /// - /// Current package id - /// Unique project name for finding the project through VS dte - /// Cancellation Token - /// return true if need to direct to integrated package manager for this package - Task CheckForPackageAsync(string packageId, string projectName, CancellationToken token); - - /// - /// This Action should take the user to the other package manager. - /// - /// Current package id - /// Unique project name for finding the project through VS dte - void GoToPackage(string packageId, string projectName); - } -``` - ## IVsPackageRestorer interface ```cs @@ -1240,6 +1176,7 @@ This interface was primarily used by the ASP.NET team, to suggest that Javascrip /// Thrown if is not the path of a project file. /// Thrown if is null. /// Thrown if is cancelled. + [Obsolete("Use IVsSolutionRestoreService5 instead")] Task NominateProjectAsync(string projectUniqueName, IVsProjectRestoreInfo projectRestoreInfo, CancellationToken token); } ``` @@ -1306,6 +1243,7 @@ This interface was primarily used by the ASP.NET team, to suggest that Javascrip /// Thrown if is not the path of a project file. /// Thrown if is null. /// Thrown if is cancelled. + [Obsolete("Use IVsSolutionRestoreService5 instead")] Task NominateProjectAsync(string projectUniqueName, IVsProjectRestoreInfo2 projectRestoreInfo, CancellationToken token); } ``` @@ -1333,6 +1271,36 @@ This interface was primarily used by the ASP.NET team, to suggest that Javascrip } ``` +## IVsSolutionRestoreService5 interface + +```cs + /// + /// Represents a package restore service API for integration with a project system. + /// Implemented by NuGet. + /// + public interface IVsSolutionRestoreService5 : IVsSolutionRestoreService4 + { + /// + /// An entry point used by CPS to indicate given project needs to be restored. + /// + /// + /// The full path to the project file. In the VS SDK's IVsSolution, this is also known as the unique name. + /// + /// Metadata needed for restoring the project. + /// Cancellation token. + /// + /// Returns a restore task corresponding to the nominated project request. + /// NuGet will batch restore requests so it's possible the same restore task will be returned for multiple projects. + /// When the requested restore operation for the given project completes the task will indicate operation success or failure. + /// + /// Thrown if is not the path of a project file, + /// or if has some basic validation errors. + /// Thrown if is . + /// Thrown if is cancelled. + Task NominateProjectAsync(string projectUniqueName, IVsProjectRestoreInfo3 projectRestoreInfo, CancellationToken token); + } +``` + ## IVsProjectRestoreInfoSource interface ```cs diff --git a/docs/what-is-nuget.md b/docs/what-is-nuget.md index b66de09cb..5c0537b68 100644 --- a/docs/what-is-nuget.md +++ b/docs/what-is-nuget.md @@ -106,9 +106,7 @@ Take a moment to browse the table of contents for this documentation, and you se ## Related video -> [!Video https://learn.microsoft.com/shows/NuGet-101/What-is-NuGet-1-of-5/player] - -Find more NuGet videos on [Channel 9](/shows/NuGet-101/) and [YouTube](https://www.youtube.com/playlist?list=PLdo4fOcmZ0oVLvfkFk8O9h6v2Dcdh2bh_). +Find NuGet videos on [Channel 9](/shows/NuGet-101/) and [YouTube](https://www.youtube.com/playlist?list=PLdo4fOcmZ0oVLvfkFk8O9h6v2Dcdh2bh_). ## Comments, contributions, and issues diff --git a/global.json b/global.json new file mode 100644 index 000000000..d894f924e --- /dev/null +++ b/global.json @@ -0,0 +1,5 @@ +{ + "msbuild-sdks": { + "Microsoft.Build.NoTargets" : "3.7.134" + } +} \ No newline at end of file