diff --git a/docs.sln b/docs.sln new file mode 100644 index 000000000..a90cea1da --- /dev/null +++ b/docs.sln @@ -0,0 +1,38 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 18 +VisualStudioVersion = 18.3.11122.13 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "docs", "docs\docs.csproj", "{718966AB-D840-C99F-BC8C-757012BE68AA}" +EndProject +Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{C2962E4E-20FC-4C00-858E-D0C62611CBFB}" + ProjectSection(SolutionItems) = preProject + .gitignore = .gitignore + .openpublishing.publish.config.json = .openpublishing.publish.config.json + .openpublishing.redirection.json = .openpublishing.redirection.json + CONTRIBUTING.md = CONTRIBUTING.md + global.json = global.json + LICENSE = LICENSE + LICENSE-CODE = LICENSE-CODE + README.md = README.md + ThirdPartyNotices = ThirdPartyNotices + EndProjectSection +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Any CPU = Debug|Any CPU + Release|Any CPU = Release|Any CPU + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {718966AB-D840-C99F-BC8C-757012BE68AA}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {718966AB-D840-C99F-BC8C-757012BE68AA}.Debug|Any CPU.Build.0 = Debug|Any CPU + {718966AB-D840-C99F-BC8C-757012BE68AA}.Release|Any CPU.ActiveCfg = Release|Any CPU + {718966AB-D840-C99F-BC8C-757012BE68AA}.Release|Any CPU.Build.0 = Release|Any CPU + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection + GlobalSection(ExtensibilityGlobals) = postSolution + SolutionGuid = {C4A337AF-69A4-496C-97FF-300C3489A718} + EndGlobalSection +EndGlobal diff --git a/docs/TOC.md b/docs/TOC.md index 0cf22d01f..a49bb6178 100644 --- a/docs/TOC.md +++ b/docs/TOC.md 
@@ -18,6 +18,7 @@ ### [Package Manager Console (PowerShell)](consume-packages/install-use-packages-powershell.md) ## Configure NuGet ### [Visual Studio options](consume-packages/nuget-visual-studio-options.md) +### [NuGet HTTPS Everywhere](consume-packages/nuget-https-everywhere.md) ### Package restore options #### [Restore packages](consume-packages/package-restore.md) #### [Troubleshooting](consume-packages/package-restore-troubleshooting.md) diff --git a/docs/concepts/Auditing-Packages.md b/docs/concepts/Auditing-Packages.md index 9ba52e166..72d185b5a 100644 --- a/docs/concepts/Auditing-Packages.md +++ b/docs/concepts/Auditing-Packages.md @@ -16,8 +16,6 @@ This involves identifying vulnerabilities, evaluating risks, and making recommen The audit can include a review of the packages themselves, as well as any dependencies and their associated risks. The goal of the audit is to identify and mitigate any security vulnerabilities that could be exploited by attackers, such as code injection or cross-site scripting attacks. -We also have a [blog post](https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/) which discusses our recommended method for taking action when a package with a known vulnerability is found to be used by your project, and tools to help get more information. - ### Feature availability | NuGet | .NET SDK | Visual Studio | Feature | 
@@ -79,11 +77,29 @@ Note that the [V2 protocol is deprecated](../nuget-org/overview-nuget-org.md#api | -------------------------------------------------------------------------------------------- | ------------------------------------------------------------------ | | [NuGet 6.12, .NET 9.0.100 SDK, and Visual Studio 2022 17.12](../release-notes/NuGet-6.12.md) | Restore | | [NuGet 6.14, .NET 9.0.300 SDK](../release-notes/NuGet-6.14.md) | `dotnet package list --vulnerable` | -| Not yet supported | NuGet AuditSources support in the Visual Studio Package Manager UI | +| [NuGet 7.0 and Visual Studio 2026](../release-notes/NuGet-7.0.md) | NuGet AuditSources support in the Visual Studio Package Manager UI | + +### Warning codes + +| Warning Code | Reason | +|--------------|----------| +| [NU1900](../reference/errors-and-warnings/NU1900.md) | Error communicating with package source, while getting vulnerability information. | +| [NU1901](../reference/errors-and-warnings/NU1901-NU1904.md) | Package with low severity detected | +| [NU1902](../reference/errors-and-warnings/NU1901-NU1904.md) | Package with moderate severity detected | +| [NU1903](../reference/errors-and-warnings/NU1901-NU1904.md) | Package with high severity detected | +| [NU1904](../reference/errors-and-warnings/NU1901-NU1904.md) | Package with critical severity detected | +| [NU1905](../reference/errors-and-warnings/NU1905.md) | An audit source does not provide a vulnerability database | + +You can customize your build to treat these warnings as errors to [treat warnings as errors, or treat warnings not as errors](/dotnet/csharp/language-reference/compiler-options/errors-warnings#warningsaserrors-and-warningsnotaserrors). +For example, if you're already using `` to treat all (C#, NuGet, MSBuild, etc) warnings as errors, you can use `$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904` to prevent vulnerabilities discovered in the future from breaking your build. 
+Alternatively, if you want to keep low and moderate vulnerabilities as warnings, but treat high and critical vulnerabilities as errors, and you're not using `TreatWarningsAsErrors`, you can use `$(WarningsAsErrors);NU1903;NU1904`. + +> [!NOTE] +> MSBuild properties for message severity such as `NoWarn` and `TreatWarningsAsErrors` are not supported for packages.config projects. #### Excluding advisories -You can choose to exclude specific advisories from the audit report by adding a new `NuGetAuditSuppress` MSBuild item for each advisory. +You can exclude advisories by adding a new `NuGetAuditSuppress` MSBuild item for each advisory. Define a `NuGetAuditSuppress` item with the `Include=` metadata set to the advisory URL you wish to suppress. ```xml 
@@ -97,23 +113,121 @@ Similar to the other NuGet audit configuration properties, `NuGetAuditSuppress` `NuGetAuditSuppress` is available for PackageReference projects starting from [NuGet 6.11, Visual Studio 17.11, and the .NET 8.0.400 SDK](../release-notes/NuGet-6.11.md). It is available for packages.config from [Visual Studio 17.12 and NuGet 6.12](../release-notes/NuGet-6.12.md). -### Warning codes +##### When to exclude advisories -| Warning Code | Reason | -|--------------|----------| -| [NU1900](../reference/errors-and-warnings/NU1900.md) | Error communicating with package source, while getting vulnerability information. | -| [NU1901](../reference/errors-and-warnings/NU1901-NU1904.md) | Package with low severity detected | -| [NU1902](../reference/errors-and-warnings/NU1901-NU1904.md) | Package with moderate severity detected | -| [NU1903](../reference/errors-and-warnings/NU1901-NU1904.md) | Package with high severity detected | -| [NU1904](../reference/errors-and-warnings/NU1901-NU1904.md) | Package with critical severity detected | -| [NU1905](../reference/errors-and-warnings/NU1905.md) | An audit source does not provide a vulnerability database | +In scenarios where you have analyzed a specific advisory and have determined that it either does not apply to your scenario, or you are comfortable with the risks it imposes, you can choose to exclude specific advisories from the audit report. +Note that this would completely suppress the advisories, even for packages that share the advisory that may not be part of your project. +`NuGetAuditSuppress` should be considered a last resort for managing advisories. -You can customize your build to treat these warnings as errors to [treat warnings as errors, or treat warnings not as errors](/dotnet/csharp/language-reference/compiler-options/errors-warnings#warningsaserrors-and-warningsnotaserrors). 
-For example, if you're already using `` to treat all (C#, NuGet, MSBuild, etc) warnings as errors, you can use `$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904` to prevent vulnerabilities discovered in the future from breaking your build. -Alternatively, if you want to keep low and moderate vulnerabilities as warnings, but treat high and critical vulnerabilities as errors, and you're not using `TreatWarningsAsErrors`, you can use `$(WarningsAsErrors);NU1903;NU1904`. +## Actions when packages with known vulnerabilities are reported -> [!NOTE] -> MSBuild properties for message severity such as `NoWarn` and `TreatWarningsAsErrors` are not supported for packages.config projects. +Getting a warning about packages with known vulnerabilities is only part of the process. +Once discovered, action needs to be taken to remove the potential vulnerability from your solution. + +The easiest case is when a package you reference directly has the known vulnerability. +In this situation, update the package version to one that fixes the vulnerability. + +Package vulnerabilities may be reported in both direct and transitive package references. +The action you take to resolve may be different because of that. + +### Security vulnerabilities found with updates + +If security vulnerabilities are found and updates are available for the package, you can do one of the following: + +- Edit the `.csproj` or other package version location (`Directory.Packages.props`) with a newer version containing a security fix. +- Use the NuGet package manager user interface in Visual Studio to update the individual package. +- Run the `dotnet package update --vulnerable` command to update all vulnerable packages in a project to the first version without known vulnerabilities. +- Run the `dotnet package update` or `dotnet package add` commands with the respective package ID to update to the latest version. 
Use [`dotnet add package` when using .NET 9 or earlier](/dotnet/core/whats-new/dotnet-10/sdk#more-consistent-command-order). +- Use the NuGet Model Context Protocol (MCP) server that has the ability to update packages in your project to versions that resolve known vulnerabilities. +See [Fixing package vulnerabilities](NuGet-MCP-Server.md#fixing-package-vulnerabilities) for more information. + +#### Transitive Packages + +Often a vulnerability will be in a transitive dependency. +Our recommendation is to prefer updates to packages "closest" to your direct references. +Though, there's nothing wrong with just upgrading the package with known vulnerability either. + +For example, say your project references package A. +Package A has a dependency on package B, which in turn has a dependency on package C. +In this example, we'll consider that package C version 1.0.0 has a known vulnerability, fixed in version 2.0.0. +Our recommendation is to first try upgrading package A. +If that doesn't resolve the audit warning, then try upgrading package B. +If that doesn't resolve the audit warning, then upgrade C directly. +To aid with this, you'll [need to find the transitive package path](#finding-the-transitive-package-path). + +In summary, if a known vulnerability exists in a top-level package's transitive dependencies, you have these options: + +- Check if the top-level package contains an update that does not have a transitive vulnerability and update that instead. +- Update the closest package to your direct references that does not reference a vulnerability. +- Add the fixed package version as a direct package reference. **Note:** Be sure to remove this reference when a new package version update becomes available and be sure to maintain the defined attributes for the expected behavior. +- Use [Central Package Management with the transitive pinning functionality](../consume-packages/Central-Package-Management.md#transitive-pinning). 
+ Note that if you pack your project into your own package to share with others, [CPM with transitive pinning will cause packages to become dependencies](../consume-packages/Central-Package-Management.md#transitive-pinning-and-pack), even if your project doesn't directly call APIs on that package. +- [Suppress the advisory](#excluding-advisories) until it can be addressed. +- File an issue in the top-level package's tracker to request an update. + +##### Finding the transitive package path + +There are several ways to find the package path. +Which method you prefer depends on what tools you normally use during your development. + +###### dotnet nuget why + +On the command line, you can use the [`dotnet nuget why` command](/dotnet/core/tools/dotnet-nuget-why) to understand why transitive packages are being included in your project's package graph. + +![dotnet nuget why example](media/dotnet-nuget-why-1.png) + +###### Visual Studio Solution Explorer + +SDK style projects also provide the full package graph under the project's Dependency node. +It's also searchable! +Expand search options and enable “search external files”. + +![Visual Studio Solution Explorer Search Options](media/vs-solution-explorer-search-options-1.png) + +Search the package name, and it will show you all instances under each project's Dependencies node. + +![Visual Studio Solution Explorer Search Results](media/vs-solution-explorer-search-results-1.png) + +###### Visual Studio NuGet Package Manager UI + +When you look at the Installed tab in Visual Studio's package manager UI, when the project uses PackageReference for package management, it will show both direct and transitive packages. +Currently, this only happens when you manage packages for a project, not for the solution. + +If you mouse hover over a package in the package list, the tooltip will include the name of one direct package that has caused that transitive package to be included in the project. 
+ +![Visual Studio Package Manager UI tooltip](media/pm-ui-transitive-tooltip-1.png) + +### Security vulnerabilities found with no updates + +In the case that a known vulnerability exists in a package without a security fix, you can do the following. + +- Check for any mitigating factors outlined in the advisory report. +- Use a suggested package if the package is marked deprecated or is abandoned. +- If the package is open source, consider contributing a fix. +- Open an issue in the package's issue tracker. + +#### Check for mitigating factors + +Review the security advisor for any mitigating factors that may allow you to continue using the package with the vulnerability. +The vulnerability may only exist when the code is used on a specific framework, operating system, or a special function is called. + +#### Use a suggested package + +In the case that a security advisory is reported for the package you're using and the package is marked deprecated or seems abandoned, consider using any suggested alternate package the package author has declared or a package comprising of similar functionality that is maintained. + +#### Contribute a fix + +If a fix does not exist for the security advisory, you may want to suggest changes that addresses the vulnerability in a pull request on package's open source repository or contact the author through the `Contact owners` section on the NuGet.org package detail page. + +#### Open an issue + +If you do not want to fix the vulnerability or are unable to update or replace the package, open an issue in the package's issue tracker or preferred contact method. +On NuGet.org, you can navigate to the package details page and click `Report package` which will guide you to get in contact with the author. + +### No security vulnerabilities found + +If no security vulnerabilities are found, this means that packages with known vulnerabilities were not found in your package graph at the present moment of time you checked. 
+Since the advisory database can be updated at any time, we recommend regularly checking your `dotnet restore` output and ensuring the same in your continuous integration process. ## Running NuGet Audit in CI 
@@ -177,68 +291,5 @@ Viewing [MSBuild's metaproj](/visualstudio/msbuild/how-to-build-specific-targets ## `dotnet list package --vulnerable` -Once a project is successfully restored, [`dotnet list package`](/dotnet/core/tools/dotnet-list-package) has a `--vulnerable` argument to filter the packages based on which packages have known vulnerabilities. +[`dotnet list package`](/dotnet/core/tools/dotnet-list-package) has a `--vulnerable` argument to filter the packages based on which packages have known vulnerabilities. Note that `--include-transitive` is not default, so should be included. - -## Actions when packages with known vulnerabilities are reported - -We also have a [blog post](https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/) which discusses our recommended method for taking action when a package with a known vulnerability is found to be used by your project, and tools to help get more information. - -### Security vulnerabilities found with updates - -If security vulnerabilities are found and updates are available for the package, you can either: - -- Edit the `.csproj` or other package version location (`Directory.Packages.props`) with a newer version containing a security fix. -- Use the NuGet package manager user interface in Visual Studio to update the individual package. -- Run the `dotnet package update --vulnerable` command to update all vulnerable packages in a project to the first version without known vulnerabilities. -- Run the `dotnet package update` or `dotnet package add` commands with the respective package ID to update to the latest version. Use [`dotnet add package` when using .NET 9 or earlier](/dotnet/core/whats-new/dotnet-10/sdk#more-consistent-command-order). - -#### Transitive Packages - -If a known vulnerability exists in a top-level package's transitive dependencies, you have these options: - -- Add the fixed package version as a direct package reference. 
**Note:** Be sure to remove this reference when a new package version update becomes available and be sure to maintain the defined attributes for the expected behavior. -- Use [Central Package Management with the transitive pinning functionality](../consume-packages/Central-Package-Management.md#transitive-pinning). -- [Suppress the advisory](#excluding-advisories) until it can be addressed. -- File an issue in the top-level package's tracker to request an update. - -### Use Copilot to update packages -NuGet has released a Model Context Protocol (MCP) server that has the ability to update packages in your project to versions that resolve known vulnerabilities. -See [Fixing package vulnerabilities](NuGet-MCP-Server.md#fixing-package-vulnerabilities) for more information. - -### Security vulnerabilities found with no updates - -In the case that a known vulnerability exists in a package without a security fix, you can do the following. - -- Check for any mitigating factors outlined in the advisory report. -- Use a suggested package if the package is marked deprecated or is abandoned. -- If the package is open source, consider contributing a fix. -- Open an issue in the package's issue tracker. - -#### Check for mitigating factors - -Review the security advisor for any mitigating factors that may allow you to continue using the package with the vulnerability. -The vulnerability may only exist when the code is used on a specific framework, operating system, or a special function is called. - -#### Use a suggested package - -In the case that a security advisory is reported for the package you're using and the package is marked deprecated or seems abandoned, consider using any suggested alternate package the package author has declared or a package comprising of similar functionality that is maintained. 
- -#### Contribute a fix - -If a fix does not exist for the security advisory, you may want to suggest changes that addresses the vulnerability in a pull request on package's open source repository or contact the author through the `Contact owners` section on the NuGet.org package detail page. - -#### Open an issue - -If you do not want to fix the vulnerability or are unable to update or replace the package, open an issue in the package's issue tracker or preferred contact method. -On NuGet.org, you can navigate to the package details page and click `Report package` which will guide you to get in contact with the author. - -### No security vulnerabilities found - -If no security vulnerabilities are found, this means that packages with known vulnerabilities were not found in your package graph at the present moment of time you checked. -Since the advisory database can be updated at any time, we recommend regularly checking your `dotnet restore` output and ensuring the same in your continuous integration process. - -## Summary - -Security auditing features are crucial for maintaining the security and integrity of software projects. -These features provide you with an additional layer of protection against security vulnerabilities and ensures that you can use open source packages with confidence. diff --git a/docs/concepts/NuGet-MCP-Server.md b/docs/concepts/NuGet-MCP-Server.md index 9a51f1d89..ccbd97e63 100644 --- a/docs/concepts/NuGet-MCP-Server.md +++ b/docs/concepts/NuGet-MCP-Server.md 
@@ -73,6 +73,84 @@ To verify that the MCP server is working correctly, open the GitHub Copilot Chat Then click the Tools icon in the bottom toolbar to bring up the Tools menu. You should see the MCP server named "nuget" in the list of available servers. +## Getting started in GitHub Copilot Agent + +You can also configure the MCP Server to work with GitHub Copilot as a Coding Agent in your repositories. +Ensure that you configured your repository to use [GitHub Copilot Coding Agents](https://github.com/settings/copilot/coding_agent). + +Browse to your repository and click the Settings tab. +Expand the Copilot section and click on Coding Agents. + +![GitHub Copilot coding agent settings](./media/github-copilot-agent-settings.png) + +Scroll down to the **Model Context Protocol (MCP)** section and add the following JSON snippet to your `mcpServers` configuration: + +```json +{ + "mcpServers": { + "NuGet": { + "type": "local", + "command": "dnx", + "args": ["NuGet.Mcp.Server", "--yes"], + "tools": ["*"], + "env": {} + } + } +} +``` + +This will make all of NuGet's MCP server tools available. If you want specific tools, you can list them in the `"tools"` parameter array. + +Finally, click the **Save MCP configuration** button to save your changes. + +Now that the NuGet MCP is configured, you will also need to create a GitHub Actions workflow to install .NET 10 Preview 6 or higher so that the `dnx` command is available to run the MCP server. 
+You can do this by creating the following workflow file in your repository at + +`.github/workflows/copilot-setup-steps.yml` + +The contents of this workflow file should be as follows: + +```yml +name: "Copilot Setup Steps" + +# Automatically run the setup steps when they are changed to allow for easy validation, and +# allow manual testing through the repository's "Actions" tab +on: + workflow_dispatch: + push: + paths: + - .github/workflows/copilot-setup-steps.yml + pull_request: + paths: + - .github/workflows/copilot-setup-steps.yml + +jobs: + # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot. + copilot-setup-steps: + runs-on: ubuntu-latest + + # Set the permissions to the lowest permissions possible needed for your steps. + # Copilot will be given its own token for its operations. + permissions: + # If you want to clone the repository as part of your setup steps, for example to install dependencies, you'll need the `contents: read` permission. If you don't clone the repository in your setup steps, Copilot will do this for you automatically after the steps complete. + contents: read + + # You can define any steps you want, and they will run before the agent starts. + # If you do not check out your code, Copilot will do this for you. + steps: + - name: Install .NET 10.x + uses: actions/setup-dotnet@v5 + with: + dotnet-version: | + 10.x + dotnet-quality: preview + + - name: dotnet --info + run: dotnet --info +``` + +This will ensure that the `dnx` command is available to run the NuGet MCP server when GitHub Copilot runs as a coding agent in your repository. + ## Fixing package vulnerabilities The NuGet MCP server can help you identify and fix package vulnerabilities in your project. diff --git a/docs/concepts/media/dotnet-nuget-why-1.png b/docs/concepts/media/dotnet-nuget-why-1.png new file mode 100644 index 000000000..b8422c44e Binary files /dev/null and b/docs/concepts/media/dotnet-nuget-why-1.png differ 
diff --git a/docs/concepts/media/github-copilot-agent-settings.png b/docs/concepts/media/github-copilot-agent-settings.png new file mode 100644 index 000000000..2b998ee35 Binary files /dev/null and b/docs/concepts/media/github-copilot-agent-settings.png differ diff --git a/docs/concepts/media/pm-ui-transitive-tooltip-1.png b/docs/concepts/media/pm-ui-transitive-tooltip-1.png new file mode 100644 index 000000000..d83e6bced Binary files /dev/null and b/docs/concepts/media/pm-ui-transitive-tooltip-1.png differ diff --git a/docs/concepts/media/vs-solution-explorer-search-options-1.png b/docs/concepts/media/vs-solution-explorer-search-options-1.png new file mode 100644 index 000000000..870c39a8a Binary files /dev/null and b/docs/concepts/media/vs-solution-explorer-search-options-1.png differ diff --git a/docs/concepts/media/vs-solution-explorer-search-results-1.png b/docs/concepts/media/vs-solution-explorer-search-results-1.png new file mode 100644 index 000000000..00e30fedd Binary files /dev/null and b/docs/concepts/media/vs-solution-explorer-search-results-1.png differ diff --git a/docs/consume-packages/nuget-https-everywhere.md b/docs/consume-packages/nuget-https-everywhere.md new file mode 100644 index 000000000..47c97e01d --- /dev/null +++ b/docs/consume-packages/nuget-https-everywhere.md 
@@ -0,0 +1,97 @@ +--- +title: NuGet HTTPS Everywhere +description: Learn why NuGet enforces HTTPS connections for package sources, what errors like NU1302 mean, and how to safely allow HTTP feeds when necessary. +author: Nigusu-Allehu +ms.author: nyenework +ms.date: 10/28/2025 +ms.topic: conceptual +ai-usage: ai-generated +--- + +# NuGet HTTPS Everywhere + +NuGet requires all package sources to use **HTTPS** instead of **HTTP**. +This enforcement protects the software supply chain by preventing tampering and interception during package restore and related operations. +NuGet enforces this requirement by producing an error and stopping the operation when an HTTP source is used. + +## Understanding the HTTP Error + +This error occurs when one or more package sources in your configuration use an **HTTP** URL instead of **HTTPS**. + +In earlier NuGet versions, this scenario produced a **warning** ([`NU1803`](../reference/errors-and-warnings/nu1803.md)). +Beginning with [**NuGet 6.12**](../release-notes/NuGet-6.12.md) and later, it now results in an **error** unless the use of HTTP sources is explicitly permitted. + +### Recommended Resolution + +Before allowing HTTP connections, confirm whether your package source supports HTTPS. +If it does, update the feed URL to use the secure protocol: + +```xml + +``` + +Switching to HTTPS ensures end-to-end encryption and is the recommended and more secure approach. + +### Allowing Insecure HTTP Feeds (Opt-Out) + +If HTTPS is not available and you operate in a trusted or isolated environment, you can explicitly allow HTTP sources. + +#### Option 1: Set allowInsecureConnections in your `NuGet.Config` + +* **Use Visual Studio** + + Enable or disable allowing insecure HTTP connections with the [Package Sources settings](/nuget/consume-packages/nuget-visual-studio-options#allow-insecure-connections) under the Visual Studio options > **NuGet Package Manager**. 
+ +* **Edit `NuGet.Config` manually** + + Add the `allowInsecureConnections="true"` attribute to the affected source: + + ```xml + + + + + + + ``` + +#### Option 2: Use the Command-Line Parameter + +For commands that support it, include the following flag to temporarily permit HTTP connections: + +For **dotnet** commands: + +```bash +--allow-insecure-connections +``` + +For **NuGet.exe** commands, use: + +```powershell +-AllowInsecureConnections +``` + +#### Commands that support opt-out options + +| Tool | Commands | Support for Allow Insecure Connection | +| -------------- | ------------------------- | ------------------------------------- | +| **nuget.exe** | `push` | NuGet **7.0** | +| **dotnet CLI** | `dotnet nuget push` | .NET **10.0.1xx** and newer | +| **dotnet CLI** | `dotnet nuget add source` | .NET **9.0.1xx** and newer | + +## HTTPS Enforcement Rollout Across Tools + +NuGet’s HTTPS enforcement was introduced gradually across releases. +The following table summarizes the progression from [**warnings (NU1803)**](../reference/errors-and-warnings/nu1803.md) to [**errors (NU1302)**](../reference/errors-and-warnings/nu1302.md). + +| Versions Affected | Behavior | +| ----------------------------------------------------- | --------------------------------------------------------------------- | +| [NuGet.exe 6.3](../release-notes/NuGet-6.3.md)+, Visual Studio 17.3+, .NET 6.0.100+ | ⚠️ **Warning (NU1803)** – HTTP sources allowed but discouraged | +| [NuGet.exe 6.12](../release-notes/NuGet-6.12.md)+, Visual Studio 17.12+, .NET 9.0.100+ | ❌ **Error (NU1302)** – HTTP sources blocked unless explicitly allowed| + +## See Also + +* [NU1302](../reference/errors-and-warnings/nu1302.md) +* [NU1803](../reference/errors-and-warnings/nu1803.md) +* [NuGet.Config Reference](../reference/nuget-config-file.md#packagesources) +* [NuGet Visual Studio Options](../consume-packages/nuget-visual-studio-options.md) 
diff --git a/docs/create-packages/Sign-a-Package.md b/docs/create-packages/Sign-a-Package.md index 098353fe7..4b3cb5692 100644 --- a/docs/create-packages/Sign-a-Package.md +++ b/docs/create-packages/Sign-a-Package.md @@ -29,6 +29,8 @@ You can use self-issued certificates for testing purposes. However, packages sig ## Export the certificate file +* If your certificate is stored in a hardware token, you should not export the certificate. Instead, specify the SHA-2 family certificate fingerprints (thumbprint) by using the option `--certificate-fingerprint ` (replacing `--certificate-path `) + * You can export an existing certificate to a binary DER format by using the Certificate Export Wizard. ![Certificate Export Wizard](../reference/media/CertificateExportWizard.png) diff --git a/docs/docs.csproj b/docs/docs.csproj new file mode 100644 index 000000000..e63c1c5b9 --- /dev/null +++ b/docs/docs.csproj @@ -0,0 +1,5 @@ + + + net472 + + \ No newline at end of file diff --git a/docs/reference/errors-and-warnings/NU1302.md b/docs/reference/errors-and-warnings/NU1302.md index 8bbecf34e..2dd3803d8 100644 --- a/docs/reference/errors-and-warnings/NU1302.md +++ b/docs/reference/errors-and-warnings/NU1302.md @@ -10,6 +10,8 @@ f1_keywords: # NuGet Error NU1302 +## Scenario 1 + > You are running the 'restore' operation with an 'HTTP' source: myHttpSource. NuGet requires HTTPS sources. To use an HTTP source, you must explicitly set 'allowInsecureConnections' to true in your NuGet.Config file. Please refer to https://aka.ms/nuget-https-everywhere for more information. ### Issue 
@@ -53,3 +55,34 @@ Here's how it functions: > [!WARNING] > Changing SdkAnalysisLevel has other side-effects. Refer to the [`SdkAnalysisLevel`](/dotnet/core/project-sdk/msbuild-props#sdkanalysislevel) for a summary of the full scope of .NET SDK features affected. + +## Scenario 2 + +> You are using a NuGet source 'https://contoso/v3/index.json' that contains an 'HTTP' service index resource endpoint: 'http://contoso/v3-flatcontainer/contoso/index.json'. This is insecure and not recommended. To allow HTTP resources, you must explicitly set 'allowInsecureConnections' to true in your NuGet.Config file. For more information, visit https://aka.ms/nuget-https-everywhere. + +### Issue + +A configured package source uses **HTTPS**, but one of its resources (indicated in the error message) uses **HTTP**. + +NuGet requires that all sources and their resources use HTTPS. +If you want to continue using this source despite its HTTP resource, you must set the `allowInsecureConnections` flag to true in your NuGet.config file. + +To learn more about package sources and resource endpoints, take a look at the [NuGet Server API](../../api/overview). + +#### Option 1: Update the Source to Use HTTPS + +Whenever possible, switch to a package source that provides only HTTPS resources. This is the recommended and most secure option. + +#### Option 2: Allow Insecure Connections (If Necessary) + +If you must use the source, explicitly allow insecure connections by adding the `allowInsecureConnections` flag in the `NuGet.Config`: + +For information about managing the setting in Visual Studio, see [NuGet Options in Visual Studio](../../consume-packages/nuget-visual-studio-options.md#allow-insecure-connections) + +```xml + + + + + +``` diff --git a/docs/reference/errors-and-warnings/NU1901-NU1904.md b/docs/reference/errors-and-warnings/NU1901-NU1904.md index f55154558..4fb538434 100644 --- a/docs/reference/errors-and-warnings/NU1901-NU1904.md 
+++ b/docs/reference/errors-and-warnings/NU1901-NU1904.md @@ -33,7 +33,7 @@ For more information, see [the documentation on auditing packages](../../concept ### Solution -We have [a blog post](https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/) with more discussion about our recommended actions when your project uses a package with a known vulnerability, and tools that can help. +We have [documentation on upgrading vulnerable packages](../../concepts/Auditing-Packages.md#actions-when-packages-with-known-vulnerabilities-are-reported) that goes in more detail about our recommended actions when your project uses a package with a known vulnerability, and tools that can help. Upgrading to a newer version of the package is likely to resolve the warning. If your project does not reference the package directly (it's a transitive package), [`dotnet nuget why`](/dotnet/core/tools/dotnet-nuget-why) can be used to understand which package caused it to be included in your project. diff --git a/docs/release-notes/Index.md b/docs/release-notes/Index.md index 638732d93..745e8f4db 100644 --- a/docs/release-notes/Index.md +++ b/docs/release-notes/Index.md @@ -1,8 +1,8 @@ --- title: Release Notes description: Index of NuGet release notes and known issues for all versions. -author: anangaur -ms.author: anangaur +author: donnie-msft +ms.author: eagoodso ms.date: 05/25/2022 ms.topic: release-notes --- @@ -11,7 +11,11 @@ ms.topic: release-notes [Known Issues](../release-notes/known-issues.md) -[Nuget 6.13](../release-notes/NuGet-6.13.md) +[NuGet 7.0](../release-notes/NuGet-7.0.md) + +[NuGet 6.14](../release-notes/NuGet-6.14.md) + +[NuGet 6.13](../release-notes/NuGet-6.13.md) [NuGet 6.12](../release-notes/NuGet-6.12.md) diff --git a/docs/release-notes/NuGet-7.0.md b/docs/release-notes/NuGet-7.0.md index 0582d19aa..0de1486cc 100644 --- a/docs/release-notes/NuGet-7.0.md +++ b/docs/release-notes/NuGet-7.0.md 
@@ -1,26 +1,312 @@ --- title: NuGet 7.0 Release Notes description: Release notes for NuGet 7.0 including new features, bug fixes, and DCRs. -author: zivkan +author: donnie-msft +ms.author: eagoodso +ms.date: 10/29/2025 ms.topic: release-notes --- -# NuGet 7.0 Release Notes - +# NuGet 7.0 Release Notes NuGet distribution vehicles: | NuGet version | Available in Visual Studio version | Available in .NET SDK(s) | -|:---|:---|:---| -| [**7.0**](https://nuget.org/downloads) | TBD | TBD | +| :---|:---|:---| +| [**7.0.0**](https://nuget.org/downloads) | [Visual Studio 2026 version 18.0.0](https://visualstudio.microsoft.com/downloads/) | [10.0.100](https://dotnet.microsoft.com/download/dotnet/10.0)1 | + +1 Installed with Visual Studio 2026 with any .NET workload + +## Summary: What's New in 7.0.0 + +* Projects that target .NET 10 warn for vulnerabilities in transitive packages by defaulting to NuGetAuditMode=all [#14161](https://github.com/nuget/home/issues/14161) + +* [Package pruning](../consume-packages/Package-References-in-Project-Files.md#prunepackagereference) is enabled for all projects targeting .NET 10 [#14345](https://github.com/NuGet/Home/issues/14345) + +* Created the [NuGet Model Context Protocol (MCP) Server](../concepts/NuGet-MCP-Server.md), supported by .NET 10 SDK or later. +NuGet's MCP is pre-installed in Visual Studio 2026, and installable in VS 17.14 and VS Code. +The server is published on nuget.org as the [NuGet.Mcp.Server](https://www.nuget.org/packages/NuGet.Mcp.Server#readme-body-tab) package. 
+ +* Enable packing legacy PackageReference projects without the need for a package - [#14046](https://github.com/NuGet/Home/issues/14046) + +* Deprecate SHA-1 usage in .NET 10 - [#13814](https://github.com/NuGet/Home/issues/13814) + +* Details pane reflects Vulnerability Data from Audit Sources - [#14554](https://github.com/NuGet/Home/issues/14554) + +* NuGet AuditSources support in the Package Manager UI - [#13954](https://github.com/NuGet/Home/issues/13954) + +* Migrate NuGet's settings to the new Visual Studio Options window + + * Migrate "Package sources" settings in Visual Studio Options - [#14233](https://github.com/NuGet/Home/issues/14233) + + * Migrate "Package Source Mapping" settings in Visual Studio Options - [#14234](https://github.com/NuGet/Home/issues/14234) + +* dotnet update package --vulnerable (Audit fix) - [#13372](https://github.com/NuGet/Home/issues/13372) + +### Breaking changes + +* Add package ID validation during restore - [#14407](https://github.com/NuGet/Home/issues/14407) + +* Project.json is no longer supported in 7.0. 
Visual Studio 2026 automatically migrated project.json projects to PackageReference + +* Package pruning will lead to a one-time diff in packages lock file - [#14272](https://github.com/NuGet/Home/issues/14272) + +* Pruning privatizes a direct references by apply PrivateAssets=all and IncludeAssets=none - [#14196](https://github.com/NuGet/Home/issues/14196) + +* Raise an error for SHA-1 fingerprints usage in NuGet.exe sign, mssign commands - [#13962](https://github.com/NuGet/Home/issues/13962) + +* Show an error when a non https source is used in a resource in a service index - [#13364](https://github.com/NuGet/Home/issues/13364) + +#### SDK Breaking changes + +* Project.json deprecation + * Remove project.json pack - [#7931](https://github.com/NuGet/Home/issues/7931) + + * Remove project.json support - [#7199](https://github.com/NuGet/Home/issues/7199) + + * Remove PackageSpec.Dependencies - [#14446](https://github.com/NuGet/Home/issues/14446) + + * Clean up Package Spec redudant APIs - [#6231](https://github.com/NuGet/Home/issues/6231) + +* Unused NuGet VS Extensibility APIs removed - [#14403](https://github.com/NuGet/Home/issues/14403) + +* Remove all unused APIs marked as obsolete in NuGet.Frameworks, NuGet.Protocol, NuGet.Commands & NuGet.PackageManagement - [#14395](https://github.com/NuGet/Home/issues/14395) + +* Remove obsolete APIs from NuGet.Common, NuGet.Configuration, NuGet.LibraryModel, NuGet.Packaging and NuGet.ProjectModel - [#14393](https://github.com/NuGet/Home/issues/14393) + +* Block and remove code for unused restore implementations such as `Standalone`. 
- [#14184](https://github.com/NuGet/Home/issues/14184) + +* Remove `DotnetToolReference` restore - [#14183](https://github.com/NuGet/Home/issues/14183) + +### Issues fixed in this release + +#### NuGet SDK fixes + +* Don't use reflection based deserialization in NuGet.Protocol - [#14470](https://github.com/NuGet/Home/issues/14470) + +* JsonSerializerIsReflectionDisabled on update to Nuget.Protocols 6.13.1 in apps with JsonSerializerIsReflectionEnabledByDefault set to false - [#14111](https://github.com/NuGet/Home/issues/14111) + +#### .NET CLI + +* Enable CanShowDialog for .NET core Authentication Plugins - [#14010](https://github.com/NuGet/Home/issues/14010) + +* "dotnet package update" modifies wrong project file (csproj) - [#14585](https://github.com/NuGet/Home/issues/14585) + +* dotnet nuget verify should output package content hash - [#14384](https://github.com/NuGet/Home/issues/14384) + +* dotnet package update should support --verbosity - [#14319](https://github.com/NuGet/Home/issues/14319) + +* dotnet package update should support CPM and VersionOverride - [#14318](https://github.com/NuGet/Home/issues/14318) + +* dotnet package update should support multiple packages - [#14308](https://github.com/NuGet/Home/issues/14308) + +* dotnet package update should support package source mapping - [#14307](https://github.com/NuGet/Home/issues/14307) + +* dotnet package update to a specific version - [#14306](https://github.com/NuGet/Home/issues/14306) + +* dotnet package update initial version - [#14305](https://github.com/NuGet/Home/issues/14305) + +* [Bug Bash][Unstable] An error “Attempted to divide by zero.” occurs when executing command “dotnet list [ProjectPath] package --vulnerable” - [#14122](https://github.com/NuGet/Home/issues/14122) + +* [Feature]: dotnet list [project | solution] package does not work with solution filters - [#11789](https://github.com/NuGet/Home/issues/11789) + +#### Package Manager UI in Visual Studio + +* Convert Search Control to 
Fluent UI - [#14469](https://github.com/NuGet/Home/issues/14469) + +* Use Fluent TextBox for Project PM UI Installed Version - [#14466](https://github.com/NuGet/Home/issues/14466) + +* [Bug Bash] There is a tiny gap in the version drop-down list of PM UI - [#11990](https://github.com/NuGet/Home/issues/11990) + +* [Bug Bash] The dropdown list of PM UI doesn’t distinguish the background color between selected-item and hover-on item - [#10977](https://github.com/NuGet/Home/issues/10977) + +* [Bug Bash] Pressing the page-down button on the keyboard when focusing on ‘Version’ drop-down box with Tab key makes the box empty - [#13605](https://github.com/NuGet/Home/issues/13605) + +* Dead Code: ActionsAndVersions View - [#14464](https://github.com/NuGet/Home/issues/14464) + +#### Visual Studio options + +* Decommission Legacy VS Options NuGet Settings - [#14398](https://github.com/NuGet/Home/issues/14398) + +* When adding an http source in the options dialog, have the user click on a checkbox to more explicitly agree to AllowInsecureConnections being added - [#14377](https://github.com/NuGet/Home/issues/14377) + +* Error needed in Package Sources settings for HTTP source without AllowInsecureConnections - [#14367](https://github.com/NuGet/Home/issues/14367) + +* Improve validation of NuGet's settings in Visual Studio Options - [#14359](https://github.com/NuGet/Home/issues/14359) + +* Show validation errors on NuGet options pages while typing - [#14358](https://github.com/NuGet/Home/issues/14358) + +* [Bug Bash] [Unstable] The first removing of a source mapping from the ‘Package Source Mappings’ list in ‘Package Source Mapping’ dialog doesn’t work - [#13520](https://github.com/NuGet/Home/issues/13520) + +* [Localization] The table title ‘Package Source Mapping’ in the ‘Options->NuGet Package Manager->Package Source Mapping’ page was not localized - [#14550](https://github.com/NuGet/Home/issues/14550) + +* [Bug Bash] The offline package source cannot be enabled after 
disabling it from the ‘Machine-wide package sources’ source list previously in the ‘Options->NuGet Package Manager->Package Sources’ window - [#13434](https://github.com/NuGet/Home/issues/13434) + +* [Bug Bash] The “source” column of the “Add New Package Source Mapping” dialog doesn’t have the minimum width set which makes it can be dragged out of sight - [#13355](https://github.com/NuGet/Home/issues/13355) + +* [Bug Bash] The first reopening of Options dialog should bring back the default package source "Microsoft Visual Studio Offline Packages" in "package sources" list when all the sources were deleted previously - [#13278](https://github.com/NuGet/Home/issues/13278) + +* [Bug Bash] Newly added package source mapping shouldn’t be case-sensitive in “Option->NuGet Package Manager->Package Source Mapping” window - [#13210](https://github.com/NuGet/Home/issues/13210) + +* [Bug Bash] New added package source mapping will lost after switching back to the "Package Source Mapping" tab from other tab in “Option->NuGet Package Manager” window - [#13150](https://github.com/NuGet/Home/issues/13150) + +* [Bug Bash] The “Remove” button should be disable when no package source mapping is selected in the “Package Source Mappings” list - [#13115](https://github.com/NuGet/Home/issues/13115) + +* [CSY] Duplicated hotkeys show in “Options->NuGet Package Manager->Package Sources” dialog - [#7822](https://github.com/NuGet/Home/issues/7822) + +* VS NuGet PMUI - Machine-wide package sources area should be vertically resize-able as well - [#7560](https://github.com/NuGet/Home/issues/7560) + +* [Bug Bash] There will be a duplicated package source when modifying the name of source “Microsoft Visual Studio Offline Packages” - [#13057](https://github.com/NuGet/Home/issues/13057) + +* [Bug Bash] The “Options->NuGet Package Manager->Package Sources” page is disabled after checking or unchecking the checkbox “Enabled” of any one of the package sources having duplicated sources - 
[#14499](https://github.com/NuGet/Home/issues/14499) + +* Have to manually select pre-populated text on Add Package Source dialog - [#14450](https://github.com/NuGet/Home/issues/14450) + +* VS should not delete Package Source attributes when Name is updated - [#14370](https://github.com/NuGet/Home/issues/14370) + +#### Package Pruning + +* Warning rollout for PrunePackageReference - [#14126](https://github.com/NuGet/Home/issues/14126) + +* Missing audit warnings from "nuget install" when nuget.org is not a package source - [#14096](https://github.com/NuGet/Home/issues/14096) + +* It's not possible to push to HTTP sources specified via command line - [#14047](https://github.com/NuGet/Home/issues/14047) + +* Package pruning is enabled for all projects targeting .NET 10 including multi-targeted ones - [#14345](https://github.com/NuGet/Home/issues/14345) + +* Move pruning enabled frameworks to the NuGet.targets - [#14424](https://github.com/NuGet/Home/issues/14424) + +* Change _RestorePackagePruningDefault to RestorePackagePruningDefault - [#14511](https://github.com/NuGet/Home/issues/14511) + +#### Restore + +* dotnet restore/Visual Studio conflicting with .esproj + Nx project.json - [#13512](https://github.com/NuGet/Home/issues/13512) + +* Improve NU1004 when pruning is used with locked mode - [#14075](https://github.com/NuGet/Home/issues/14075) + +* Consider not writing NuGetToolVersion to generated MSBuild props files on Restore - [#14355](https://github.com/NuGet/Home/issues/14355) + +* NuGet Restore fails if SQL Server Management Studio 21 is installed - [#14349](https://github.com/NuGet/Home/issues/14349) + +* Remove NUGET_EXPERIMENTAL_USE_NJ_FOR_FILE_PARSING - [#14257](https://github.com/NuGet/Home/issues/14257) + +* Remove RestoreTargetGraph.Name as it's redundant with restoreTargetGraph.TargetGraphName being the widely used version - [#14529](https://github.com/NuGet/Home/issues/14529) + +* Remove RestoreArgs.LockFileVersion as it's functionality unused - 
[#14524](https://github.com/NuGet/Home/issues/14524) + +* Remove NUGET_BULK_RESTORE_COORDINATION and NUGET_SOLUTION_CACHE_INITIALIZATION fallbacks - [#14502](https://github.com/NuGet/Home/issues/14502) + +#### Dependency resolver + +* New dependency resolver does not properly handle floating prerelease versions - [#13833](https://github.com/NuGet/Home/issues/13833) + +* Reenable new algorithm resolution with lock files - [#13800](https://github.com/NuGet/Home/issues/13800) + +#### Other + +* Stop ilmerging pack - [#13079](https://github.com/NuGet/Home/issues/13079) + +* Make NuGet.Client's Build.ps1 more friendly to GitHub Copilot in VSCode - [#14453](https://github.com/NuGet/Home/issues/14453) + +* Generate identical [Content_Types].xml on repeated builds - [#14357](https://github.com/NuGet/Home/issues/14357) + +* pack legacy csproj: include pack targets and tasks in VS build tools - [#14520](https://github.com/NuGet/Home/issues/14520) + +* VS crashes when the only project in the solution is a project.json project - [#14553](https://github.com/NuGet/Home/issues/14553) + +* review exception handling - [#14440](https://github.com/NuGet/Home/issues/14440) + +* Improve perf by avoiding redundant dictionary lookups - [#14432](https://github.com/NuGet/Home/issues/14432) + +* LockFileLibrary does not need to be mutable - [#14385](https://github.com/NuGet/Home/issues/14385) + +[List of commits in this release](https://github.com/NuGet/NuGet.Client/compare/6.14.1.1...7.0.0.289) + +### Community contributions -## Not yet released +Thank you to all the contributors who helped make this NuGet release awesome! -This version of NuGet is in preview and these release notes will be updated when it is released. 
+* [SimonCropp](https://github.com/NuGet/NuGet.Client/pull/6720) + * [6720](https://github.com/NuGet/NuGet.Client/pull/6720) remove redundant default constructors + * [6610](https://github.com/NuGet/NuGet.Client/pull/6610) add "does not have a min version" to messages in GetNupkgInfo + * [6581](https://github.com/NuGet/NuGet.Client/pull/6581) remove redundant dictionary lookups in MarkTransitiveOrigin + * [6596](https://github.com/NuGet/NuGet.Client/pull/6596) enable nullability in PackageItemViewModelTests + * [6634](https://github.com/NuGet/NuGet.Client/pull/6634) remove IFrameworkTargetable + * [6616](https://github.com/NuGet/NuGet.Client/pull/6616) avoid redundant version parsing in PluginFindPackageByIdResource + * [6595](https://github.com/NuGet/NuGet.Client/pull/6595) enable nullability in ReadmePreviewViewModelTests + * [6587](https://github.com/NuGet/NuGet.Client/pull/6587) remove redundant dictionary lookup in ProcessUnrankedEntries + * [6598](https://github.com/NuGet/NuGet.Client/pull/6598) enable nullability in EmbeddedResourcesCapabilityTests + * [6577](https://github.com/NuGet/NuGet.Client/pull/6577) use fields instead of private properties + * [6622](https://github.com/NuGet/NuGet.Client/pull/6622) remove un-used list in GetPackagesToBeReinstalled + * [6589](https://github.com/NuGet/NuGet.Client/pull/6589) redundant null check for projectManagerService.GetMetadataAsync return value + * [6605](https://github.com/NuGet/NuGet.Client/pull/6605) enable nullable in VSRestoreSettingsUtilityTests + * [6575](https://github.com/NuGet/NuGet.Client/pull/6575) remove redundant dictionary lookup in CredentialServiceAdapter.GetCredentials + * [6601](https://github.com/NuGet/NuGet.Client/pull/6601) enable nullabe in NuGetInstallCommandTest + * [6593](https://github.com/NuGet/NuGet.Client/pull/6593) enable nullable in IProjectContextInfoExtensionsTests + * [6614](https://github.com/NuGet/NuGet.Client/pull/6614) remove redundant lists in 
DependencyGraphFileRequestProvider + * [6625](https://github.com/NuGet/NuGet.Client/pull/6625) remove un-used variables in PackageExtractor + * [6609](https://github.com/NuGet/NuGet.Client/pull/6609) fix nullability in UnresolvedMessages + * [6608](https://github.com/NuGet/NuGet.Client/pull/6608) remove un-used contextForGather + * [6628](https://github.com/NuGet/NuGet.Client/pull/6628) remove redundant enumeration in CredentialsItem + * [6617](https://github.com/NuGet/NuGet.Client/pull/6617) remove toolItems list instance in MSBuildRestoreUtility + * [6599](https://github.com/NuGet/NuGet.Client/pull/6599) fix parameter nullability in Constructor_SetReportAbuseUrl_Initialize… + * [6604](https://github.com/NuGet/NuGet.Client/pull/6604) enable nullable in LegacyPackageReferenceProjectTests + * [6631](https://github.com/NuGet/NuGet.Client/pull/6631) remove DependencyGraphSpecRequestProvider.CollectReferences + * [6635](https://github.com/NuGet/NuGet.Client/pull/6635) remove EnvDteProjectExtensions.PathComparer + * [6623](https://github.com/NuGet/NuGet.Client/pull/6623) remove redundant GetManifestResourceNames in ManifestSchemaUtility + * [6619](https://github.com/NuGet/NuGet.Client/pull/6619) remove unused packageID variable + * [6620](https://github.com/NuGet/NuGet.Client/pull/6620) remove un-used variables in PackageManagerControl + * [6640](https://github.com/NuGet/NuGet.Client/pull/6640) remove redundant exception handling + * [6637](https://github.com/NuGet/NuGet.Client/pull/6637) remove PackageManagerControl.AddMigratorBar + * [6629](https://github.com/NuGet/NuGet.Client/pull/6629) remove un-used HashSet instance in ResolverMetadataClient + * [6602](https://github.com/NuGet/NuGet.Client/pull/6602) enable nullable in MSBuildUtilityTest + * [6641](https://github.com/NuGet/NuGet.Client/pull/6641) remove redundant null condition in UpdateCommand.ExecuteCommandAsync + * [6683](https://github.com/NuGet/NuGet.Client/pull/6683) remove redundant string alloc in 
GetTempFilePath + * [6626](https://github.com/NuGet/NuGet.Client/pull/6626) remove un-used variables in SignedPackageArchiveIOUtility + * [6574](https://github.com/NuGet/NuGet.Client/pull/6574) remove redundant dictionary lookup in CreatePackageSourceMappingDictionary + * [6594](https://github.com/NuGet/NuGet.Client/pull/6594) enable nullability in InfiniteScrollListTests + * [6682](https://github.com/NuGet/NuGet.Client/pull/6682) Use async delay in SafeReadAsync + * [6600](https://github.com/NuGet/NuGet.Client/pull/6600) enable nullable in NuGetUpdateCommandTests + * [6606](https://github.com/NuGet/NuGet.Client/pull/6606) enable nullable in VSNominationUtilitiesTests + * [6613](https://github.com/NuGet/NuGet.Client/pull/6613) remove redundant type variable in GetExternalProject + * [6611](https://github.com/NuGet/NuGet.Client/pull/6611) remove un-used solutionService instances + * [6643](https://github.com/NuGet/NuGet.Client/pull/6643) remove MsBuildUtility.GetMsBuildPathInPathVar + * [6632](https://github.com/NuGet/NuGet.Client/pull/6632) remove PackageSpecFactory.GetTargetFrameworkStrings + * [6573](https://github.com/NuGet/NuGet.Client/pull/6573) avoid some allocation in ProjectFactory.ProcessDependencies + * [6588](https://github.com/NuGet/NuGet.Client/pull/6588) remove dictionary lookups from GetPreviewResultsAsync + * [6597](https://github.com/NuGet/NuGet.Client/pull/6597) fix nullability in PackageModelCreationTestHelper + * [6612](https://github.com/NuGet/NuGet.Client/pull/6612) remove un-used list instances in NuGetPackageManager + * [6591](https://github.com/NuGet/NuGet.Client/pull/6591) enable nullable in PackageSourceValidatorTests + * [6603](https://github.com/NuGet/NuGet.Client/pull/6603) fix nullability in IVsProjectBuildProperties + * [6636](https://github.com/NuGet/NuGet.Client/pull/6636) remove _project* fields from PackageReferenceProject + * [6630](https://github.com/NuGet/NuGet.Client/pull/6630) remove un-used identity instance in 
LocalV3FindPackageByIdResource + * [6618](https://github.com/NuGet/NuGet.Client/pull/6618) remove LoggerAdapter instance in NuGetPackageManager + * [6621](https://github.com/NuGet/NuGet.Client/pull/6621) remove un-used projectsByUniqueName in SolutionUpToDateChecker + * [6624](https://github.com/NuGet/NuGet.Client/pull/6624) remove un-used variables in PackageBuilder + * [6633](https://github.com/NuGet/NuGet.Client/pull/6633) remove JsonPackageSpecReader DelimitedStringSeparators and VersionSeparators + * [6642](https://github.com/NuGet/NuGet.Client/pull/6642) use cast instead of as and null check in CommandLineParser.AssignValue + * [6615](https://github.com/NuGet/NuGet.Client/pull/6615) remove redundant list in GetPluginAsync + * [6627](https://github.com/NuGet/NuGet.Client/pull/6627) remove un-used GetDirectoryName in MisplacedAssemblyOutsideLibRule + * [6578](https://github.com/NuGet/NuGet.Client/pull/6578) remove redundant dictionary lookup in PrunePackageTree.PruneDowngrades + * [6576](https://github.com/NuGet/NuGet.Client/pull/6576) remove redundant dictionary lookup in RecommenderPackageFeed +* [baronfel](https://github.com/NuGet/NuGet.Client/pull/6554) + * [6554](https://github.com/NuGet/NuGet.Client/pull/6554) Fix NuGet->SDK Codeflow + * [6514](https://github.com/NuGet/NuGet.Client/pull/6514) Pin and stabilize the `NuGetToolVersion` property in the generated NuGet props files during restore. 
+* [omajid](https://github.com/NuGet/NuGet.Client/pull/6500) + * [6500](https://github.com/NuGet/NuGet.Client/pull/6500) Ensure stable order of entries in Content_Types.xml + * [6507](https://github.com/NuGet/NuGet.Client/pull/6507) Support building on Linux when full signing is not available +* [AlexDelepine](https://github.com/NuGet/NuGet.Client/pull/6793) + * [6793](https://github.com/NuGet/NuGet.Client/pull/6793) Update Ngen Priorities for VS +* [hickford](https://github.com/NuGet/NuGet.Client/pull/6475) + * [6475](https://github.com/NuGet/NuGet.Client/pull/6475) Populate audit sources consistently +* [nohwnd](https://github.com/NuGet/NuGet.Client/pull/6735) + * [6735](https://github.com/NuGet/NuGet.Client/pull/6735) Disable loading profile in utility powershell.exe calls +* [mmitche](https://github.com/NuGet/NuGet.Client/pull/6539) + * [6539](https://github.com/NuGet/NuGet.Client/pull/6539) Move NuGet to xliff-tasks +* [dkurepa](https://github.com/NuGet/NuGet.Client/pull/6644) + * [6644](https://github.com/NuGet/NuGet.Client/pull/6644) Add Version.Details.props +* [bdukes](https://github.com/NuGet/NuGet.Client/pull/6530) + * [6530](https://github.com/NuGet/NuGet.Client/pull/6530) Fix `nuget.exe` restore finding MSBuild from SSMS instead of Visual Studio +* [ToddGrun](https://github.com/NuGet/NuGet.Client/pull/6519) + * [6519](https://github.com/NuGet/NuGet.Client/pull/6519) Make LockFileLibrary immutable for performance and sanity reasons + \ No newline at end of file diff --git a/global.json b/global.json new file mode 100644 index 000000000..d894f924e --- /dev/null +++ b/global.json @@ -0,0 +1,5 @@ +{ + "msbuild-sdks": { + "Microsoft.Build.NoTargets" : "3.7.134" + } +} \ No newline at end of file
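Review bot: In docs/create-packages/Sign-a-Package.md, the new hardware-token bullet sits under "Export the certificate file" but tells the reader not to export, and it pairs the plural "fingerprints" with the singular "(thumbprint)". Consider moving it into a short paragraph ahead of the export steps, naming the signing command the options belong to, writing "the SHA-2 family certificate fingerprint (thumbprint)", and ending the sentence with a period. As shown, both `--certificate-fingerprint ` and `--certificate-path ` end in a space with no argument placeholder; if a placeholder was intended, check that it survives Markdown rendering.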
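Review bot: docs/docs.csproj is a new project file targeting net472, and nothing in the patch explains why a documentation repository needs a build project. If it exists only so the docs folder can be opened in Visual Studio, please document that purpose next to the file, or leave it out of this change so the documentation updates can be reviewed on their own. The file is also missing a newline at end of file.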
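Review bot: In the "Scenario 2" hunk of NU1302.md, the "Option 1" and "Option 2" headings follow directly under "### Issue" with no "### Solution" heading, so the fixes read as part of the problem statement; add the heading before "#### Option 1". In Option 2, the sentence "For information about managing the setting in Visual Studio, see ..." separates the lead-in ending "in the `NuGet.Config`:" from the xml block it introduces, and it has no closing period; move it below the block. The file name is spelled both `NuGet.config` and `NuGet.Config` within this hunk, and the link `../../api/overview` has no `.md` extension, unlike the other relative link in the hunk. Since the quoted message calls the HTTP resource "insecure and not recommended", Option 2 would benefit from one sentence on what is given up by opting in, so readers do not treat the flag as a routine fix.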
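Review bot: In NU1901-NU1904.md, the replacement sentence reads "goes in more detail"; this should be "goes into more detail". The new link depends on the anchor `#actions-when-packages-with-known-vulnerabilities-are-reported`, so please confirm that a heading with exactly that text exists in Auditing-Packages.md, otherwise the link lands at the top of the page without any error.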
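Review bot: In the front-matter hunk of docs/release-notes/Index.md, `author` and `ms.author` change but `ms.date` stays at 05/25/2022 even though the same patch adds the NuGet 7.0 and 6.14 entries. Update `ms.date` to the date of this change so the page's freshness metadata matches its content.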
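Review bot: In NuGet-7.0.md, the "Breaking changes" bullets for SHA-1 fingerprints and for "a non https source ... in a resource in a service index" link only to the tracking issues; readers who hit these errors need the remediation docs, so link the second to the NU1302 page updated in this same patch and the first to the signing documentation. Several bullets need copy edits: "Pruning privatizes a direct references by apply PrivateAssets=all", "Clean up Package Spec redudant APIs", "non https", and "Project.json is no longer supported in 7.0. Visual Studio 2026 automatically migrated ..." (tense, and no closing period). Under "#### Package Pruning", the entries "Missing audit warnings from "nuget install" ..." and "It's not possible to push to HTTP sources specified via command line" do not concern pruning and belong under another heading. The first three Summary bullets omit the " - " separator before the issue link that every other bullet uses, one link uses `github.com/nuget/home` while the rest use `NuGet/Home`, and the file ends without a trailing newline.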
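Review bot: global.json is a new file that pins `Microsoft.Build.NoTargets` to 3.7.134 under `msbuild-sdks`, and nothing visible in the patch says what consumes that SDK or why this version was chosen. Please note the reason where maintainers will find it, so that the pin is reviewed when the SDK is updated rather than left to go stale. The file is also missing a newline at end of file.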