{"id":2466,"date":"2022-08-09T13:04:03","date_gmt":"2022-08-09T20:04:03","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/dotnet\/?p=2466"},"modified":"2022-08-09T13:04:03","modified_gmt":"2022-08-09T20:04:03","slug":"announcing-nuget-6-3-transitive-dependencies-floating-versions-and-re-enabling-signed-package-verification","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/dotnet\/announcing-nuget-6-3-transitive-dependencies-floating-versions-and-re-enabling-signed-package-verification\/","title":{"rendered":"Announcing NuGet 6.3 &#8211; Transitive Dependencies, Floating Versions, and Re-enabling Signed Package Verification"},"content":{"rendered":"<p>NuGet 6.3 is included in <a href=\"https:\/\/visualstudio.microsoft.com\/downloads\/\">Visual Studio 2022<\/a> and <a href=\"https:\/\/dotnet.microsoft.com\/download\/dotnet\/6.0\">.NET 6.0<\/a> out of the box. You can also download NuGet 6.3 for Windows, macOS, and Linux as a <a href=\"https:\/\/dist.nuget.org\/win-x86-commandline\/v6.3.0\/nuget.exe\">standalone executable<\/a>.<\/p>\n<p>NuGet 6.3 is one of many releases in our .NET unification journey. 
Our NuGet tooling helps developers discover new .NET packages to use for their .NET applications, while making package management easier during your daily development.<\/p>\n<h2>NuGet 6.3 Highlights<\/h2>\n<p>There are many <a href=\"https:\/\/docs.microsoft.com\/nuget\/release-notes\/nuget-6.3\">new features in NuGet 6.3<\/a>:<\/p>\n<ul>\n<li><a href=\"#consume-pdbs-from-packages-in-packagereference\">Consume pdbs from packages in PackageReference<\/a>.<\/li>\n<li><a href=\"#view-transitive-dependencies-in-visual-studio\">View transitive dependencies in Visual Studio<\/a>.<\/li>\n<li><a href=\"#new-warnings-when-duplicate-packagereference-packageversion-or-packagedownload-are-found\">New warnings when duplicate <code>PackageReference<\/code>, <code>PackageVersion<\/code>, or <code>PackageDownload<\/code> are found<\/a>.<\/li>\n<li><a href=\"#install-packages-with-custom-floating-versions-in-visual-studio\">Install packages with custom floating versions in Visual Studio<\/a>.<\/li>\n<li><a href=\"#re-enable-signed-package-verification-on-linux-by-default\">Re-enable signed package verification on Linux by default<\/a>.<\/li>\n<li><a href=\"#https-everywhere\">HTTPS everywhere<\/a>.<\/li>\n<\/ul>\n<h2>Consume pdbs from packages in PackageReference<\/h2>\n<p>For any given assembly under the <code>lib<\/code> and <code>runtime<\/code> folders of a <code>&lt;PackageReference&gt;<\/code>, if there are files next to it that differ only by the extension, NuGet will now add a <code>related<\/code> property underneath the assembly in the targets section of the assets file, listing the extensions of these files, separated by <code>;<\/code>.<\/p>\n<pre><code>\"lib\/netstandard2.0\/Newtonsoft.Json.dll\": {\n    \"related\": \".pdb;.xml\"\n}\n<\/code><\/pre>\n<p>This feature allows you and the .NET SDK to consume <code>.pdb<\/code> and <code>.xml<\/code> files alongside the assembly for <code>&lt;PackageReference&gt;<\/code> for scenarios like debugging and API 
documentation. While the work is completed in the 6.3 release, you will likely not see any benefit until the .NET SDK becomes aware of this functionality in a future release.<\/p>\n<h2>View transitive dependencies in Visual Studio<\/h2>\n<p>There is now a new dependency section labeled \u201ctransitive packages\u201d that you can optionally collapse or expand depending on your daily use.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/dotnet\/wp-content\/uploads\/sites\/10\/2022\/08\/TransitiveDependencies-1.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/dotnet\/wp-content\/uploads\/sites\/10\/2022\/08\/TransitiveDependencies-1-560x322.png\" alt=\"Image TransitiveDependencies\" width=\"560\" height=\"322\" class=\"aligncenter size-medium wp-image-2456\" \/><\/a><\/p>\n<p>You can click on the dependencies like you would your top-level dependencies and even promote any transitive dependency to a top-level dependency at any time. One reason to do so is to override the resolved version of a library that has a known vulnerability with an unaffected version until a patch has been released.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/dotnet\/wp-content\/uploads\/sites\/10\/2022\/08\/TransitiveDependenciesDetails-1.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/dotnet\/wp-content\/uploads\/sites\/10\/2022\/08\/TransitiveDependenciesDetails-1-560x324.png\" alt=\"Image TransitiveDependenciesDetails\" width=\"560\" height=\"324\" class=\"aligncenter size-medium wp-image-2457\" \/><\/a><\/p>\n<p>Lastly, you can hover over any transitive dependency to understand the top-level dependencies that brought it into your project.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/dotnet\/wp-content\/uploads\/sites\/10\/2022\/08\/TransitiveDependenciesHover-1.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/dotnet\/wp-content\/uploads\/sites\/10\/2022\/08\/TransitiveDependenciesHover-1-560x99.png\" 
alt=\"Image TransitiveDependenciesHover\" width=\"560\" height=\"99\" class=\"aligncenter size-medium wp-image-2458\" \/><\/a><\/p>\n<p>This is currently an experiment in Visual Studio 17.3; you can read more about the feature in our blog post <a href=\"https:\/\/devblogs.microsoft.com\/dotnet\/introducing-transitive-dependencies-in-visual-studio\/\">Introducing Transitive Dependencies in Visual Studio<\/a>.<\/p>\n<h2>New warnings when duplicate <code>PackageReference<\/code>, <code>PackageVersion<\/code>, or <code>PackageDownload<\/code> are found<\/h2>\n<p>Whenever you include a duplicate <code>PackageReference<\/code>, <code>PackageVersion<\/code>, or <code>PackageDownload<\/code> item, you will be provided a new NuGet warning such as:<\/p>\n<ul>\n<li><code>NU1504<\/code> &#8211; Duplicate &#8216;PackageReference&#8217; items found. Remove the duplicate items or use the Update functionality to ensure a consistent restore behavior. The duplicate &#8216;PackageReference&#8217; items are: X 1.0.0, X 2.0.0.<\/li>\n<li><code>NU1505<\/code> &#8211; Duplicate &#8216;PackageDownload&#8217; items found. Remove the duplicate items or use the Update functionality to ensure a consistent restore behavior. The duplicate &#8216;PackageDownload&#8217; items are: X [1.0.0], X [2.0.0].<\/li>\n<li><code>NU1506<\/code> &#8211; Duplicate &#8216;PackageVersion&#8217; items found. Remove the duplicate items or use the Update functionality to ensure a consistent restore behavior. 
The duplicate &#8216;PackageVersion&#8217; items are: X [1.0.0], X [2.0.0].<\/li>\n<\/ul>\n<h2>Install packages with custom floating versions in Visual Studio<\/h2>\n<p>You can now install custom versions of packages with <a href=\"https:\/\/docs.microsoft.com\/nuget\/concepts\/package-versioning#floating-version-resolutions\">floating version syntax<\/a>.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/dotnet\/wp-content\/uploads\/sites\/10\/2022\/08\/FloatingVersions-1.gif\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/dotnet\/wp-content\/uploads\/sites\/10\/2022\/08\/FloatingVersions-1-560x318.gif\" alt=\"Image FloatingVersions\" width=\"560\" height=\"318\" class=\"aligncenter size-medium wp-image-2468\" \/><\/a><\/p>\n<h2>Re-enable signed package verification on Linux by default<\/h2>\n<p>Signed NuGet package verification will be enabled by default in .NET 7 SDK Linux builds, starting with RC1.<\/p>\n<p>It is opt-in for .NET 7 Preview 7 and .NET 6 SDK (6.0.400) builds. However, we have enabled it (<a href=\"https:\/\/github.com\/dotnet\/dotnet-docker\/blob\/7cf01d82858fcc3824574fb92580c4151954699a\/src\/sdk\/6.0\/jammy\/amd64\/Dockerfile#L11-L12\">via an environment variable<\/a>) <a href=\"https:\/\/github.com\/dotnet\/dotnet-docker\/issues\/3932\">with .NET 6 SDK container images<\/a> with .NET SDK 6.0.400 (released August 9th, 2022). It will be enabled for .NET 7 SDK container images with .NET 7 RC1.<\/p>\n<p>You can opt in to the feature with the following environment variable, set to <code>true<\/code>:<\/p>\n<pre><code class=\"bash\">DOTNET_NUGET_SIGNATURE_VERIFICATION=true\n<\/code><\/pre>\n<p>With .NET 7 RC1+, you can use the same environment variable to opt out. We have not decided how long we will retain the ability to opt out. If you need to use it, we would appreciate feedback on why you needed to do that. 
It might be an issue we need to address.<\/p>\n<p>For more information on this topic, see <a href=\"https:\/\/github.com\/dotnet\/core\/issues\/7688\">Signed NuGet Package Verification Re-enabled for Linux<\/a>.<\/p>\n<h2>HTTPS everywhere<\/h2>\n<p>As an ongoing effort to make <a href=\"https:\/\/devblogs.microsoft.com\/dotnet\/https-everywhere\/\">HTTPS everywhere<\/a> a reality for NuGet, we have taken a number of steps to help protect your everyday package management experiences.<\/p>\n<p>We have introduced a new <a href=\"https:\/\/docs.microsoft.com\/nuget\/reference\/errors-and-warnings\/nu1803\">NU1803 warning<\/a> that will let you know that you&#8217;re using a non-HTTPS source.<\/p>\n<p>For more information about this topic, see our blog <a href=\"https:\/\/devblogs.microsoft.com\/dotnet\/https-everywhere\/\">HTTPS everywhere<\/a>.<\/p>\n<h2>Closing<\/h2>\n<p>NuGet 6.3 is a big release that should improve many aspects of your daily package management needs. We\u2019ve added a few new features to Visual Studio to help you manage and install dependencies, improved the warnings for duplicate items, and re-enabled package verification on Linux.<\/p>\n<p>We\u2019re excited to see you use NuGet 6.3 &amp; include it in your toolset for building amazing things with .NET.<\/p>\n<p>For more details on NuGet 6.3, see our <a href=\"https:\/\/docs.microsoft.com\/nuget\/release-notes\/nuget-6.3\">official release notes<\/a>.<\/p>\n<h2>Feedback<\/h2>\n<p>Your feedback is important to us. If there are any problems with this release, check our <a href=\"https:\/\/github.com\/NuGet\/Home\/issues\">GitHub Issues<\/a> and <a href=\"https:\/\/developercommunity.visualstudio.com\/\">Visual Studio Developer Community<\/a> for existing issues. For new issues within NuGet, please report a <a href=\"https:\/\/github.com\/NuGet\/Home\/issues\/new\/choose\">GitHub Issue<\/a>. 
For general NuGet experience issues, let us know via the <a href=\"https:\/\/docs.microsoft.com\/visualstudio\/ide\/how-to-report-a-problem-with-visual-studio\">Report a Problem<\/a> option found in your favorite IDE under <code>Help &gt; Report a Problem<\/code>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>NuGet 6.3 is included in Visual Studio 2022 and .NET 6.0 out of the box. You can also download NuGet 6.3 for Windows, macOS, and Linux as a standalone executable. NuGet 6.3 is one of many releases in our .NET unification journey. Our NuGet tooling helps developers discover new .NET packages to use for their [&hellip;]<\/p>\n","protected":false},"author":551,"featured_media":2368,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[7933,7874,7930,646],"tags":[7983,7982,7984],"class_list":["post-2466","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-feature-announcement","category-nuget","category-release-announcement","category-visual-studio","tag-nuget-6-3","tag-transitive-dependencies","tag-visual-studio-17-3"],"acf":[],"blog_post_summary":"<p>NuGet 6.3 is included in Visual Studio 2022 and .NET 6.0 out of the box. You can also download NuGet 6.3 for Windows, macOS, and Linux as a standalone executable. NuGet 6.3 is one of many releases in our .NET unification journey. 
Our NuGet tooling helps developers discover new .NET packages to use for their [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/2466","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/users\/551"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/comments?post=2466"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/2466\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media\/2368"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media?parent=2466"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/categories?post=2466"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/tags?post=2466"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}