{"id":2841,"date":"2023-08-10T08:27:01","date_gmt":"2023-08-10T15:27:01","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/dotnet\/?p=2841"},"modified":"2023-08-10T08:27:01","modified_gmt":"2023-08-10T15:27:01","slug":"announcing-nuget-6-7-keeping-you-secure","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/dotnet\/announcing-nuget-6-7-keeping-you-secure\/","title":{"rendered":"Announcing NuGet 6.7 \u2013 Keeping You Secure"},"content":{"rendered":"<p>NuGet 6.7 is included in <a href=\"https:\/\/visualstudio.microsoft.com\/downloads\/\">Visual Studio 2022<\/a> and <a href=\"https:\/\/dotnet.microsoft.com\/download\/dotnet\/7.0\">.NET 7.0<\/a> out of the box. You can also download NuGet 6.7 for Windows, macOS, and Linux as a <a href=\"https:\/\/dist.nuget.org\/win-x86-commandline\/v6.7.0\/nuget.exe\">standalone executable<\/a>.<\/p>\n<p>Security is a chain; it&#8217;s only as strong as its weakest link. That&#8217;s why today, we are happy to announce that NuGet 6.7 brings a plethora of security features such as enhancements to package source mapping, new vulnerability APIs, package version dropdown changes, and new warning messages for chain of trust issues.<\/p>\n<h2>NuGet 6.7 Highlights<\/h2>\n<p>There are many <a href=\"https:\/\/docs.microsoft.com\/nuget\/release-notes\/nuget-6.7\">new features in NuGet 6.7<\/a>:<\/p>\n<ul>\n<li><a href=\"#view-your-package-source-mapping-status-in-the-package-details-pane\">View your package source mapping status in the package details pane<\/a><\/li>\n<li><a href=\"#easily-create-package-source-mappings-for-your-nuget-config\">Easily create package source mappings for your NuGet.config<\/a><\/li>\n<li><a href=\"#new-vulnerabilityinfo-api-in-nuget-protocol\">New VulnerabilityInfo API in NuGet.Protocol<\/a><\/li>\n<li><a href=\"#know-what-package-versions-are-vulnerable-when-you-select-them\">Know what package versions are vulnerable when you select them<\/a><\/li>\n<li><a 
href=\"#empowering-warning-messages-on-linux-macos-if-signed-package-verification-is-untrusted\">Empowering warning messages on Linux &amp; macOS if signed package verification is untrusted<\/a><\/li>\n<\/ul>\n<h2>View your package source mapping status in the package details pane<\/h2>\n<p>You will now see when NuGet packages are not mapped to their respective package source(s).<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/dotnet\/wp-content\/uploads\/sites\/10\/2023\/08\/packageSourceMappingOn-1.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/dotnet\/wp-content\/uploads\/sites\/10\/2023\/08\/packageSourceMappingOn-1-560x295.png\" alt=\"Image packageSourceMappingOn\" width=\"560\" height=\"295\" class=\"aligncenter size-medium wp-image-2846\" \/><\/a><\/p>\n<p>When packages are not mapped, you can configure your <code>NuGet.config<\/code> package source mappings by hitting the <code>Configure<\/code> link.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/dotnet\/wp-content\/uploads\/sites\/10\/2023\/08\/packageSourceMappingOff-1.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/dotnet\/wp-content\/uploads\/sites\/10\/2023\/08\/packageSourceMappingOff-1-560x295.png\" alt=\"Image packageSourceMappingOff\" width=\"560\" height=\"295\" class=\"aligncenter size-medium wp-image-2845\" \/><\/a><\/p>\n<p>For more information, see our <a href=\"https:\/\/learn.microsoft.com\/nuget\/consume-packages\/package-source-mapping\">documentation on package source mapping<\/a>.<\/p>\n<h2>Easily create package source mappings for your NuGet.config<\/h2>\n<p>You can now manage all of your package source mappings through the <code>Tools &gt; Options &gt; NuGet Package Manager &gt; Package Source Mappings<\/code> options menu.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/dotnet\/wp-content\/uploads\/sites\/10\/2023\/08\/packageSourceMappingAddMappings-1.png\"><img decoding=\"async\" 
src=\"https:\/\/devblogs.microsoft.com\/dotnet\/wp-content\/uploads\/sites\/10\/2023\/08\/packageSourceMappingAddMappings-1-507x350.png\" alt=\"Image packageSourceMappingAddMappings\" width=\"507\" height=\"350\" class=\"aligncenter size-medium wp-image-2844\" \/><\/a><\/p>\n<p>For more information, see our <a href=\"https:\/\/learn.microsoft.com\/nuget\/consume-packages\/package-source-mapping\">documentation on package source mapping<\/a>.<\/p>\n<h2>New VulnerabilityInfo API in NuGet.Protocol<\/h2>\n<p>The V3 protocol has a new resource called <code>VulnerabilityInfo<\/code> that provides package vulnerability information for scenarios such as checking packages during restore operations. An application or tool that needs to check a large number of packages for known vulnerabilities can use this resource.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/dotnet\/announcing-dotnet-8-preview-4\/#nuget-auditing-package-dependencies-for-security-vulnerabilities\">Also, don&#8217;t forget to check out our new NuGet package auditing experience in .NET 8 Previews!<\/a><\/p>\n<p>For more information about this API, see our <a href=\"https:\/\/learn.microsoft.com\/nuget\/api\/vulnerability-info\">documentation on Vulnerability information<\/a>.<\/p>\n<h2>Know what package versions are vulnerable when you select them<\/h2>\n<p>You can now see which package versions are vulnerable before selecting them in the package version selector in Visual Studio.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/dotnet\/wp-content\/uploads\/sites\/10\/2023\/08\/packageDetailsDropdown-1.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/dotnet\/wp-content\/uploads\/sites\/10\/2023\/08\/packageDetailsDropdown-1-560x289.png\" alt=\"Image packageDetailsDropdown\" width=\"560\" height=\"289\" class=\"aligncenter size-medium wp-image-2843\" \/><\/a><\/p>\n<h2>Empowering warning messages on Linux &amp; macOS if signed package 
verification is untrusted<\/h2>\n<p>There is a new warning (<a href=\"https:\/\/learn.microsoft.com\/nuget\/reference\/errors-and-warnings\/nu3042\">NU3042<\/a>) on Linux and macOS that accompanies an existing <a href=\"https:\/\/learn.microsoft.com\/nuget\/reference\/errors-and-warnings\/nu3018\">NU3018<\/a>\/<a href=\"https:\/\/learn.microsoft.com\/nuget\/reference\/errors-and-warnings\/nu3028\">NU3028<\/a> warning to provide actionable information on how to resolve untrusted certificate chain issues.<\/p>\n<pre><code>The following X.509 root certificate is untrusted because it is not present in the certificate bundle at &lt;file-path&gt;.  For more information, see documentation for NU3042.\n    Subject:  &lt;certificate subject&gt;\n    Fingerprint (SHA-256):  &lt;certificate fingerprint&gt;\n    Certificate (PEM):\n&lt;PEM-encoded certificate&gt;\n<\/code><\/pre>\n<h2>Closing<\/h2>\n<p>NuGet 6.7 is a security-filled release helping you know, prevent, and fix a <a href=\"https:\/\/learn.microsoft.com\/nuget\/concepts\/security-best-practices\">plethora of different security challenges<\/a> with your favorite package manager.<\/p>\n<p>On behalf of the NuGet team and the entire .NET community, we&#8217;d like to express our sincere gratitude to all the <a href=\"https:\/\/learn.microsoft.com\/nuget\/release-notes\/nuget-6.7#community-contributions\">community contributors<\/a> who have generously given their time and expertise to improve NuGet this release. Thank you.<\/p>\n<p>For more details on NuGet 6.7, see our <a href=\"https:\/\/docs.microsoft.com\/nuget\/release-notes\/nuget-6.7\">official release notes<\/a>.<\/p>\n<h2>Feedback<\/h2>\n<p>Your feedback is important to us. If there are any problems with this release, check our <a href=\"https:\/\/github.com\/NuGet\/Home\/issues\">GitHub Issues<\/a> and <a href=\"https:\/\/developercommunity.visualstudio.com\/\">Visual Studio Developer Community<\/a> for existing issues. 
For new issues within NuGet, please <a href=\"https:\/\/github.com\/NuGet\/Home\/issues\/new\/choose\">report a GitHub Issue<\/a>. For general NuGet experience issues, let us know via the <a href=\"https:\/\/docs.microsoft.com\/visualstudio\/ide\/how-to-report-a-problem-with-visual-studio\">Report a Problem<\/a> option found in your favorite IDE under <code>Help &gt; Report a Problem<\/code>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>NuGet 6.7 is included in Visual Studio 2022 and .NET 7.0 out of the box. You can also download NuGet 6.7 for Windows, macOS, and Linux as a standalone executable. Security is a chain; it&#8217;s only as strong as its weakest link. That&#8217;s why today, we are happy to announce that NuGet 6.7 brings a [&hellip;]<\/p>\n","protected":false},"author":551,"featured_media":1801,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[7933,7874],"tags":[8009,8010,7976,8011,7956],"class_list":["post-2841","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-feature-announcement","category-nuget","tag-6-7","tag-nuget-6-7","tag-package-source-mapping","tag-signed-package-verification","tag-vulnerabilities"],"acf":[],"blog_post_summary":"<p>NuGet 6.7 is included in Visual Studio 2022 and .NET 7.0 out of the box. You can also download NuGet 6.7 for Windows, macOS, and Linux as a standalone executable. Security is a chain; it&#8217;s only as strong as its weakest link. 
That&#8217;s why today, we are happy to announce that NuGet 6.7 brings a [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/2841","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/users\/551"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/comments?post=2841"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/2841\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media\/1801"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media?parent=2841"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/categories?post=2841"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/tags?post=2841"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}