NuGet 6.10 is included in Visual Studio 2022 and .NET 8.0 out of the box. You can also download NuGet 6.10 for Windows, macOS, and Linux as a standalone executable.
In NuGet 6.10, we introduce some exciting new features and bug fixes, such as a new dotnet nuget config command, vulnerability auditing in packages.config, and improvements to cached credentials. For more information, and a detailed list of all changes, see our release notes.
NuGet 6.10 Highlights
- dotnet nuget config command
- Vulnerability auditing in packages.config
- Improvements to cached credentials
dotnet nuget config command
You can now run the dotnet nuget config command with paths, get, set, and unset sub-commands to easily configure and understand your NuGet environment. Here are a few scenarios using this command:
- dotnet nuget config paths – will list all of the NuGet.config files associated with a current working directory.
- dotnet nuget config get all --show-path – will list all of the configuration settings and their respective file path.
- dotnet nuget config set signatureValidationMode require – will set the signatureValidationMode property to require in your NuGet.config file.
- dotnet nuget config unset signatureValidationMode – will unset the signatureValidationMode property in your NuGet.config file.
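The following is an added example, not code from the NuGet team: a small audit over the NuGet.config files that dotnet nuget config paths reports, checking whether signatureValidationMode is set to require and whether any trusted signers are configured to go with it. The file paths and contents are constructed samples, and the list order (closest to the working directory first, first file that sets the key wins) is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample files. Assumed order: closest to the working directory first.
SAMPLE_CONFIGS = [
    ("/repo/src/NuGet.config", """<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
</configuration>"""),
    ("/repo/NuGet.config", """<configuration>
  <config>
    <add key="signatureValidationMode" value="require" />
  </config>
</configuration>"""),
]

def config_value(xml_text, key):
    """Return the value of <config><add key=...> in one NuGet.config, or None."""
    root = ET.fromstring(xml_text)
    for add in root.findall("./config/add"):
        if add.get("key") == key:
            return add.get("value")
    return None

def has_trusted_signers(xml_text):
    """True if the file lists at least one <author> or <repository> signer."""
    signers = ET.fromstring(xml_text).find("./trustedSigners")
    return signers is not None and any(
        s.tag in ("author", "repository") for s in signers)

def audit_signature_mode(configs):
    """Return (status, path) for the first file that sets the mode."""
    trusted = any(has_trusted_signers(text) for _, text in configs)
    for path, text in configs:
        mode = config_value(text, "signatureValidationMode")
        if mode is None:
            continue  # this file does not set the key; look at the next one
        if mode.lower() != "require":
            return ("not-enforced", path)
        # In require mode every package must be signed by a trusted signer,
        # so a missing <trustedSigners> section makes restores fail.
        return ("ok" if trusted else "require-without-trusted-signers", path)
    return ("unset", None)

if __name__ == "__main__":
    print(audit_signature_mode(SAMPLE_CONFIGS))
```

The returned path tells you which file to edit, the same information dotnet nuget config get all --show-path gives for the live environment.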
Vulnerability auditing in packages.config
You can now audit for known security vulnerabilities in packages.config projects. You’ll see a familiar experience as you saw with <PackageReference> last year, but for any project that hasn’t migrated from packages.config quite yet.
Improvements to cached credentials
When authenticating to a private NuGet package source, there can be a retry loop after a 401 Unauthorized challenge occurs instead of a 403 Forbidden, causing unnecessary delays and potential strain on internal services. In these cases, NuGet will now verify if cached credentials work before asking for new ones, decreasing the frequency of cache invalidation and excess user prompts.
Thank you to @leong-desco for discovering this issue!
Closing
NuGet 6.10 comes with some exciting new features and bug fixes that will continue to improve your experience managing packages in your .NET projects!
On behalf of the NuGet team and the entire .NET community, we’d like to express our sincere gratitude to all the community contributors who have generously given their time and expertise to improve NuGet this release. Thank you.
For more details on NuGet 6.10, see our official release notes.
Feedback
Your feedback is important to us. If there are any problems with this release, check our GitHub Issues and Visual Studio Developer Community for existing issues. For new issues within NuGet, please report a GitHub Issue. For general NuGet experience issues, let us know via the Report a Problem option found in your favorite IDE under Help > Report a Problem.
Nobody mentioned the most important (undocumented) feature: CentralPackageFloatingVersionsEnabled
https://github.com/NuGet/Home/issues/12919
Many packages relying on expired certificates, is this on purpose, backdoors?
Eg. System.Text.Encoding 4.3.0, widely used.
0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D
Expired on: 4/14/2021
Root Untrusted
I’m guessing the “improvements to cached credentials” are why my cached credentials suddenly stopped working yesterday afternoon, and required me to obtain a new PAT, even though the existing one doesn’t expire for several months. 🤦♂️
Turns out I needed to install a newer version of the Azure Artifacts Credential Provider. The install script told me it was already installed, but after manually downloading and installing v1.1.1, it now seems to be working again.
And five days later, exactly the same problem again.
Did nobody test this update?!
OK, this is getting beyond a joke!
Having generated a new PAT 3 DAYS AGO, the dotnet nuget command line is now telling me that I need to generate another one.
None of my PATs have expired. There is clearly a serious bug in the latest version of the tool.
Which forum should I post this CPM query?
I have two solutions with one shared core project. I upgrade one solution’s projects to use CPM (Central Project Management), but when I go back to the first solution, when I compile the error is similar to: ‘missing version in referenced package’.
At the moment one CPM’d project in a solution is an issue, especially on dotnet6, with a dotnetstandard2.0 CPM’d shared project, and even more so when the core project is also shared with older framework4.8 projects.
Sounds like a bug.
You can open an issue in the NuGet/Home repo.
Before that, can you check that the issue doesn’t exist?
CPM Bug