Announcing NuGet 6.3 – Transitive Dependencies, Floating Versions, and Re-enabling Signed Package Verification

Jon Douglas

Nikolche Kolev

NuGet 6.3 is included in Visual Studio 2022 and .NET 6.0 out of the box. You can also download NuGet 6.3 for Windows, macOS, and Linux as a standalone executable.

NuGet 6.3 is one of many releases in our .NET unification journey. Our NuGet tooling helps developers discover new .NET packages to use for their .NET applications, while making package management easier during your daily development.

NuGet 6.3 Highlights

There are many new features in NuGet 6.3:

Consume pdbs from packages in PackageReference

For any given assembly under lib and runtime folder from a <PackageReference>, if there are files next to it that differ only by the extension, NuGet will now add a related property underneath the assembly in the targets section of the assets file, listing the extensions of these files, separated by ;.

"lib/netstandard2.0/Newtonsoft.Json.dll": {
    "related": [".pdb", ".xml"]
}

This feature allows you and the .NET SDK to consume .pdb and .xml files alongside the assembly for <PackageReference> for scenarios like debugging and API documentation. While the work is completed in the 6.3 release, you will likely not see any benefit until the .NET SDK becomes aware of this functionality in a future release.

View transitive dependencies in Visual Studio

There is now a new dependency section labeled “transitive packages” that you can optionally collapse or expand depending on your daily use.

Image TransitiveDependencies

You can click on the dependencies like you would your top-level dependencies and even promote any transitive dependency to a top-level dependency at any time. One such reason might be overriding a resolved version to an unaffected version of a library that has a known vulnerability until a patch has been released.

Image TransitiveDependenciesDetails

Lastly, you can hover over any transitive dependency to understand the top-level dependencies that brought it into your project.

Image TransitiveDependenciesHover

This is currently an experiment in Visual Studio 17.3 where you can read more about the feature in our blog Introducing Transitive Dependencies in Visual Studio.

New warnings when duplicate PackageReference, PackageVersion, or PackageDownload are found

Whenever you include a duplicate PackageReference, PackageVersion, or PackageDownload item, you will be provided a new NuGet warning such as:

  • NU1504 – Duplicate ‘PackageReference’ items found. Remove the duplicate items or use the Update functionality to ensure a consistent restore behavior. The duplicate ‘PackageReference’ items are: X 1.0.0, X 2.0.0.
  • NU1505 – Duplicate ‘PackageDownload’ items found. Remove the duplicate items or use the Update functionality to ensure a consistent restore behavior. The duplicate ‘PackageDownload’ items are: X [1.0.0], X [2.0.0].
  • NU1506 – Duplicate ‘PackageVersion’ items found. Remove the duplicate items or use the Update functionality to ensure a consistent restore behavior. The duplicate ‘PackageVersion’ items are: X [1.0.0], X [2.0.0].

Install packages with custom floating versions in Visual Studio

You can now install custom versions of packages with floating version syntax.

Image FloatingVersions

Re-enable signed package verification on Linux by default

Signed NuGet package verification will be enabled by default in .NET 7 SDK Linux builds, starting with RC1.

It is opt-in for .NET 7 Preview 7 and .NET 6 SDK (6.0.400) builds. However, we have enabled it (via an environment variable) with .NET 6 SDK container images with .NET SDK 6.0.400 (released August 9th, 2022). It will be enabled for .NET 7 SDK container images with .NET 7 RC1.

You can opt-in to the feature with the following environment variable, set to true:

DOTNET_NUGET_SIGNATURE_VERIFICATION=true

With .NET 7 RC1+, you can use the same environment variable to opt-out. We have not decided how long we will retain the ability to opt-out. If you need to use it, we would appreciate feedback on why you needed to do that. It might be an issue we need to address.

For more information on this topic, see Signed NuGet Package Verification Re-enabled for Linux

HTTPS everywhere

As an ongoing effort to make HTTPS everywhere a reality for NuGet, we have taken a number of steps to help protect your everyday package management experiences.

We have introduced a new NU1803 warning that will let you know that you’re using a non-HTTPS source.

For more information about this topic, see our blog HTTPS everywhere

Closing

NuGet 6.3 is a big release that should improve many aspects of your daily package management needs. We’ve added a few new features to Visual Studio to help you manage and install dependencies, improved warning experiences of duplicate items, and re-enabled package verification on Linux.

We’re excited to see you use NuGet 6.3 & include it in your toolset for building amazing things with .NET.

For more details on NuGet 6.3, see our official release notes.

Feedback

Your feedback is important to us. If there are any problems with this release, check our GitHub Issues and Visual Studio Developer Community for existing issues. For new issues within NuGet, please report a GitHub Issue. For general NuGet experience issues, let us know via the Report a Problem option found in your favorite IDE under Help > Report a Problem.