Announcing NuGet 6.4 – Signed, Central, Delivered

Jon Douglas

Nikolche Kolev

NuGet 6.4 is included in Visual Studio 2022 and .NET 7.0 out of the box. You can also download NuGet 6.4 for Windows, macOS, and Linux as a standalone executable.

NuGet 6.4 is one of many releases in our .NET unification journey. Our NuGet tooling helps developers discover new .NET packages to use for their .NET applications, while making package management easier during your daily development.

NuGet 6.4 Highlights

There are many new features in NuGet 6.4:

Central Package Management is production ready

Earlier this year, we announced Central Package Management which is a feature to help you manage dependencies for multi-project solutions. Over the last couple releases, we’ve been busy fixing bugs preventing you from using it and adding features that improve your experience using it. This feature is now considered production ready and we’ve removed all mention of the feature being in a “preview” status.

To learn more, check out our docs on Central Package Management.

Use a single PackageReference everywhere with GlobalPackageReference

A new feature to central package management is <GlobalPackageReference>. A global package reference is used to specify that a package will be used by every project in a repository. This includes packages that do versioning, extend your build, or any other package that is needed by all projects. Global package references are added to the <PackageReference> item group with the following metadata implicitly:

  • IncludeAssets="Runtime;Build;Native;contentFiles;Analyzers" – This ensures that the package is only used as a development dependency and prevents any compile-time assembly references.
  • PrivateAssets="All" – This prevents global package references from being picked up by downstream dependencies.

<GlobalPackageReference> items should be placed in your Directory.Packages.props file to be used by every project in a repository:

<Project>
  <ItemGroup>
    <GlobalPackageReference Include="Nerdbank.GitVersioning" Version="3.5.109" />
  </ItemGroup>
</Project>

To learn more about this feature, see the documentation on Global Package References.

Improved performance while loading packages in all tabs in Visual Studio

For each of the tabs in the Visual Studio Package Management UI, we’ve improved the performance it takes to fully load each item and its metadata by almost 66%. A huge thanks to @mjolka for contributing this performance improvement to NuGet by increasing HttpClientHandler.MaxConnectionsPerServer to a higher value.

NuGet signed package verification

NuGet package signatures are based on X.509 certificates, and a prerequisite for signed package verification is a certificate root store that’s valid for both code signing and timestamping.

Starting with .NET 7, NuGet uses fallback certificate bundles included in the .NET SDK to verify signed packages where a suitable system root store is not available. These bundles are sourced from the Microsoft Trusted Root Program and contain the same code signing and timestamping certificates as the root store on Windows.

Some NuGet commands, such as sign and verify, always perform signed package verification.

For more information on this topic and the behavior on specific operating systems, see NuGet Signed Package Verification.

Authentication improvements in Visual Studio

One major issue we hear from you is the NuGet authentication experience in Visual Studio. Over the last release, we’ve been engaged in reducing the amount of times you are prompted to authenticate to your private sources while also providing context to the authentication windows so you know whether or not a prompt is to authenticate to a NuGet feed or a Visual Studio service.

In this release, we added context to each window to let you know when NuGet needs your attention.

Image VisualStudioAuth

NuGet.exe localization

NuGet.exe commands have been enhanced further with localization in 13 languages: Simplified Chinese, Traditional Chinese, Czech, German, Spanish, French, Italian, Japanese, Korean, Polish, Portuguese, Russian, Turkish.

Closing

NuGet 6.4 is a significant release that should improve many aspects of your daily package management needs. We’ve polished the central package management feature, improved performance of loading packages in Visual Studio, added fallback certificate bundles in the .NET SDK for signed packaged verficiation, and added contextual improvements to authentication prompts in Visual Studio.

We’re excited to see you use NuGet 6.4 & include it in your toolset for building amazing things with .NET.

For more details on NuGet 6.4, see our official release notes.

Feedback

Your feedback is important to us. If there are any problems with this release, check our GitHub Issues and Visual Studio Developer Community for existing issues. For new issues within NuGet, please report a GitHub Issue. For general NuGet experience issues, let us know via the Report a Problem option found in your favorite IDE under Help > Report a Problem.