Announcing NuGet 6.7 – Keeping You Secure
NuGet 6.7 is included in Visual Studio 2022 and .NET 7.0 out of the box. You can also download NuGet 6.7 for Windows, macOS, and Linux as a standalone executable.
Security is a chain; it’s only as strong as its weakest link. That’s why today, we are happy to announce that NuGet 6.7 brings a plethora of security features such as enhancements to package source mapping, new vulnerability APIs, package version dropdown changes, and new warning messages for chain of trust issues.
NuGet 6.7 Highlights
There are many new features in NuGet 6.7:
- View your package source mapping status in the package details pane
- Easily create package source mappings for your NuGet.config
- New VulnerabilityInfo API in NuGet.Protocol
- Know what package versions are vulnerable when you select them
- Empowering warning messages on Linux & macOS if signed package verification is untrusted
View your package source mapping status in the package details pane
You will now see when NuGet packages are not mapped to respective package source(s).
When packages are not mapped, you can configure your NuGet.config package source mappings by hitting the Configure link.
For more information, see our documentation on package source mapping.
Easily create package source mappings for your NuGet.config
To manage all of your package source mappings, you can now do so through the Tools > Options > NuGet Package Manager > Package Source Mappings options menu.
For more information, see our documentation on package source mapping.
New VulnerabilityInfo API in NuGet.Protocol
There is a new resource in the V3 protocol called VulnerabilityInfo which provides package vulnerability information to use in scenarios such as checking packages during restore operations. In the case that an application or tool needs to check a large number of packages for known vulnerabilities, you can use this new resource.
Also, don’t forget to check out our new NuGet package auditing experience in .NET 8 Previews!
For more information about this API, see our documentation on Vulnerability information.
Know what package versions are vulnerable when you select them
Now you can know what package versions are vulnerable prior to selecting them in the package version selector in Visual Studio.
Empowering warning messages on Linux & macOS if signed package verification is untrusted
There is a new warning (NU3042) on Linux and macOS that accompanies an existing NU3018/NU3028 warning to provide actionable information on how to resolve untrusted certificate chain issues.
The following X.509 root certificate is untrusted because it is not present in the certificate bundle at <file-path>. For more information, see documentation for NU3042.
Subject: <certificate subject>
Fingerprint (SHA-256): <certificate fingerprint>
Certificate (PEM):
<PEM-encoded certificate>
Closing
NuGet 6.7 is a security-filled release helping you know, prevent, and fix a plethora of different security challenges with your favorite package manager.
On behalf of the NuGet team and the entire .NET community, we’d like to express our sincere gratitude to all the community contributors who have generously given their time and expertise to improve NuGet this release. Thank you.
For more details on NuGet 6.7, see our official release notes.
Feedback
Your feedback is important to us. If there are any problems with this release, check our GitHub Issues and Visual Studio Developer Community for existing issues. For new issues within NuGet, please report a GitHub Issue. For general NuGet experience issues, let us know via the Report a Problem option found in your favorite IDE under Help > Report a Problem.
Jon Douglas Principal Program Manager, NuGet
Light
Dark
1 comment
It looks like information about package signatures is missing at nuget.org and package details pane in VS.
I would expect to see at least bare minimum in line with output of
command.