August 10th, 2023

Announcing NuGet 6.7 – Keeping You Secure

NuGet 6.7 is included in Visual Studio 2022 and .NET 7.0 out of the box. You can also download NuGet 6.7 for Windows, macOS, and Linux as a standalone executable.

Security is a chain; it’s only as strong as its weakest link. That’s why today, we are happy to announce that NuGet 6.7 brings a plethora of security features such as enhancements to package source mapping, new vulnerability APIs, package version dropdown changes, and new warning messages for chain of trust issues.

NuGet 6.7 Highlights

There are many new features in NuGet 6.7:

View your package source mapping status in the package details pane

The package details pane now shows when a NuGet package is not mapped to a package source.

When packages are not mapped, you can configure the package source mappings in your NuGet.config by selecting the Configure link.

For more information, see our documentation on package source mapping.

Easily create package source mappings for your NuGet.config

You can now manage all of your package source mappings through the Tools > Options > NuGet Package Manager > Package Source Mappings options menu.

For more information, see our documentation on package source mapping.
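
When several mapping patterns match a package ID, NuGet prefers the most specific one: an exact ID, then the longest prefix pattern, then `*`. As an added example (not code from the NuGet team or this post), the Python script below audits a constructed NuGet.config and reports which source each package is pinned to and which packages are unmapped. The `contoso` feed, its URL, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed NuGet.config for illustration; the "contoso" feed and URL are hypothetical.
SAMPLE_CONFIG = """<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="contoso" value="https://contoso.example/v3/index.json" />
  </packageSources>
  <packageSourceMapping>
    <packageSource key="nuget.org">
      <package pattern="Newtonsoft.Json" />
      <package pattern="Microsoft.*" />
    </packageSource>
    <packageSource key="contoso">
      <package pattern="Contoso.*" />
      <package pattern="Microsoft.Internal.*" />
    </packageSource>
  </packageSourceMapping>
</configuration>"""

def load_mappings(config_xml):
    """Return {source key: [lower-cased ID patterns]} from <packageSourceMapping>."""
    root = ET.fromstring(config_xml)
    return {
        src.get("key"): [p.get("pattern", "").lower() for p in src.findall("package")]
        for src in root.findall("./packageSourceMapping/packageSource")
    }

def specificity(pattern, package_id):
    """Rank a match: exact ID > longer prefix > bare '*'; -1 means no match."""
    if pattern == package_id:
        return float("inf")
    if pattern.endswith("*") and package_id.startswith(pattern[:-1]):
        return len(pattern) - 1
    return -1

def sources_for(package_id, mappings):
    """Sources allowed to serve package_id; an empty list means it is unmapped."""
    pid = package_id.lower()  # package IDs and patterns compare case-insensitively
    best = {s: max((specificity(p, pid) for p in pats), default=-1)
            for s, pats in mappings.items()}
    top = max(best.values(), default=-1)
    return sorted(s for s, score in best.items() if score == top and top >= 0)

if __name__ == "__main__":
    m = load_mappings(SAMPLE_CONFIG)
    for pkg in ("Newtonsoft.Json", "Microsoft.Internal.Tools", "Serilog"):
        print(f"{pkg:28} -> {sources_for(pkg, m) or 'UNMAPPED'}")
```

A package that comes back unmapped, such as `Serilog` here, is the case the package details pane flags. Running the check in CI catches new dependencies added without a mapping.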

New VulnerabilityInfo API in NuGet.Protocol

There is a new resource in the V3 protocol called VulnerabilityInfo, which provides package vulnerability information for scenarios such as checking packages during restore operations. If an application or tool needs to check a large number of packages for known vulnerabilities, it can use this new resource.

Also, don’t forget to check out our new NuGet package auditing experience in .NET 8 Previews!

For more information about this API, see our documentation on Vulnerability information.

Know what package versions are vulnerable when you select them

You can now see which package versions are vulnerable before selecting them in the package version selector in Visual Studio.

Empowering warning messages on Linux & macOS if signed package verification is untrusted

There is a new warning (NU3042) on Linux and macOS that accompanies an existing NU3018/NU3028 warning to provide actionable information on how to resolve untrusted certificate chain issues.

The following X.509 root certificate is untrusted because it is not present in the certificate bundle at <file-path>.  For more information, see documentation for NU3042.
    Subject:  <certificate subject>
    Fingerprint (SHA-256):  <certificate fingerprint>
    Certificate (PEM):
<PEM-encoded certificate>

Closing

NuGet 6.7 is a security-filled release helping you know, prevent, and fix a plethora of different security challenges with your favorite package manager.

On behalf of the NuGet team and the entire .NET community, we’d like to express our sincere gratitude to all the community contributors who have generously given their time and expertise to improve NuGet this release. Thank you.

For more details on NuGet 6.7, see our official release notes.

Feedback

Your feedback is important to us. If there are any problems with this release, check our GitHub Issues and Visual Studio Developer Community for existing issues. For new issues within NuGet, please report a GitHub Issue. For general NuGet experience issues, let us know via the Report a Problem option found in your favorite IDE under Help > Report a Problem.

Author

Jon Douglas
Principal Program Manager

Jon Douglas is a Principal Program Manager for NuGet at Microsoft. In his spare time he is most likely spending time with his family, performing comedy improv, or playing video games.

Nikolche Kolev
Principal Software Engineer

Nikolche is a Principal Software Engineer on the NuGet client team, with a focus on the restore functionality and performance.

1 comment

  • Oleg Deribas

    It looks like information about package signatures is missing at nuget.org and in the package details pane in VS.
    I would expect to see at least the bare minimum, in line with the output of

    dotnet nuget verify

    command.