Announcing NuGet 6.8 – Maintaining Security with Ease
Maintaining and understanding the security status of your projects is now easier than ever in NuGet 6.8. We’re happy to announce a plethora of new features to help you be aware of potential vulnerabilities in your projects, visualize the configuration of precautionary measures that keep your code safe, and maintain fine-grained control over your dependency sources.
NuGet 6.8 Highlights
There are many new features in NuGet 6.8:
- NuGetAudit – notifications for package vulnerabilities
- Allowing opt-out of HTTPS Everywhere warnings with allowInsecureConnections property
- Create Package Source Mappings during installation/update through PM UI
- Conditional Package Updating is respected in Visual Studio
- ProtocolVersion argument added to nuget source add
NuGetAudit – Notifications for package vulnerabilities
NuGet will now audit PackageReference packages and warn you if any have known vulnerabilities, allowing you to improve the security of your projects. There are configuration options to change the minimum severity threshold, and to audit all packages (direct + transitive) rather than only the default directly referenced packages. For more information, see the docs page for auditing package dependencies.
> dotnet restore
Determining projects to restore...
D:\demo\demo.csproj : warning NU1903: Package 'Newtonsoft.Json' 9.0.1 has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr
Restored D:\demo\demo.csproj (in 311 ms).
In Visual Studio, audit information will appear in the Error List window, and for SDK style projects, in the project dependencies. A bar will also appear at the top of solution explorer after Visual Studio restores a solution, to warn you that one of the projects uses a package with a known vulnerability:
Visual Studio’s Package Manager UI will also warn you of transitive packages with known vulnerabilities, on a project’s “Installed” tab, even when audit is configured for direct packages only:
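The project-level switches described above, as an added example that is not part of the original post: a .csproj that turns on transitive auditing, keeps the lowest severity threshold, and makes high and critical advisories fail restore in CI. The package name and version are the ones from the warning shown above; the target framework is an assumption.

```xml
<!-- Added example (not from the NuGet post). NuGetAudit, NuGetAuditMode and NuGetAuditLevel
     are the NuGet 6.8 MSBuild properties; net8.0 is an assumed target framework. -->
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <!-- Audit is on by default; set it explicitly so the intent is visible in code review. -->
    <NuGetAudit>true</NuGetAudit>
    <!-- "all" audits transitive packages too; the default "direct" audits only PackageReference items. -->
    <NuGetAuditMode>all</NuGetAuditMode>
    <!-- Minimum severity to report: low, moderate, high or critical ("low" is the default). -->
    <NuGetAuditLevel>low</NuGetAuditLevel>
    <!-- Audit findings surface as NU1901 (low), NU1902 (moderate), NU1903 (high) and NU1904 (critical).
         Promoting the high and critical codes to errors makes restore fail instead of just warning. -->
    <WarningsAsErrors>$(WarningsAsErrors);NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>
  <ItemGroup>
    <!-- The version flagged in the restore output above; kept here only to show what the audit catches. -->
    <PackageReference Include="Newtonsoft.Json" Version="9.0.1" />
  </ItemGroup>
</Project>
```

With this configuration the NU1903 line from the sample output becomes a restore error, so the vulnerable version cannot slip through a CI build.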
Allowing opt-out of HTTPS Everywhere warnings with allowInsecureConnections property
In NuGet 6.3, we introduced a new NU1803 warning that lets you know you’re using a non-HTTPS source, and we were met with widespread feedback on scenarios we aren’t always aware of. With this feedback in mind, we wanted a generally agreed upon plan that provides flexibility based on where you personally are on your journey to “HTTPS Everywhere”. This plan needed a clear way to suppress the eventual error when a non-HTTPS source is used in scenarios where you are able to accept the security risk.
We’ve now added functionality that allows you to do just that. In NuGet 6.8, you are able to add the allowInsecureConnections attribute to the respective packageSources entries in your nuget.config to enable or disable this behaviour per source. The default is allowInsecureConnections="false".
Create Package Source Mappings during installation/update through PM UI
Introduced in .NET 6, Package Source Mapping is a tool that gives you fine-grained control of where your packages are coming from by giving you the ability to map every package in your solution to a target package source. This helps you to know that you’re always getting your packages from the right source and protects against potential dependency confusion attacks. In NuGet 6.7, we introduced functionality to notify you of the status of package source mappings in your solution in the package details pane.
Additionally, creating source mappings from the NuGet VS UI now considers the Global Packages Folder (GPF) for transitive dependencies. When a transitive package already exists in the GPF and the source it came from is enabled for this solution, the package is automatically mapped to that source. If that source is not enabled in this solution, the install fails with an error that names the package and source in the message (as seen in the screenshot below):
Conditional Package Updating is respected in Visual Studio
If you have projects that target multiple frameworks, such as MAUI or Uno projects, it is very likely that you have conditionally installed packages as well.
Starting with this release of NuGet, conditionally referenced packages are updated correctly when using the Package Manager UI or the Package Manager Console. Historically, NuGet has not updated conditional references consistently: any update of a conditionally installed package would attempt to install the package into all frameworks, often causing an NU1504 warning. The update now recognizes when a package is conditionally installed and updates it only in the frameworks it’s installed in.
ProtocolVersion argument added to nuget source add
We heard your requests, and starting with NuGet 6.8, you have the ability to specify the protocolVersion property when adding a new package source with the CLI.
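The three nuget.config settings discussed above (the allowInsecureConnections opt-out, Package Source Mapping, and the protocolVersion attribute that the new nuget source add argument writes), brought together in one added example that is not part of the original post. The source names, hostnames and package prefixes are made up for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the NuGet post). All source names, URLs and package
     prefixes below are constructed placeholders. -->
<configuration>
  <packageSources>
    <clear />
    <!-- protocolVersion="3" is the attribute the protocolVersion argument of nuget source add records. -->
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
    <!-- Internal feed served over HTTPS: no NU1803 warning, no opt-out needed. -->
    <add key="contoso-internal" value="https://nuget.contoso.example/v3/index.json" protocolVersion="3" />
    <!-- Legacy plain-HTTP feed reachable only on an isolated lab network. Without the attribute
         (or with the default "false") restore emits NU1803 and will eventually fail; "true" is an
         explicit, per-source acceptance of the plaintext-transport risk, visible in source control. -->
    <add key="lab-legacy" value="http://nuget-lab.contoso.example/v3/index.json"
         protocolVersion="3" allowInsecureConnections="true" />
  </packageSources>

  <!-- Package Source Mapping: each package id is resolved from the source whose pattern is the
       longest match, and an id that matches no pattern fails restore rather than being fetched
       from whichever feed answers first. That is the dependency-confusion protection. -->
  <packageSourceMapping>
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
    <packageSource key="contoso-internal">
      <package pattern="Contoso.*" />
    </packageSource>
    <packageSource key="lab-legacy">
      <!-- More specific than Contoso.*, so Contoso.Lab.* ids never go to the internal feed
           and the insecure source is limited to exactly the packages that need it. -->
      <package pattern="Contoso.Lab.*" />
    </packageSource>
  </packageSourceMapping>
</configuration>
```

Because `*` is mapped only to nuget.org and the internal prefixes are mapped to the private feeds, a public package published under a Contoso.* name cannot be pulled in place of the internal one.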
NuGet 6.8 provides a range of new features that make it simple to visualize, and be notified of, the security status of the dependencies in your projects.
On behalf of the NuGet team and the entire .NET community, we’d like to express our sincere gratitude to all the community contributors who have generously given their time and expertise to improve NuGet this release. Thank you.
For more details on NuGet 6.8, see our official release notes.
Your feedback is important to us. If there are any problems with this release, check our GitHub Issues and Visual Studio Developer Community for existing issues. For new issues within NuGet, please report a GitHub Issue. For general NuGet experience issues, let us know via the Report a Problem option found in your favorite IDE under Help > Report a Problem.