Announcing NuGet 6.8 – Maintaining Security with Ease

Allie Barry

November 17th, 20234 3

NuGet 6.8 is included in Visual Studio 2022 and .NET 8.0 out of the box. You can also download NuGet 6.8 for Windows, macOS, and Linux as a standalone executable.

Maintaining and understanding security status in your projects is now easier than ever in NuGet 6.8. We’re happy to announce a plethora of new features to help you be aware potential vulnerabilities in your projects, visualize the configuration of precautionary measures to keep your code safe, and maintain fine-grained control over your dependency sources.

NuGet 6.8 Highlights

There are many new features in NuGet 6.8:

NuGetAudit- notifications for package vulnerabilities
Allowing opt-out of HTTPS Everywhere warnings with allowInsecureConnections property
Create Package Source Mappings during installation/update through PM UI
Conditional Package Updating is respected in Visual Studio
ProtocolVersion argument added to nuget source add

NuGetAudit – Notifications for package vulnerabilities

NuGet will now audit PackageReference packages and warn you if any have known vulnerabilities, allowing you to improve the security of your projects. There are configuration options to change the minimum severity threshold, and to audit all packages (direct + transitive) rather than only the default directly referenced packages. For more information, see the docs page for auditing package dependencies.

> dotnet restore 
Determining projects to restore... D:\demo\demo.csproj : warning NU1903: 
Package 'Newtonsoft.Json' 9.0.1 has a known high severity vulnerability, 
https://github.com/advisories/GHSA-5crp-9r3c-p9vr 
Restored D:\demo\demo.csproj (in 311 ms).

In Visual Studio, audit information will appear in the Error List window, and for SDK style projects, in the project dependencies. A bar will also appear at the top of solution explorer after Visual Studio restores a solution, to warn you that one of the projects uses a package with a known vulnerability:

Visual Studio’s Package Manager UI will also warn you of transitive packages with known vulnerabilities, on a project’s “Installed” tab, even when audit is configured for direct packages only:

Allowing opt-out of HTTPS Everywhere warnings with allowInsecureConnections property

In NuGet 6.3, we introduced a new NU1803 warning that will let you know that you’re using a non-HTTPS source, and we were met with widespread feedback on scenarios we aren’t always aware of. With this feedback in mind, we would like to ensure that we have a generally agreed upon plan that provides a mechanism for flexibility based on where you are personally on your journey to “HTTPS Everywhere”. This plan needed a clear way to suppress the eventual error case when a non-HTTPS source is used due to various scenarios where you are able to accept the security risk.

We’ve recently added such functionality that will allow you to do just that. In NuGet 6.8, you will be able add the allowInsecureConnections attribute to your respective packageSources in your nuget.config to enable or disable this functionality. The default is allowInsecureConnections=”false”.

Create Package Source Mappings during installation/update through PM UI

Introduced in .NET 6, Package Source Mapping is a tool that gives you fine-grained control of where your packages are coming from by giving you the ability to map every package in your solution to a target package source. This helps you to know that you’re always getting your packages from the right source and protects against potential dependency confusion attacks. In NuGet 6.7, we introduced functionality to notify you of the status of package source mappings in your solution in the package details pane.

Now, in NuGet 6.8, new functionality has been added to automatically create package source mappings on package install/update in the NuGet UI in Visual Studio.

Additionally, creating source mappings from NuGet VS UI now considers the Global Packages Folder for transitive dependencies. When transitive packages exist in the GPF, if it’s an enabled source for this solution, then it will automatically map to that source. If it’s not an enabled source in this solution, then the install will fail with an error indicating the package/source in the message (as seen in the screenshot below):

Conditional Package Updating is respected in Visual Studio

If you have projects that target multiple frameworks, such as MAUI or Uno projects, it is very likely that you have conditionally installed packages as well.

Starting with this release of NuGet, conditionally referenced packages will be correctly updated when using the Package Manager UI or the Package Manager Console. For a conditionally installed package, NuGet historically has not updated conditional reference correctly consistently. All updates of conditional packages would lead to attempting to install the package to all frameworks, thus often causing an NU1504 warning. The change here is for the update to recognize when a package is conditionally installed, and update that package only in the frameworks it’s installed in.

ProtocolVersion argument added to nuget source add

We heard your requests, and starting with NuGet 6.8, you will now have the ability to specify protocolVersion property when adding new package source with CLI.

Closing

NuGet 6.8 provides a range of new features that makes it simple for you to visualize and be notified of security status of dependencies in your projects.

On behalf of the NuGet team and the entire .NET community, we’d like to express our sincere gratitude to all the community contributors who have generously given their time and expertise to improve NuGet this release. Thank you.

For more details on NuGet 6.8, see our official release notes.

Feedback

Your feedback is important to us. If there are any problems with this release, check our GitHub Issues and Visual Studio Developer Community for existing issues. For new issues within NuGet, please report a GitHub Issue. For general NuGet experience issues, let us know via the Report a Problem option found in your favorite IDE under Help > Report a Problem.

Allie Barry Product Manager, .NET Team/NuGet

4 comments

Discussion is closed. Login to edit/delete existing comments.

Rand Random November 18, 2023 12:56 am 0

I hope some day this

NuGet 6.8 is included in Visual Studio 2022 and .NET 8.0 out of the box.

will actually include the command line tool, because manually maintaining/installing/updating a separate nuget.exe is rather annoying.

So, that this

You can also download NuGet 6.8 for Windows, macOS, and Linux as a standalone executable.

would only be necessary if you have neither Visual Studio, or .NET installed.
- Kenneth Hoff November 19, 2023 12:12 am 0
  
  Is there a difference between the NuGet CLI (tbh, didn’t realize it still existed – I thought it died years ago) and the dotnet CLI – which is included?
  - Michael Taylor November 20, 2023 7:45 am 1
    
    IIRC dotnet version only supports SDK-based projects. Not every project type is supported by SDK project format yet. So yes Nuget is still needed.
    
    Furthermore in order to use the CLI you have to have the SDK installed first whereas Nuget just needs the framework that is already installed (or at least it did) with Windows. In some cases an app might use Nuget to download packages at runtime (it happens…) but it isn’t actually targeting .NET Core so using the CLI would be another install that isn’t really needed.
    - Nikolche Kolev December 6, 2023 11:15 am 0
      
      MSBuild.exe -t:restore is also capable of restoring packages.config based projects.
      You can consider using that instead of having to download NuGet.exe, https://learn.microsoft.com/en-us/nuget/reference/msbuild-targets#restoring-packagereference-and-packagesconfig-projects-with-msbuild.