Announcing NuGet 6.0 – Source Mapping, Package Vulnerabilities, Faster Solution Load, Oh My!

Jon Douglas

November 8th, 20216 0

NuGet 6.0 – Source Mapping, Package Vulnerabilities, Faster Solution Load, Oh My!

NuGet 6.0 is included in Visual Studio 2022 and .NET 6.0 out of the box. You can also download NuGet 6.0 for Windows, macOS, and Linux as a standalone executable.

NuGet 6.0 is one of many releases in our .NET unification journey. Our NuGet tooling helps developers discover new .NET packages to use for their .NET applications, while making package management easier during your daily development.

NuGet 6.0 Highlights

There are many new features in NuGet 6.0:

Create and use .NET 6 NuGet packages with .NET 6 Support.
Know where your packages come from with Source Mapping.
View Package Vulnerabilities in Visual Studio.
Configure retry & backoff behavior in NuGet Clients.
Exclude Default File Extensions in Build Output.
Find alternative packages with Improved Deprecation Information in Visual Studio.
Add a package README in Visual Studio.
Faster Solution Load & Branch Switching in Visual Studio.

.NET 6 Support

NuGet 6.0 is the first release to offer full authoring and restoring support for NuGet packages targeting .NET 6.0. You can now target the following target frameworks:

net6.0
net6.0-windows
net6.0-android
net6.0-ios
net6.0-macos
net6.0-maccatalyst
net6.0-tvos
net6.0-tizen

If you aren’t familiar with the .NET 6.0 targets today or what it will look like in the future, don’t forget to check out the .NET 6.0 TFM spec.

Source Mapping

Earlier this year, many package managers became aware of dependency confusion attacks in which a user can be tricked into installing a malicious dependency instead of the one they intended to. To fortify your software supply chain against these attacks, the NuGet team has developed a new feature that allows you to map your dependencies to specific sources. Below is an example of how you can use source mapping to protect your projects.

<!-- Define a global packages folder for your repository. -->
<!-- This is where installed packages will be stored locally. -->
<config>
  <add key="globalPackagesFolder" value="globalPackagesFolder" />
</config>

<!-- Define my package sources, nuget.org and contoso.com. -->
<!-- `clear` ensures no additional sources are inherited from another config file. -->
<packageSources>
  <clear />
  <!-- `key` can be any identifier for your source. -->
  <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  <add key="contoso.com" value="https://contoso.com/packages/" />
</packageSources>

<!-- Define mappings by adding package ID patterns beneath the target source. -->
<!-- Contoso.* packages will be restored from contoso.com, everything else from nuget.org. -->
<packageSourceMapping>
  <!-- key value for <packageSource> should match key values from <packageSources> element -->
  <packageSource key="nuget.org">
    <package pattern="*" />
  </packageSource>
  <packageSource key="contoso.com">
    <package pattern="Contoso.*" />
  </packageSource>
</packageSourceMapping>

You can read more about source mapping in our documentation. To secure your software supply chain, you can also read our documentation on the topic.

Package Vulnerabilities in Visual Studio

When using the NuGet Package Manager within Visual Studio, you will now see package vulnerabilities for your packages including details such as the number and severity of vulnerabilities as well as direct links to learn more about the advisories.

Retry & Backoff Behavior

There is now a NUGET_ENABLE_EXPERIMENTAL_HTTP_RETRY flag to improve the retry & backoff behavior of NuGet clients such as increasing the maximum amount of retries and increasing the delay for a more resilient experience when encountering a weaker internet connection.

Exclude Default File Extensions

You can now use the MSBuild flag <AllowedOutputExtensionsInPackageBuildOutputFolder> to edit the file extensions included in the build output of your package. This gives you more control over the extensions being included in your build output folder.

Improved Deprecation Information in Visual Studio

Deprecated packages in Visual Studio now include a link to the suggested alternate package to use. You can use this feature to quickly browse and install packages that are actively maintained.

Add a Package README in Visual Studio

You can now add a package README.md file directly within Visual Studio. A README helps communicate important information about your package. It is often the first item a visitor will see when visiting your package on NuGet.org. README files typically include information on:

What the package does
Why the package is useful
How users can get started with the package
Where users can get help or contribute to your package

You can read more about adding a README to your NuGet package on our blog.

Faster Solution Load & Branch Switching in Visual Studio

In Visual Studio 2022, NuGet has redefined the contract between NuGet package restore and common Visual Studio components to improve performance for large solutions by only calling restore once instead of multiple times. This improves the time it takes for background processes to complete significantly.

Install Visual Studio 2022 and let us know if you notice a faster experience when loading your large solutions or switching between branches!

Closing

NuGet 6.0 is a big release that should improve many aspects of your daily package management needs. We’ve added a bunch of new features to Visual Studio experiences, improved restore performance to solution load & branch switching, and added support to .NET 6!

We’re excited to see you use NuGet 6.0 & include it in your toolset for building amazing things with .NET.

For more details on NuGet 6.0, see our official release notes.

Feedback

Your feedback is important to us. If there are any problems with this release, check our GitHub Issues and Visual Studio Developer Community for existing issues. For new issues within NuGet, please report a GitHub Issue. For general NuGet experience issues, let us know via the Report a Problem option found in your favorite IDE under Help > Report a Problem.

Jon Douglas Principal Program Manager, NuGet

6 comments

Discussion is closed. Login to edit/delete existing comments.

Renè Riedinger November 8, 2021 1:22 pm 0

@John Douglas the link for the standalone nuget.exe seems not to work. Here is the error:

BlobNotFound
The specified blob does not exist.
- Jon Douglas November 8, 2021 4:39 pm 0
  
  It should be fixed now. Sorry about that.
Tony Henrique November 8, 2021 1:23 pm 0

NuGet is very cool!
- Jon Douglas November 8, 2021 4:39 pm 0
  
  Thank you, Tony!
- Mike-E November 9, 2021 12:27 pm 0
  
  +1. I am in awe every time I have to update dependencies and watch it work its magic in Visual Studio. Really nice work over there, team. 🙏
Tristan Barcelon November 18, 2021 10:15 pm 0

Hi @Jon Douglas. You mentioned that there’s a Nuget 6 standalone download for Windows, Linux and MacOS however the link provided only references the Windows binary. Is there a package name we should search for in Linux or could you provide a direct link that doesn’t include the .net sdk?