Announcing NuGet.exe and NuGet Client SDK Packages Support Policy: Keeping You Informed and Secure
At NuGet, our commitment is to ensure that our users have access to the latest, most secure, and well-maintained versions of our tools and packages. With this in mind, we would like to announce the NuGet Support Policy, a set of guidelines designed to keep you informed about the status of NuGet.exe and NuGet Client SDK packages on nuget.org.
Why We’re Introducing This Policy
We firmly believe that transparency and security are of utmost importance in software development. Here’s why we’re implementing this policy:
-
Raising Vulnerability Awareness: Data reveals that a significant percentage of downloaded NuGet.exe versions are either vulnerable or no longer supported. We want you to understand the risks associated with using such versions.
-
Enhancing Package Maintenance: While many NuGet Client SDK packages offer multiple versions, not all of them are actively maintained. We want to ensure that you can make informed decisions about your package dependencies.
What You Can Expect
NuGet Client tools are distributed through the following vehicles. The support for NuGet tooling in Visual Studio and the .NET SDK aligns with the support policies of those distributions. We want to ensure the community is aware of the support policy for other distribution vehicles, such as NuGet.exe and NuGet Client SDK packages.
| NuGet Distribution Vehicle | Support Policy |
|---|---|
| Visual Studio for Windows | Visual Studio Product Lifecycle and Servicing |
| .NET SDK | .NET and .NET Core Support Policy |
| NuGet Client SDK packages | Microsoft Modern Lifecycle Policy. Publishing soon to NuGet docs. |
| NuGet.exe | Microsoft Modern Lifecycle Policy. Publishing soon to NuGet docs. |
The current versions of both NuGet.exe and the NuGet Client SDK packages will be supported. Here’s what you can expect in the future:
Full Support for Current Version
We are fully committed to supporting the most recent version of NuGet.exe and NuGet Client SDK packages. This means you can rely on us for bug fixes, updates, and enhancements exclusive to the version currently under development.
Security Patch Releases
We will release patched versions of NuGet.exe and NuGet Client SDK packages exclusively when critical security fixes are required for a long-term support (LTS) version of Visual Studio or .NET SDK.
NuGet.exe unlisting
We will begin to remove links to deprecated and vulnerable versions of NuGet.exe from tool.json by March 31st, 2024.
Package Deprecation
We will deprecate older versions of NuGet Client SDK packages that are not tied to an LTS version of either Visual Studio or .NET by January 31, 2024. We will follow Deprecating packages guidance on nuget.org to ensure a seamless transition.
Going forward, our approach will probably align with the .NET Package Maintenance (deprecation) guidance.
Our Unwavering Commitment
Our team is dedicated to providing you with the finest NuGet experience possible. The NuGet Support Policy is our way of ensuring you have the information and tools needed to make informed decisions regarding your NuGet dependencies.
Here are steps you can take to leverage the NuGet Support Policy effectively:
- Use the latest versions of NuGet.exe & NuGet Client SDK packages.
- Note that we will release patches for these distribution vehicles when critical security fixes are required for an LTS version of either Visual Studio or the .NET SDK.
- Watch for unlisted NuGet.exe versions in tool.json
- Examine your project for dependencies on deprecated NuGet Client SDK packages.
We extend our gratitude for being a part of our community and for entrusting NuGet as a pivotal component of your development process.
Should you have any questions or feedback concerning the NuGet Support Policy, please don’t hesitate to reach out to us. Your input is invaluable as we continually enhance our platform.
Stay secure and enjoy coding!
Light
Dark
2 comments
Will (the current version) of nuget.exe be included in Visual Studio going forward?
There are no plans to include nuget.exe in Visual Studio. I am curious, how would it help in your scenario if nuget.exe were included in Visual Studio? Since Visual Studio installs the .NET SDK, how about leveraging NuGet functionality via the .NET CLI instead of NuGet.exe?