The NuGet Blog

The latest news, updates, and insights from the NuGet team

NuGetAudit 2.0: Elevating Security and Trust in Package Management

July 17, 2024 Jul 17, 2024 07/17/24

Introduction In November 2023 (NuGet 6.8, Visual Studio 17.8, .NET SDK 8.0.100), we released NuGet Audit. NuGet Audit provides warnings during restore when a package with a known vulnerability is used by a project. More information about NuGet Audit, including detailed configuration options can be found on our learn website. New features are ...

Building a Safer Future – How NuGet is Tackling Software Supply Chain Threats

July 16, 2024 Jul 16, 2024 07/16/24

Jon Douglas

Despite significant technological progress in addressing complex security threats, the key to preventing the next attack lies in adhering to fundamental security principles. It's essential to ensure the software ecosystem is secure, focusing on protecting .NET developers who design, build, and maintain the critical software we all use. As the...

HTTPS Everywhere Update

September 19, 2023 Sep 19, 2023 09/19/23

Jon Douglas

Mistakes were made When we first published the plan for the effort of HTTPS everywhere, we wanted to get developer community feedback on the various HTTP and HTTPS scenarios that we don't have much everyday visibility of. After we published that blog, we heard you loud and clear that there was a gap. This plan needed a clear way to suppress ...

Introducing Transitive Dependencies in Visual Studio

August 9, 2022 Aug 9, 2022 08/9/22

Jon Douglas, Jean-Pierre Briedé

We heard from you that direct dependencies are easy to track, but that you struggle with tracking transitive dependencies. We want to make that easier for the day-to-day management of your NuGet packages in Visual Studio. To help you track transitive dependencies and remediate vulnerabilities quickly with SDK-style projects, we are ...

HTTPS everywhere

August 9, 2022 Aug 9, 2022 08/9/22

Jon Douglas

Safety guaranteed As an ongoing effort to make HTTPS everywhere a reality for NuGet, we have taken a number of steps to help protect your everyday package management experiences. Earlier this year, a security fact sheet from The White House reinforced companies to take action to secure our software supply chains. HTTPS and SSL not only ...

Requiring two-factor authentication on NuGet.org

February 22, 2022 Feb 22, 2022 02/22/22

Claire Novotny

NuGet.org will begin requiring two-factor authentication for accounts starting March 8th.

Introducing Package Source Mapping

September 15, 2021 Sep 15, 2021 09/15/21

Nikolche Kolev

We're happy to announce the first preview release of Package Source Mapping with Visual Studio 2022 preview 4! Package Source Mapping gives you fine-grained control of where your packages come from by mapping every package in your solution to a target package source.

.NET 5 NuGet Restore Failures on Linux distributions using NSS or ca-certificates

April 6, 2021 Apr 6, 2021 04/6/21

Jon Douglas

We will be releasing updated builds of NuGet this week to accommodate NuGet restore failures on Linux distributions. The failures are observed when updated versions of the NSS or ca-certificates packages are installed.

How to Scan NuGet Packages for Security Vulnerabilities

March 2, 2021 Mar 2, 2021 03/2/21

Drew Gillies

Today, we are announcing the public availability of NuGet’s vulnerability features that you can use to ensure your projects are vulnerability free and if not, to take action to securing your software supply chain.

The NuGet.org repository signing certificate will be updated as soon as March 15th, 2021

February 25, 2021 Feb 25, 2021 02/25/21

Christopher Gill

The current NuGet.org repository signing certificate will be updated as soon as March 15th, 2021. If you validate that packages are repository signed by NuGet.org, you will need to take steps to avoid disruptions when installing packages from NuGet.org.

The NuGet Blog

Security - The NuGet Blog