
NuGet 6.7 Announced with Enhanced Security Features

The NuGet team announced NuGet 6.7, an update that introduces a set of advanced security features. These enhancements span from updated package source mapping to the integration of vulnerability APIs, updated package version dropdowns, and the addition of warning messages to tackle trust chain issues.

At the core of NuGet 6.7 lies a refined approach to package source mapping. Now, developers are instantly alerted if NuGet packages are not correctly mapped to their designated package sources. A Configure link accompanies these alerts, guiding developers to swiftly adjust their NuGet.config package source mappings, enhancing control and security.

The management of package source mappings has been made more intuitive with NuGet 6.7. Through the Tools > Options > NuGet Package Manager > Package Source Mappings menu, developers gain a centralized space to manage all their mappings.

NuGet 6.7 also introduces the new VulnerabilityInfo API in NuGet.Protocol. Part of the V3 protocol, this API gives developers access to package vulnerability information. It is particularly valuable when a comprehensive vulnerability assessment is required during restore operations, so that developers can make informed choices when integrating new packages.

As reported back in May with the announcement of .NET 8 Preview 4, security auditing is enabled as follows:

At any time you wish to receive security audit reports, you can opt-in to the experience by setting the following MSBuild property in a .csproj or MSBuild file being evaluated as part of your project:

<NuGetAudit>true</NuGetAudit>

Additionally, ensure that you have the NuGet.org central registry defined as one of your package sources to retrieve the known vulnerability dataset:

<packageSources>
  <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
</packageSources>
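The two features above, package source mapping and the nuget.org source that the audit dataset is fetched from, come together in a single NuGet.config. The file below is an added example written for this article, not configuration from the NuGet team's post; the internal feed name and URL are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <!-- Drop any sources inherited from machine- or user-level config so that
         only the feeds listed here are consulted. -->
    <clear />
    <!-- nuget.org must be present: NuGetAudit pulls the known-vulnerability
         dataset from this V3 endpoint during restore. -->
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
    <!-- Placeholder for a private feed; replace with your organisation's URL. -->
    <add key="contoso-internal" value="https://pkgs.example.invalid/nuget/v3/index.json" />
  </packageSources>

  <packageSourceMapping>
    <!-- Packages with the organisation's prefix are restored only from the
         private feed, so a same-named package published to nuget.org is never
         substituted for them. The most specific matching pattern wins. -->
    <packageSource key="contoso-internal">
      <package pattern="Contoso.*" />
    </packageSource>
    <!-- Everything else maps to nuget.org. With mapping enabled, a package
         that matches no pattern fails restore instead of being fetched from
         an arbitrary source, which is the alert NuGet 6.7 now surfaces with
         its Configure link. -->
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
  </packageSourceMapping>
</configuration>
```

The `<NuGetAudit>true</NuGetAudit>` property shown above still goes in the project or MSBuild file; NuGet.config only controls which sources and mappings the audited restore uses.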

Furthermore, NuGet 6.7 empowers developers with pre-selection insights, a feature designed to detect vulnerabilities. Before selecting package versions using the version selector in Visual Studio, users can now gauge the potential vulnerabilities associated with their choices.

(Source: Microsoft DevBlogs: Nuget)

With an unwavering focus on trust, NuGet 6.7 introduces novel warning messages for Linux and macOS users. This includes a fresh warning NU3042, complementing the existing NU3018/NU3028 warnings. This dynamic warning system identifies untrusted certificate chain issues and provides actionable guidance on these platforms.

The following X.509 root certificate is untrusted because it is not present in the certificate bundle at <file-path>. For more information, see documentation for NU3042.
  Subject: <certificate subject>
  Fingerprint (SHA-256): <certificate fingerprint>
  Certificate (PEM):
  <PEM-encoded certificate>

In addition, the original blog post pays tribute to the spirit of community collaboration: the NuGet team extends its gratitude to the dedicated community contributors.

On behalf of the NuGet team and the entire .NET community, we’d like to express our sincere gratitude to all the community contributors who have generously given their time and expertise to improve NuGet this release. Thank you.

Lastly, in terms of features, NuGet 6.7 is a pivotal release that raises the bar for secure package management. For an in-depth look at everything in NuGet 6.7, refer to the official release notes. The development team is also asking developers for feedback, both to report new issues and to learn about existing ones.
