Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News NuGet 6.8 Released with Enhanced Security Features

NuGet 6.8 Released with Enhanced Security Features

Following the release of .NET 8.0, NuGet 6.8 was announced and is now included in Visual Studio 2022. NuGet 6.8 introduces significant enhancements, including NuGetAudit for package vulnerability notifications, an opt-out option for HTTPS Everywhere warnings, Package Source Mappings during installation/update via Package Manager UI, improved support for Conditional Package Updating in Visual Studio, and the addition of the ProtocolVersion argument to nuget source add.

Besides the Visual Studio 2022 standalone executables tailored for Windows, macOS, and Linux are now accessible for download.

Regarding the new features NuGetAudit now provides notifications regarding known vulnerabilities in PackageReference packages. Developers can receive warnings, configurable by severity threshold, as reported for direct and transitive packages, enhancing overall project security awareness.

In Visual Studio, audit information is displayed in the Error List window and project dependencies for SDK-style projects, with a warning bar appearing in the Solution Explorer after restore, alerting users to projects utilizing packages with known vulnerabilities. The Package Manager UI in Visual Studio now warns of transitive packages with known vulnerabilities on the "Installed" tab, even when an audit is configured for direct packages only.

Furthermore, regarding the security NuGet 6.8 addresses concerns raised in version 6.3 regarding non-HTTPS sources. The introduction of the allowInsecureConnections property in the nuget.config file now enables developers to opt out of HTTPS Everywhere warnings, providing flexibility based on individual security risk acceptance. With the note that the default setting is false for allowInsecureConnections.

Looking back to the .NET 6 release, Package Source Mapping was introduced, allowing precise control over package sources in a solution. NuGet 6.8 version now extends this functionality, enabling the automatic creation of package source mappings during package installation/update through the NuGet UI in Visual Studio. The tool now considers the Global Packages Folder for transitive dependencies, automatically mapping them if the source is enabled for the solution, failing with an error if not enabled.

Conditional Package Updating is now implemented in Visual Studio. Projects targeting multiple frameworks, like MAUI or Uno projects, with conditionally installed packages, will be correctly updated using the Package Manager UI or Package Manager Console.

As reported, before this release, updating conditional packages often triggered an NU1504 warning, attempting to install the package to all frameworks. The update in NuGet 6.8 recognizes when a package is conditionally installed, updating it only in the frameworks where it is installed.

Responding to developers and community requests, NuGet 6.8 introduces the ProtocolVersion argument to the nuget source add command in the Command Line Interface (CLI). Developers can now specify the protocolVersion property when adding a new package source, providing greater control over the source configuration process.

The release also mentions some of the breaking changes in NuGet SDK with the note that:

The following is a list of breaking changes in the NuGet SDK. If you are using NuGet tooling, such as Visual Studio or .NET SDK, you are not affected.

Specifically, NuGetOperationType has been removed from NuGet.PackageManagement, with users advised to use NuGetProjectActionType instead. PackageVulnerabilityInfo severity has shifted from an integer to an enumeration, and nullable annotations have been added to NuGet.Common, and Clone methods on immutable types are deprecated.

Lastly, readers are encouraged to take a look at full release notes, since they hold detailed info about issues fixed in this release.

About the Author

Rate this Article