Merge pull request #3351 from NuGet/main

docs/TOC.md

@@ -344,6 +344,7 @@
 ### [Known Issues](release-notes/known-issues.md)
 
 ### NuGet 6.x
+#### [NuGet 6.12](release-notes/NuGet-6.12.md)
 #### [NuGet 6.11](release-notes/NuGet-6.11.md)
 #### [NuGet 6.10](release-notes/NuGet-6.10.md)
 #### [NuGet 6.9](release-notes/NuGet-6.9.md)

docs/concepts/Auditing-Packages.md

@@ -102,8 +102,8 @@ It is available for packages.config from [Visual Studio 17.12 and NuGet 6.12](..
 | [NU1905](../reference/errors-and-warnings/NU1905.md) | An audit source does not provide a vulnerability database |
 
 You can customize your build to treat these warnings as errors to [treat warnings as errors, or treat warnings not as errors](/dotnet/csharp/language-reference/compiler-options/errors-warnings#warningsaserrors-and-warningsnotaserrors).
-For example, if you're already using `<TreatWarningsAsErrors>` to treat all (C#, NuGet, MSBuild, etc) warnings as errors, you can use `<WarningsNotAsErrors>NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>` to prevent vulnerabilities discovered in the future from breaking your build.
-Alternatively, if you want to keep low and moderate vulnerabilities as warnings, but treat high and critical vulnerabilities as errors, and you're not using `TreatWarningsAsErrors`, you can use `<WarningsAsErrors>NU1903;NU1904</WarningsAsErrors>`.
+For example, if you're already using `<TreatWarningsAsErrors>` to treat all (C#, NuGet, MSBuild, etc) warnings as errors, you can use `<WarningsNotAsErrors>$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>` to prevent vulnerabilities discovered in the future from breaking your build.
+Alternatively, if you want to keep low and moderate vulnerabilities as warnings, but treat high and critical vulnerabilities as errors, and you're not using `TreatWarningsAsErrors`, you can use `<WarningsAsErrors>$(WarningsAsErrors);NU1903;NU1904</WarningsAsErrors>`.
 
 > [!NOTE]
 > MSBuild properties for message severity such as `NoWarn` and `TreatWarningsAsErrors` are not supported for packages.config projects.
@@ -130,8 +130,8 @@ If security vulnerabilities are found and updates are available for the package,
 If a known vulnerability exists in a top-level package's transitive dependencies, you have these options:
 
 - Add the fixed package version as a direct package reference. **Note:** Be sure to remove this reference when a new package version update becomes available and be sure to maintain the defined attributes for the expected behavior.
-- Use [Central Package Management with the transitive pinning functionality](https://learn.microsoft.com/nuget/consume-packages/Central-Package-Management#transitive-pinning).
-- [Suppress the advisory](https://learn.microsoft.com/nuget/concepts/auditing-packages#excluding-advisories) until it can be addressed.
+- Use [Central Package Management with the transitive pinning functionality](../consume-packages/Central-Package-Management.md#transitive-pinning).
+- [Suppress the advisory](#excluding-advisories) until it can be addressed.
 - File an issue in the top-level package's tracker to request an update.
 
 ### Security vulnerabilities found with no updates

docs/reference/errors-and-warnings/NU1011.md

@@ -15,7 +15,7 @@ f1_keywords:
 
 ### Issue
 
-`<PackageVersion />` items cannot contain floating versions.  NuGet's central package management (CPM) is considered an enterprise-level feature which provides easier version
+By default, `<PackageVersion />` items cannot contain floating versions.  NuGet's central package management (CPM) is considered an enterprise-level feature which provides easier version
 management at scale as well as deterministic and secure restores.  The use of floating versions introduces the possibility for a bad package to be introduced into your build
 after it has been pushed to a feed.  This can lead to a situation where you made no changes in your repository but suddenly something is broken and there is no way for you to
 get back into a good state without removing the floating version or pushing a newer version of the package which is fixed.  Using non-floating versions means that every upgrade
@@ -30,4 +30,11 @@ commit in your repository.
 
 ### Solution
 
-Change the floating version to a [non floating version range](../../concepts/Package-Versioning.md#version-ranges).
+It is recommended to change the floating version to a [non floating version range](../../concepts/Package-Versioning.md#version-ranges).  If that is not possible, you can enable
+floating versions with CPM by setting an MSBuild property:
+
+```xml
+<PropertyGroup>
+  <CentralPackageFloatingVersionsEnabled>true</CentralPackageFloatingVersionsEnabled>
+</PropertyGroup>
+```

docs/reference/nuspec.md

@@ -825,11 +825,11 @@ C#-specific content for net45 and up
     /contentFiles/cs/net45/sample.cs
 ```
 
-Empty folders can use `.` to opt out of providing content for certain combinations of language and TxM, for example:
+Empty folders can use `_._` to opt out of providing content for certain combinations of language and TxM, for example:
 
 ```
 /contentFiles/vb/any/code.vb
-/contentFiles/cs/any/.
+/contentFiles/cs/any/_._
 ```
 
 #### Example contentFiles section

docs/release-notes/NuGet-6.12.md

@@ -2,12 +2,10 @@
 title: NuGet 6.12 Release Notes
 description: Release notes for NuGet 6.12 including new features, bug fixes, and DCRs.
 author: zivkan
-ms.date: 8/19/2024
 ms.topic: conceptual
 ---
-# NuGet 6.12 Release Notes
 
-<!-- This is intentionally not yet added to TOC.md. When release notes are added for the GA release, add this file to TOC.md -->
+# NuGet 6.12 Release Notes
 
 NuGet distribution vehicles:
 
@@ -17,6 +15,147 @@ NuGet distribution vehicles:
 
 <sup>1</sup> Installed with Visual Studio 2022 with any .NET workload
 
-## Not yet released
+## Known Issues
+
+* Project and package in the same graph with the same name but different dependencies may lead to incorrect versions of the dependencies of that id [#13888](https://github.com/NuGet/Home/issues/13888)
+* VS PM UI shows warning icon about package vulnerability even after upgrade [#13866](https://github.com/NuGet/Home/issues/13866)
+* dotnet nuget why reports missing argument, even though it ran [#13908](https://github.com/NuGet/Home/issues/13908)
+
+## Summary: What's New in 6.12.1
+
+NuGet 6.12.1 is available in Visual Studio 17.12.0 and the .NET 9.0.101 SDK.
+
+### Issues fixed in this release
+
+* Deserializing an empty version range in a package dependency fails in .NET SDK 9.0.100-rc.2 [#13869](https://github.com/NuGet/Home/issues/13869)
+
+## Summary: What's New in 6.12
+
+NuGet 6.12.0 is available in the .NET 9.0.100 SDK.
+
+* Add new graph resolution algorithm for better performance with large graphs - [#13692](https://github.com/NuGet/Home/issues/13692)
+
+* Owner profile hyperlinks needed in Details Pane of PM UI - [#13686](https://github.com/NuGet/Home/issues/13686)
+
+* Audit security vulnerabilities without adding nuget.org as package source - [#12698](https://github.com/NuGet/Home/issues/12698)
+
+* Deprecate SHA-1 fingerprints usage in NuGet Sign commands in favor of SHA-2 family fingerprints [#13891](https://github.com/NuGet/Home/issues/13891)
+
+* Deprecate http usage: Promote from warning to error - [#13289](https://github.com/NuGet/Home/issues/13289)
+
+### Breaking changes
+
+* NuGetAudit should check transitive packages by default when the .NET 9 SDK is installed [#13293](https://github.com/NuGet/Home/issues/13293)
+
+* Change NuGetAuditMode default to all for non-SDK style projects - [#13584](https://github.com/NuGet/Home/issues/13584)
+
+### Issues fixed in this release
+
+* Bubble-up Known Vulnerability Indicators in Solution Explorer for Transitive Packages - [#13636](https://github.com/NuGet/Home/issues/13636)
+
+* Enable `dotnet nuget why` on non-SDK style projects - [#13576](https://github.com/NuGet/Home/issues/13576)
+
+* NuGetAuditSuppress for packages.config - [#13575](https://github.com/NuGet/Home/issues/13575)
+
+* Enable Transitive Dependencies for Solution-level in Visual Studio - [#13216](https://github.com/NuGet/Home/issues/13216)
+
+* Roll-out new breaking change process for SDK tools, respect SdkAnalysisLevel - [#13309](https://github.com/NuGet/Home/issues/13309)
+
+* Add property for toggling the to the previous NuGet resolver: RestoreUseLegacyDependencyResolver - [#13700](https://github.com/NuGet/Home/issues/13700)
+
+* Reduce allocations in TokenSegment.TryMatch - [#12728](https://github.com/NuGet/Home/issues/12728)
+
+* Use `SDKAnalysisLevel` in restore "https everywhere: promote from warning to error" - [#13546](https://github.com/NuGet/Home/issues/13546)
+
+* tweak wording of NU1603 - [#13446](https://github.com/NuGet/Home/issues/13446)
+
+* Default Package icon shown even when embedded icon file exists on disk - [#13766](https://github.com/NuGet/Home/issues/13766)
+
+* Navigation telemetry for hyperlinks: License, ReportAbuse, Readme, ProjectUrl - [#13749](https://github.com/NuGet/Home/issues/13749)
+
+* Navigation telemetry for Owner Profile URLs in PM UI - [#13738](https://github.com/NuGet/Home/issues/13738)
+
+* PM UI should show transitive path - [#13574](https://github.com/NuGet/Home/issues/13574)
+
+* NuGetVersion should use a factory to intern parsed versions - [#13532](https://github.com/NuGet/Home/issues/13532)
+
+* Remove NuGet.Packaging.Core code - [#13385](https://github.com/NuGet/Home/issues/13385)
+
+* PM UI transitive dependencies should display all transitive dependencies, not just ones brought in through packages directly installed in a project - [#13060](https://github.com/NuGet/Home/issues/13060)
+
+* Remove deprecated field "owners" from VS UI Details Pane - [#10666](https://github.com/NuGet/Home/issues/10666)
+
+* "Value cannot be null; Parameter name: source" displays in error list when clicking installed tab in PM UI - [#13801](https://github.com/NuGet/Home/issues/13801)
+
+* New dependency resolver does not properly handle missing package versions when using CPM - [#13788](https://github.com/NuGet/Home/issues/13788)
+
+* Saving PackageManagementFormat throws Nullable object must have a value. - [#13773](https://github.com/NuGet/Home/issues/13773)
+
+* ProjectReference causing PM UI to error with "Value cannot be null. Parameter name: frameworkIdentifier" - [#13737](https://github.com/NuGet/Home/issues/13737)
+
+* LockFileUtils.CreateLockFileTargetProject allocates a lot - [#13712](https://github.com/NuGet/Home/issues/13712)
+
+* ConvertToProjectPaths  causes extra allocations due to yield usage - [#13677](https://github.com/NuGet/Home/issues/13677)
+
+* dotnet add package with CPM installs a different version than what gets restored - [#13657](https://github.com/NuGet/Home/issues/13657)
+
+* `dotnet list package` does not work if project is using central package management system, after upgrading to `.NET 8.0` - [#13632](https://github.com/NuGet/Home/issues/13632)
+
+* Add a log code NuGetAuditSuppress duplicate items - [#13620](https://github.com/NuGet/Home/issues/13620)
+
+* Solution Explorer search can be broken by skipped dataflow updates - [#13619](https://github.com/NuGet/Home/issues/13619)
+
+* Add nullability declarations to ResolverUtility and RemoteWalkContext - [#13617](https://github.com/NuGet/Home/issues/13617)
+
+* Use of Obsolete X509Certificate2 ctor - [#13612](https://github.com/NuGet/Home/issues/13612)
+
+* nuget restore warnings can't be suppressed with NoWarn in Visual Studio - [#13571](https://github.com/NuGet/Home/issues/13571)
+
+* Restore may write nulls to project.assets.json  - [#13563](https://github.com/NuGet/Home/issues/13563)
+
+* VS 17.10 - Error building projects with CPM explicitly enabled if ManagePackageVersionsCentrally is set to false in Directory.Build.props - [#13560](https://github.com/NuGet/Home/issues/13560)
+
+* PERF: Version and VersionRange allocations are very prevalent in profiles of Roslyn solution load - [#13559](https://github.com/NuGet/Home/issues/13559)
+
+* PERF: LockFileFormat is filled completely when common callers only need some of the data - [#13558](https://github.com/NuGet/Home/issues/13558)
+
+* PERF: Unnecessary construction of LockFileItem.Properties dictionary - [#13557](https://github.com/NuGet/Home/issues/13557)
+
+* Narator does not read the value of  `allowInsecureConnections`  - [#13555](https://github.com/NuGet/Home/issues/13555)
+
+* NuGet fails because of invalid characters in User-Agent header - [#13531](https://github.com/NuGet/Home/issues/13531)
+
+* 'why' and 'config' command does not show up in 'dotnet nuget --help' output - [#13517](https://github.com/NuGet/Home/issues/13517)
+
+* allocation: nuget.protocol.dll!NuGet.Protocol.HttpCacheUtility+&lt;CreateCacheFileAsync&gt;d__.MoveNext|nuget.protocol.dll!NuGet.Protocol.PackageDependencyGroupConverter.ReadJson - [#13445](https://github.com/NuGet/Home/issues/13445)
+
+* Reduce allocations in ContentItemCollection - [#12657](https://github.com/NuGet/Home/issues/12657)
+
+* When a source isn't accessible, service index cannot be read issues suppress the internal message making it difficult to understand the root cause - [#12530](https://github.com/NuGet/Home/issues/12530)
+
+* [Bug]: Extra space at start of package description in tooltip - [#12105](https://github.com/NuGet/Home/issues/12105)
+
+* Map branch name from sourcelink to RepositoryBranch for NuGet pack - [#13625](https://github.com/NuGet/Home/issues/13625)
+
+[List of commits in this release](https://github.com/NuGet/NuGet.Client/compare/6.12.1.1...6.11.1.2)
+
+### Community contributions
+
+Thank you to all the contributors who helped make this NuGet release awesome!
 
-This version of NuGet is in preview and these release notes will be updated when it is released.
+* [akoeplinger](https://github.com/NuGet/NuGet.Client/pull/6005)
+  * [6005](https://github.com/NuGet/NuGet.Client/pull/6005) Improve build.sh and fixes for building on arm64 macOS
+  * [5956](https://github.com/NuGet/NuGet.Client/pull/5956) Add System.Formats.Asn1 into Version.Details.xml
+  * [5911](https://github.com/NuGet/NuGet.Client/pull/5911) Don't use obsolete X509Certificate2 constructor on net9.0
+* [ToddGrun](https://github.com/NuGet/NuGet.Client/pull/5862)
+  * [5862](https://github.com/NuGet/NuGet.Client/pull/5862) Reduce allocations for version / versionranges
+  * [5857](https://github.com/NuGet/NuGet.Client/pull/5857) Reduce memory allocations during solution load in VS
+  * [5861](https://github.com/NuGet/NuGet.Client/pull/5861) Defer LockFileItem.Properties dictionary construction until needed
+* [KirillOsenkov](https://github.com/NuGet/NuGet.Client/pull/6008)
+  * [6008](https://github.com/NuGet/NuGet.Client/pull/6008) Always debug RestoreTask and RestoreEx when environment variable is set
+* [vernou](https://github.com/NuGet/NuGet.Client/pull/5982)
+  * [5982](https://github.com/NuGet/NuGet.Client/pull/5982) Fix restore when a package is installed with a version specified in CPM
+* [mthalman](https://github.com/NuGet/NuGet.Client/pull/5959)
+  * [5959](https://github.com/NuGet/NuGet.Client/pull/5959) Allow override of System.Formats.Asn1 package version
+* [MattKotsenas](https://github.com/NuGet/NuGet.Client/pull/5923)
+  * [5923](https://github.com/NuGet/NuGet.Client/pull/5923) Map SourceBranchName from sourcelink to RepositoryBranch for NuGet pack

docs/release-notes/NuGet-6.13.md

@@ -0,0 +1,28 @@
+---
+title: NuGet 6.13 Release Notes
+description: Release notes for NuGet 6.13 including new features, bug fixes, and DCRs.
+author: zivkan
+ms.topic: conceptual
+---
+# NuGet 6.13 Release Notes
+
+<!--
+    This is intentionally not yet added to TOC.md.
+    When this version is ready for release:
+    1. Rename this file to the next version
+    2. Change the version strings in this file to the next version
+    3. Use the release tool to create the real release notes for the version ready for release
+    4. Add the release notes to TOC.yml
+-->
+
+NuGet distribution vehicles:
+
+| NuGet version | Available in Visual Studio version | Available in .NET SDK(s) |
+|:---|:---|:---|
+| [**6.13**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.13](https://visualstudio.microsoft.com/downloads/) | [9.0.2xx](https://dotnet.microsoft.com/download/dotnet/9.0)<sup>1</sup> |
+
+<sup>1</sup> Installed with Visual Studio 2022 with any .NET workload
+
+## Not yet released
+
+This version of NuGet is in preview and these release notes will be updated when it is released.