NuGet · Mikejo5000 · Sep 10, 2024 · Aug 13, 2024 · Aug 17, 2024 · Aug 22, 2024
@@ -183,6 +183,8 @@
 ### [NU1504](reference/errors-and-warnings/NU1504.md)
 ### [NU1505](reference/errors-and-warnings/NU1505.md)
 ### [NU1506](reference/errors-and-warnings/NU1506.md)
+### [NU1507](reference/errors-and-warnings/NU1507.md)
+### [NU1508](reference/errors-and-warnings/NU1508.md)
 ### [NU1601](reference/errors-and-warnings/NU1601.md)
 ### [NU1602](reference/errors-and-warnings/NU1602.md)
 ### [NU1603](reference/errors-and-warnings/NU1603.md)

@@ -22,11 +22,11 @@ We also have a [blog post](https://devblogs.microsoft.com/nuget/nugetaudit-2-0-e
 
 | NuGet | .NET SDK | Visual Studio | Feature |
 |-------|----------|---------------|---------|
-| 5.9 | .NET 5 SDK (5.0.200) | N/A | [`dotnet list package --vulnerable`](#dotnet-list-package---vulnerable) |
-| 6.8 | .NET 8 SDK (8.0.100) | Visual Studio 2022 17.8 | [NuGetAudit](#running-a-security-audit-with-restore) for PackageReference |
-| 6.10 | N/A | Visual Studio 2022 17.10 | [NuGetAudit](#running-a-security-audit-with-restore) for packages.config|
-| 6.11 | .NET 8 SDK (8.0.400) | Visual Studio 2022 17.11 | [NuGetAuditSuppress](#excluding-advisories) for PackageReference |
-| 6.12 | .NET 9 SDK (9.0.100) | Visual Studio 2022 17.12 | [Audit sources](#audit-sources). [NuGetAuditSuppress](#excluding-advisories) for packages.config. |
+| [5.9](../release-notes/NuGet-5.9.md) | .NET 5 SDK (5.0.200) | N/A | [`dotnet list package --vulnerable`](#dotnet-list-package---vulnerable) |
+| [6.8](../release-notes/NuGet-6.8.md) | .NET 8 SDK (8.0.100) | Visual Studio 2022 17.8 | [NuGetAudit](#running-a-security-audit-with-restore) for PackageReference |
+| [6.10](../release-notes/NuGet-6.10.md) | N/A | Visual Studio 2022 17.10 | [NuGetAudit](#running-a-security-audit-with-restore) for packages.config|
+| [6.11](../release-notes/NuGet-6.11.md) | .NET 8 SDK (8.0.400) | Visual Studio 2022 17.11 | [NuGetAuditSuppress](#excluding-advisories) for PackageReference |
+| [6.12](../release-notes/NuGet-6.12.md) | .NET 9 SDK (9.0.100) | Visual Studio 2022 17.12 | [Audit sources](#audit-sources). [NuGetAuditSuppress](#excluding-advisories) for packages.config. |
 
 ## Running a security audit with `restore`
 
@@ -48,7 +48,7 @@ We recommend that audit is configured at a repository level.
 | NuGetAuditLevel | low | `low`, `moderate`, `high`, and `critical` | The minimum severity level to report. If you'd like to see `moderate`, `high`, and `critical` advisories (exclude `low`), set the value to `moderate` |
 | NuGetAudit | true | `true` and `false` | If you wish to not receive security audit reports, you can opt-out of the experience entirely by setting the value to `false` |
 
-(1) NuGetAuditMode defaulted to `direct` when it was introduced in the .NET 8.0.100 SDK and VS 17.8. In .NET 9.0.100 SDK and VS 17.12 the default changed to `all`.
+(1) NuGetAuditMode defaulted to `direct` when it was introduced in [the .NET 8.0.100 SDK and VS 17.8](../release-notes/NuGet-6.8.md). In [.NET 9.0.100 SDK and VS 17.12](../release-notes/NuGet-6.12.md) the default changed to `all`.
 
 #### Audit Sources
 
@@ -70,7 +70,7 @@ Note that the [V2 protocol is deprecated](../nuget-org/overview-nuget-org.md#api
 </configuration>
 ```
 
-Audit sources are available from NuGet 6.12, .NET 9.0.100 SDK, and Visual Studio 2022 17.12.
+Audit sources are available from [NuGet 6.12, .NET 9.0.100 SDK, and Visual Studio 2022 17.12](../release-notes/NuGet-6.12.md).
 Prior to this version, NuGet Audit will only use package sources to download vulnerability information.
 Audit sources are not used by `dotnet list package --vulnerable` at this time.
 
@@ -87,8 +87,8 @@ Define a `NuGetAuditSuppress` item with the `Include=` metadata set to the advis
 
 Similar to the other NuGet audit configuration properties, `NuGetAuditSuppress` items can be defined at the project or repository level.
 
-`NuGetAuditSuppress` is available for PackageReference projects starting from NuGet 6.11, Visual Studio 17.11, and the .NET 8.0.400 SDK.
-It is available for packages.config with Visual Studio 17.12 and NuGet 6.12.
+`NuGetAuditSuppress` is available for PackageReference projects starting from [NuGet 6.11, Visual Studio 17.11, and the .NET 8.0.400 SDK](../release-notes/NuGet-6.11.md).
+It is available for packages.config from [Visual Studio 17.12 and NuGet 6.12](../release-notes/NuGet-6.12.md).
 
 ### Warning codes
 

@@ -43,7 +43,7 @@ NuGet supports the following configuration properties.
 
 | Group | Warning numbers |
 | --- | --- |
-| Invalid input warnings | [NU1501](./errors-and-warnings/NU1501.md), [NU1502](./errors-and-warnings/NU1502.md), [NU1503](./errors-and-warnings/NU1503.md), [NU1504](./errors-and-warnings/NU1504.md), [NU1505](./errors-and-warnings/NU1505.md), [NU1506](./errors-and-warnings/NU1506.md), [NU1507](./errors-and-warnings/NU1507.md) |
+| Invalid input warnings | [NU1501](./errors-and-warnings/NU1501.md), [NU1502](./errors-and-warnings/NU1502.md), [NU1503](./errors-and-warnings/NU1503.md), [NU1504](./errors-and-warnings/NU1504.md), [NU1505](./errors-and-warnings/NU1505.md), [NU1506](./errors-and-warnings/NU1506.md), [NU1507](./errors-and-warnings/NU1507.md), [NU1508](./errors-and-warnings/NU1508.md) |
 | Unexpected package version warnings | [NU1601](./errors-and-warnings/NU1601.md), [NU1602](./errors-and-warnings/NU1602.md), [NU1603](./errors-and-warnings/NU1603.md), [NU1604](./errors-and-warnings/NU1604.md), [NU1605](./errors-and-warnings/NU1605.md), [NU1606](./errors-and-warnings/NU1108.md), [NU1607](./errors-and-warnings/NU1107.md) |
 | Resolver conflict warnings | [NU1608](./errors-and-warnings/NU1608.md) |
 | Package fallback warnings | [NU1701](./errors-and-warnings/NU1701.md), [NU1702](./errors-and-warnings/NU1702.md), [NU1703](./errors-and-warnings/NU1703.md)|

@@ -0,0 +1,26 @@
+---
+title: NuGet Warning NU1508
+description: NU1508 warning code
+author: zivkan
+ms.author: zivkan
+ms.date: 08/10/2024
+ms.topic: reference
+f1_keywords: 
+  - "NU1508"
+---
+
+# NuGet Warning NU1508
+
+## Scenario 1
+
+> Duplicate 'NuGetAuditSuppress' items found. Remove the duplicate items or use the Update functionality to ensure a consistent restore behavior. The duplicate 'NuGetAuditSuppress' items are: https://contoso.test/cve/1 , https://contoso.test/cve/1 .
+
+### Issue
+
+Sometimes when adding `NuGetAuditSuppress` items, you may end up adding an item for a particular package multiple times.
+
+MSBuild projects commonly import multiple `.props` and `.targets` files, so the duplicates might not be in the same file, but may be in included files, such as `Directory.Build.props`, `Directory.Packages.props`, or `Directory.Build.targets`.
+
+### Solution
+
+Remove the duplicate item, so that it's included exactly once.
@@ -47,14 +47,7 @@ For example, `<NuGetAuditLevel>high</NuGetAuditLevel>`.
 
 If you would like to suppress a specific advisory, add an MSBuild [NuGetAuditSuppress](../../concepts/Auditing-Packages.md#excluding-advisories) item.
 For example `<NuGetAuditSuppress Include="https://github.com/advisories/GHSA-g3q9-xf95-8hp5" />`.
+`NuGetAuditSuppress` is available from [VS 17.11 and .NET 8.0.400 SDK](../../release-notes/NuGet-6.11.md) for projects using `PackageReference`, and from [VS 17.12](../../release-notes/NuGet-6.12.md) for projects using `packages.config`.
 
 If you do not want NuGet to check for packages with known vulnerabilities during restore, add `<NuGetAudit>false</NuGetAudit>` inside a `<PropertyGroup>` in your project file, or a [`Directory.Build.props` file](/visualstudio/msbuild/customize-by-directory).
 If you would like to run NuGet Audit on developer machines, but disable it on CI pipelines, you can take advantage of MSBuild importing environment variables, and create a NuGetAudit environment variable set to `false` in your pipeline definition.
-
-> [!NOTE]
-> The initial release of NuGetAudit [does not provide a way to suppress specific advisories (URLs)](https://github.com/NuGet/Home/issues/11926).
-> It is a feature we intend on adding based on prioritization of other improvements.
->
-> As a mitigation, you can add an appropriate `NoWarn` to your `PackageReference` declarations.
-> For example, `<PackageReference Include="Contoso.Library" Version="1.0.0" NoWarn="NU1901" />`.
-> However, be aware that this will prevent new vulnerabilities of the same severity from being reported to you.
@@ -147,6 +147,7 @@ Lists all known package sources. The order is ignored during restore operations
 
 Lists all known audit sources, which [NuGet Audit](../concepts/Auditing-Packages.md#running-a-security-audit-with-restore) will use during restore.
 If no audit sources are provided, restore will use package sources and suppress [NU1905](../reference/errors-and-warnings/NU1905.md).
+`auditSources` was added to [NuGet 6.12](../release-notes/NuGet-6.12.md).
 
 Audit sources support the same attributes as `packageSources` (`protocolVersion`, `allowInsecureConnections`), and sources that require authentication are configured with `packageSourceCredentials`, the same way as `packageSources`.
 

@@ -0,0 +1,22 @@
+---
+title: NuGet 6.12 Release Notes
+description: Release notes for NuGet 6.12 including new features, bug fixes, and DCRs.
+author: zivkan
+ms.date: 8/19/2024
+ms.topic: conceptual
+---
+# NuGet 6.12 Release Notes
+
+<!-- This is intentionally not yet added to TOC.md. When release notes are added for the GA release, add this file to TOC.md -->
+
+NuGet distribution vehicles:
+
+| NuGet version | Available in Visual Studio version | Available in .NET SDK(s) |
+|:---|:---|:---|
+| [**6.12**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.12](https://visualstudio.microsoft.com/downloads/) | [9.0.1xx](https://dotnet.microsoft.com/download/dotnet/9.0)<sup>1</sup> |
+
+<sup>1</sup> Installed with Visual Studio 2022 with any .NET workload
+
+## Not yet released
+
+This version of NuGet is in preview and these release notes will be updated when it is released.