diff --git a/docs/TOC.md b/docs/TOC.md index 9efbb2f86..a1cc9d343 100644 --- a/docs/TOC.md +++ b/docs/TOC.md @@ -344,6 +344,7 @@ ### [Known Issues](release-notes/known-issues.md) ### NuGet 6.x +#### [NuGet 6.12](release-notes/NuGet-6.12.md) #### [NuGet 6.11](release-notes/NuGet-6.11.md) #### [NuGet 6.10](release-notes/NuGet-6.10.md) #### [NuGet 6.9](release-notes/NuGet-6.9.md) diff --git a/docs/concepts/Auditing-Packages.md b/docs/concepts/Auditing-Packages.md index d05323ad8..ce331a686 100644 --- a/docs/concepts/Auditing-Packages.md +++ b/docs/concepts/Auditing-Packages.md 
@@ -102,8 +102,8 @@ It is available for packages.config from [Visual Studio 17.12 and NuGet 6.12](.. | [NU1905](../reference/errors-and-warnings/NU1905.md) | An audit source does not provide a vulnerability database | You can customize your build to treat these warnings as errors to [treat warnings as errors, or treat warnings not as errors](/dotnet/csharp/language-reference/compiler-options/errors-warnings#warningsaserrors-and-warningsnotaserrors). -For example, if you're already using `` to treat all (C#, NuGet, MSBuild, etc) warnings as errors, you can use `NU1901;NU1902;NU1903;NU1904` to prevent vulnerabilities discovered in the future from breaking your build. -Alternatively, if you want to keep low and moderate vulnerabilities as warnings, but treat high and critical vulnerabilities as errors, and you're not using `TreatWarningsAsErrors`, you can use `NU1903;NU1904`. +For example, if you're already using `` to treat all (C#, NuGet, MSBuild, etc) warnings as errors, you can use `$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904` to prevent vulnerabilities discovered in the future from breaking your build. +Alternatively, if you want to keep low and moderate vulnerabilities as warnings, but treat high and critical vulnerabilities as errors, and you're not using `TreatWarningsAsErrors`, you can use `$(WarningsAsErrors);NU1903;NU1904`. > [!NOTE] > MSBuild properties for message severity such as `NoWarn` and `TreatWarningsAsErrors` are not supported for packages.config projects. 
@@ -130,8 +130,8 @@ If security vulnerabilities are found and updates are available for the package, If a known vulnerability exists in a top-level package's transitive dependencies, you have these options: - Add the fixed package version as a direct package reference. **Note:** Be sure to remove this reference when a new package version update becomes available and be sure to maintain the defined attributes for the expected behavior. -- Use [Central Package Management with the transitive pinning functionality](https://learn.microsoft.com/nuget/consume-packages/Central-Package-Management#transitive-pinning). -- [Suppress the advisory](https://learn.microsoft.com/nuget/concepts/auditing-packages#excluding-advisories) until it can be addressed. +- Use [Central Package Management with the transitive pinning functionality](../consume-packages/Central-Package-Management.md#transitive-pinning). +- [Suppress the advisory](#excluding-advisories) until it can be addressed. - File an issue in the top-level package's tracker to request an update. ### Security vulnerabilities found with no updates diff --git a/docs/reference/errors-and-warnings/NU1011.md b/docs/reference/errors-and-warnings/NU1011.md index cdd4e9567..9e966a2e5 100644 --- a/docs/reference/errors-and-warnings/NU1011.md +++ b/docs/reference/errors-and-warnings/NU1011.md 
@@ -15,7 +15,7 @@ f1_keywords: ### Issue -`` items cannot contain floating versions. NuGet's central package management (CPM) is considered an enterprise-level feature which provides easier version +By default, `` items cannot contain floating versions. NuGet's central package management (CPM) is considered an enterprise-level feature which provides easier version management at scale as well as deterministic and secure restores. The use of floating versions introduces the possibility for a bad package to be introduced into your build after it has been pushed to a feed. This can lead to a situation where you made no changes in your repository but suddenly something is broken and there is no way for you to get back into a good state without removing the floating version or pushing a newer version of the package which is fixed. Using non-floating versions means that every upgrade @@ -30,4 +30,11 @@ commit in your repository. ### Solution -Change the floating version to a [non floating version range](../../concepts/Package-Versioning.md#version-ranges). +It is recommended to change the floating version to a [non floating version range](../../concepts/Package-Versioning.md#version-ranges). If that is not possible, you can enable +floating versions with CPM by setting an MSBuild property: + +```xml + + true + +``` diff --git a/docs/reference/nuspec.md b/docs/reference/nuspec.md index fa9c09c6c..da7370ef6 100644 --- a/docs/reference/nuspec.md +++ b/docs/reference/nuspec.md @@ -825,11 +825,11 @@ C#-specific content for net45 and up /contentFiles/cs/net45/sample.cs ``` -Empty folders can use `.` to opt out of providing content for certain combinations of language and TxM, for example: +Empty folders can use `_._` to opt out of providing content for certain combinations of language and TxM, for example: ``` /contentFiles/vb/any/code.vb -/contentFiles/cs/any/. +/contentFiles/cs/any/_._ ``` #### Example contentFiles section 
diff --git a/docs/release-notes/NuGet-6.12.md b/docs/release-notes/NuGet-6.12.md index 17b55019b..6808aa972 100644 --- a/docs/release-notes/NuGet-6.12.md +++ b/docs/release-notes/NuGet-6.12.md @@ -2,12 +2,10 @@ title: NuGet 6.12 Release Notes description: Release notes for NuGet 6.12 including new features, bug fixes, and DCRs. author: zivkan -ms.date: 8/19/2024 ms.topic: conceptual --- -# NuGet 6.12 Release Notes - +# NuGet 6.12 Release Notes NuGet distribution vehicles: 
@@ -17,6 +15,147 @@ NuGet distribution vehicles: 1 Installed with Visual Studio 2022 with any .NET workload -## Not yet released +## Known Issues + +* Project and package in the same graph with the same name but different dependencies may lead to incorrect versions of the dependencies of that id [#13888](https://github.com/NuGet/Home/issues/13888) +* VS PM UI shows warning icon about package vulnerability even after upgrade [#13866](https://github.com/NuGet/Home/issues/13866) +* dotnet nuget why reports missing argument, even though it ran [#13908](https://github.com/NuGet/Home/issues/13908) + +## Summary: What's New in 6.12.1 + +NuGet 6.12.1 is available in Visual Studio 17.12.0 and the .NET 9.0.101 SDK. + +### Issues fixed in this release + +* Deserializing an empty version range in a package dependency fails in .NET SDK 9.0.100-rc.2 [#13869](https://github.com/NuGet/Home/issues/13869) + +## Summary: What's New in 6.12 + +NuGet 6.12.0 is available in the .NET 9.0.100 SDK. + +* Add new graph resolution algorithm for better performance with large graphs - [#13692](https://github.com/NuGet/Home/issues/13692) + +* Owner profile hyperlinks needed in Details Pane of PM UI - [#13686](https://github.com/NuGet/Home/issues/13686) + +* Audit security vulnerabilities without adding nuget.org as package source - [#12698](https://github.com/NuGet/Home/issues/12698) + +* Deprecate SHA-1 fingerprints usage in NuGet Sign commands in favor of SHA-2 family fingerprints [#13891](https://github.com/NuGet/Home/issues/13891) + +* Deprecate http usage: Promote from warning to error - [#13289](https://github.com/NuGet/Home/issues/13289) + +### Breaking changes + +* NuGetAudit should check transitive packages by default when the .NET 9 SDK is installed [#13293](https://github.com/NuGet/Home/issues/13293) + +* Change NuGetAuditMode default to all for non-SDK style projects - [#13584](https://github.com/NuGet/Home/issues/13584) + +### Issues fixed in this release + +* Bubble-up Known 
Vulnerability Indicators in Solution Explorer for Transitive Packages - [#13636](https://github.com/NuGet/Home/issues/13636) + +* Enable `dotnet nuget why` on non-SDK style projects - [#13576](https://github.com/NuGet/Home/issues/13576) + +* NuGetAuditSuppress for packages.config - [#13575](https://github.com/NuGet/Home/issues/13575) + +* Enable Transitive Dependencies for Solution-level in Visual Studio - [#13216](https://github.com/NuGet/Home/issues/13216) + +* Roll-out new breaking change process for SDK tools, respect SdkAnalysisLevel - [#13309](https://github.com/NuGet/Home/issues/13309) + +* Add property for toggling the to the previous NuGet resolver: RestoreUseLegacyDependencyResolver - [#13700](https://github.com/NuGet/Home/issues/13700) + +* Reduce allocations in TokenSegment.TryMatch - [#12728](https://github.com/NuGet/Home/issues/12728) + +* Use `SDKAnalysisLevel` in restore "https everywhere: promote from warning to error" - [#13546](https://github.com/NuGet/Home/issues/13546) + +* tweak wording of NU1603 - [#13446](https://github.com/NuGet/Home/issues/13446) + +* Default Package icon shown even when embedded icon file exists on disk - [#13766](https://github.com/NuGet/Home/issues/13766) + +* Navigation telemetry for hyperlinks: License, ReportAbuse, Readme, ProjectUrl - [#13749](https://github.com/NuGet/Home/issues/13749) + +* Navigation telemetry for Owner Profile URLs in PM UI - [#13738](https://github.com/NuGet/Home/issues/13738) + +* PM UI should show transitive path - [#13574](https://github.com/NuGet/Home/issues/13574) + +* NuGetVersion should use a factory to intern parsed versions - [#13532](https://github.com/NuGet/Home/issues/13532) + +* Remove NuGet.Packaging.Core code - [#13385](https://github.com/NuGet/Home/issues/13385) + +* PM UI transitive dependencies should display all transitive dependencies, not just ones brought in through packages directly installed in a project - [#13060](https://github.com/NuGet/Home/issues/13060) + +* Remove 
deprecated field "owners" from VS UI Details Pane - [#10666](https://github.com/NuGet/Home/issues/10666) + +* "Value cannot be null; Parameter name: source" displays in error list when clicking installed tab in PM UI - [#13801](https://github.com/NuGet/Home/issues/13801) + +* New dependency resolver does not properly handle missing package versions when using CPM - [#13788](https://github.com/NuGet/Home/issues/13788) + +* Saving PackageManagementFormat throws Nullable object must have a value. - [#13773](https://github.com/NuGet/Home/issues/13773) + +* ProjectReference causing PM UI to error with "Value cannot be null. Parameter name: frameworkIdentifier" - [#13737](https://github.com/NuGet/Home/issues/13737) + +* LockFileUtils.CreateLockFileTargetProject allocates a lot - [#13712](https://github.com/NuGet/Home/issues/13712) + +* ConvertToProjectPaths causes extra allocations due to yield usage - [#13677](https://github.com/NuGet/Home/issues/13677) + +* dotnet add package with CPM installs a different version than what gets restored - [#13657](https://github.com/NuGet/Home/issues/13657) + +* `dotnet list package` does not work if project is using central package management system, after upgrading to `.NET 8.0` - [#13632](https://github.com/NuGet/Home/issues/13632) + +* Add a log code NuGetAuditSuppress duplicate items - [#13620](https://github.com/NuGet/Home/issues/13620) + +* Solution Explorer search can be broken by skipped dataflow updates - [#13619](https://github.com/NuGet/Home/issues/13619) + +* Add nullability declarations to ResolverUtility and RemoteWalkContext - [#13617](https://github.com/NuGet/Home/issues/13617) + +* Use of Obsolete X509Certificate2 ctor - [#13612](https://github.com/NuGet/Home/issues/13612) + +* nuget restore warnings can't be suppressed with NoWarn in Visual Studio - [#13571](https://github.com/NuGet/Home/issues/13571) + +* Restore may write nulls to project.assets.json - [#13563](https://github.com/NuGet/Home/issues/13563) + +* VS 
17.10 - Error building projects with CPM explicitly enabled if ManagePackageVersionsCentrally is set to false in Directory.Build.props - [#13560](https://github.com/NuGet/Home/issues/13560) + +* PERF: Version and VersionRange allocations are very prevalent in profiles of Roslyn solution load - [#13559](https://github.com/NuGet/Home/issues/13559) + +* PERF: LockFileFormat is filled completely when common callers only need some of the data - [#13558](https://github.com/NuGet/Home/issues/13558) + +* PERF: Unnecessary construction of LockFileItem.Properties dictionary - [#13557](https://github.com/NuGet/Home/issues/13557) + +* Narator does not read the value of `allowInsecureConnections` - [#13555](https://github.com/NuGet/Home/issues/13555) + +* NuGet fails because of invalid characters in User-Agent header - [#13531](https://github.com/NuGet/Home/issues/13531) + +* 'why' and 'config' command does not show up in 'dotnet nuget --help' output - [#13517](https://github.com/NuGet/Home/issues/13517) + +* allocation: nuget.protocol.dll!NuGet.Protocol.HttpCacheUtility+<CreateCacheFileAsync>d__.MoveNext|nuget.protocol.dll!NuGet.Protocol.PackageDependencyGroupConverter.ReadJson - [#13445](https://github.com/NuGet/Home/issues/13445) + +* Reduce allocations in ContentItemCollection - [#12657](https://github.com/NuGet/Home/issues/12657) + +* When a source isn't accessible, service index cannot be read issues suppress the internal message making it difficult to understand the root cause - [#12530](https://github.com/NuGet/Home/issues/12530) + +* [Bug]: Extra space at start of package description in tooltip - [#12105](https://github.com/NuGet/Home/issues/12105) + +* Map branch name from sourcelink to RepositoryBranch for NuGet pack - [#13625](https://github.com/NuGet/Home/issues/13625) + +[List of commits in this release](https://github.com/NuGet/NuGet.Client/compare/6.12.1.1...6.11.1.2) + +### Community contributions + +Thank you to all the contributors who helped make this NuGet 
release awesome! -This version of NuGet is in preview and these release notes will be updated when it is released. +* [akoeplinger](https://github.com/NuGet/NuGet.Client/pull/6005) + * [6005](https://github.com/NuGet/NuGet.Client/pull/6005) Improve build.sh and fixes for building on arm64 macOS + * [5956](https://github.com/NuGet/NuGet.Client/pull/5956) Add System.Formats.Asn1 into Version.Details.xml + * [5911](https://github.com/NuGet/NuGet.Client/pull/5911) Don't use obsolete X509Certificate2 constructor on net9.0 +* [ToddGrun](https://github.com/NuGet/NuGet.Client/pull/5862) + * [5862](https://github.com/NuGet/NuGet.Client/pull/5862) Reduce allocations for version / versionranges + * [5857](https://github.com/NuGet/NuGet.Client/pull/5857) Reduce memory allocations during solution load in VS + * [5861](https://github.com/NuGet/NuGet.Client/pull/5861) Defer LockFileItem.Properties dictionary construction until needed +* [KirillOsenkov](https://github.com/NuGet/NuGet.Client/pull/6008) + * [6008](https://github.com/NuGet/NuGet.Client/pull/6008) Always debug RestoreTask and RestoreEx when environment variable is set +* [vernou](https://github.com/NuGet/NuGet.Client/pull/5982) + * [5982](https://github.com/NuGet/NuGet.Client/pull/5982) Fix restore when a package is installed with a version specified in CPM +* [mthalman](https://github.com/NuGet/NuGet.Client/pull/5959) + * [5959](https://github.com/NuGet/NuGet.Client/pull/5959) Allow override of System.Formats.Asn1 package version +* [MattKotsenas](https://github.com/NuGet/NuGet.Client/pull/5923) + * [5923](https://github.com/NuGet/NuGet.Client/pull/5923) Map SourceBranchName from sourcelink to RepositoryBranch for NuGet pack diff --git a/docs/release-notes/NuGet-6.13.md b/docs/release-notes/NuGet-6.13.md new file mode 100644 index 000000000..825f7b406 --- /dev/null +++ b/docs/release-notes/NuGet-6.13.md 
@@ -0,0 +1,28 @@ +--- +title: NuGet 6.13 Release Notes +description: Release notes for NuGet 6.13 including new features, bug fixes, and DCRs. +author: zivkan +ms.topic: conceptual +--- +# NuGet 6.13 Release Notes + + + +NuGet distribution vehicles: + +| NuGet version | Available in Visual Studio version | Available in .NET SDK(s) | +|:---|:---|:---| +| [**6.13**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.13](https://visualstudio.microsoft.com/downloads/) | [9.0.2xx](https://dotnet.microsoft.com/download/dotnet/9.0)1 | + +1 Installed with Visual Studio 2022 with any .NET workload + +## Not yet released + +This version of NuGet is in preview and these release notes will be updated when it is released.
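
Review bot: docs/TOC.md, hunk @@ -344,6 +344,7: the TOC gains an entry for NuGet 6.12 only, while this same patch creates docs/release-notes/NuGet-6.13.md, so the new 6.13 page has no TOC entry. If 6.13 should be reachable while it is in preview, add `#### [NuGet 6.13](release-notes/NuGet-6.13.md)` above the 6.12 line; if it is deliberately unlisted until release, say so in the commit message.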
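
Review bot: docs/concepts/Auditing-Packages.md, hunk @@ -102,8 +102,8: the two changed sentences now prefix the values with `$(WarningsNotAsErrors)` and `$(WarningsAsErrors)` but never say why. Add a clause explaining that the prefix keeps any codes already set elsewhere, since a reader who copies only `NU1903;NU1904` would replace the existing list instead of extending it. The unchanged lead sentence, "treat these warnings as errors to [treat warnings as errors, or treat warnings not as errors]", repeats itself and could be tidied in the same change.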
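
Review bot: docs/reference/errors-and-warnings/NU1011.md, hunk @@ -30,4 +30,11: the new Solution text offers the opt-in property without repeating the risk that the Issue section spells out, namely that a floating version lets a bad package pushed to a feed enter the build with no change in the repository. Add a sentence next to the XML snippet stating that enabling floating versions with CPM gives up the deterministic restore described under Issue, so readers who jump straight to Solution see the tradeoff. "It is recommended to change the floating version" would also read more directly as an imperative, matching the sentence it replaces.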
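
Review bot: docs/reference/nuspec.md, hunk @@ -825,11 +825,11: with the placeholder now shown as `_._`, the sentence "Empty folders can use `_._`" reads oddly, because a folder that contains `_._` is no longer empty. Suggest rewording so it says a folder can contain a single placeholder file named `_._` to opt out of providing content for that language and TxM combination.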
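
Review bot: docs/release-notes/NuGet-6.12.md, hunk @@ -2,12 +2,10: the front matter loses `ms.date: 8/19/2024` with no replacement, and the new NuGet-6.13.md in this patch has no `ms.date` either. If the field is being dropped on purpose, mention that in the commit message; otherwise set it to the release date instead of deleting it.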
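
Review bot: docs/release-notes/NuGet-6.12.md, hunk @@ -17,6 +15,147: the "List of commits in this release" link compares `6.12.1.1...6.11.1.2`, which puts the newer tag on the base side; check it against the order used in earlier release notes and swap to `6.11.1.2...6.12.1.1` if the link is meant to list commits added since 6.11. Separately, "Deprecate http usage: Promote from warning to error" sits under What's New and not under Breaking changes even though it turns a warning into an error; either move it or mention the `SDKAnalysisLevel` gating that the #13546 entry refers to. The entry "Add property for toggling the to the previous NuGet resolver" is missing a word, and "Narator" should be "Narrator" unless issue titles are being copied verbatim.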