Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merge main to live #3351

Merged
merged 5 commits into from
Nov 12, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions docs/TOC.md
Original file line number Diff line number Diff line change
Expand Up @@ -344,6 +344,7 @@
### [Known Issues](release-notes/known-issues.md)

### NuGet 6.x
#### [NuGet 6.12](release-notes/NuGet-6.12.md)
#### [NuGet 6.11](release-notes/NuGet-6.11.md)
#### [NuGet 6.10](release-notes/NuGet-6.10.md)
#### [NuGet 6.9](release-notes/NuGet-6.9.md)
Expand Down
8 changes: 4 additions & 4 deletions docs/concepts/Auditing-Packages.md
Original file line number Diff line number Diff line change
Expand Up @@ -102,8 +102,8 @@ It is available for packages.config from [Visual Studio 17.12 and NuGet 6.12](..
| [NU1905](../reference/errors-and-warnings/NU1905.md) | An audit source does not provide a vulnerability database |

You can customize your build to treat these warnings as errors to [treat warnings as errors, or treat warnings not as errors](/dotnet/csharp/language-reference/compiler-options/errors-warnings#warningsaserrors-and-warningsnotaserrors).
For example, if you're already using `<TreatWarningsAsErrors>` to treat all (C#, NuGet, MSBuild, etc) warnings as errors, you can use `<WarningsNotAsErrors>NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>` to prevent vulnerabilities discovered in the future from breaking your build.
Alternatively, if you want to keep low and moderate vulnerabilities as warnings, but treat high and critical vulnerabilities as errors, and you're not using `TreatWarningsAsErrors`, you can use `<WarningsAsErrors>NU1903;NU1904</WarningsAsErrors>`.
For example, if you're already using `<TreatWarningsAsErrors>` to treat all (C#, NuGet, MSBuild, etc) warnings as errors, you can use `<WarningsNotAsErrors>$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>` to prevent vulnerabilities discovered in the future from breaking your build.
Alternatively, if you want to keep low and moderate vulnerabilities as warnings, but treat high and critical vulnerabilities as errors, and you're not using `TreatWarningsAsErrors`, you can use `<WarningsAsErrors>$(WarningsAsErrors);NU1903;NU1904</WarningsAsErrors>`.

> [!NOTE]
> MSBuild properties for message severity such as `NoWarn` and `TreatWarningsAsErrors` are not supported for packages.config projects.
Expand All @@ -130,8 +130,8 @@ If security vulnerabilities are found and updates are available for the package,
If a known vulnerability exists in a top-level package's transitive dependencies, you have these options:

- Add the fixed package version as a direct package reference. **Note:** Be sure to remove this reference when a new package version update becomes available and be sure to maintain the defined attributes for the expected behavior.
- Use [Central Package Management with the transitive pinning functionality](https://learn.microsoft.com/nuget/consume-packages/Central-Package-Management#transitive-pinning).
- [Suppress the advisory](https://learn.microsoft.com/nuget/concepts/auditing-packages#excluding-advisories) until it can be addressed.
- Use [Central Package Management with the transitive pinning functionality](../consume-packages/Central-Package-Management.md#transitive-pinning).
- [Suppress the advisory](#excluding-advisories) until it can be addressed.
- File an issue in the top-level package's tracker to request an update.

### Security vulnerabilities found with no updates
Expand Down
11 changes: 9 additions & 2 deletions docs/reference/errors-and-warnings/NU1011.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ f1_keywords:

### Issue

`<PackageVersion />` items cannot contain floating versions. NuGet's central package management (CPM) is considered an enterprise-level feature which provides easier version
By default, `<PackageVersion />` items cannot contain floating versions. NuGet's central package management (CPM) is considered an enterprise-level feature which provides easier version
management at scale as well as deterministic and secure restores. The use of floating versions introduces the possibility for a bad package to be introduced into your build
after it has been pushed to a feed. This can lead to a situation where you made no changes in your repository but suddenly something is broken and there is no way for you to
get back into a good state without removing the floating version or pushing a newer version of the package which is fixed. Using non-floating versions means that every upgrade
Expand All @@ -30,4 +30,11 @@ commit in your repository.

### Solution

Change the floating version to a [non floating version range](../../concepts/Package-Versioning.md#version-ranges).
It is recommended to change the floating version to a [non floating version range](../../concepts/Package-Versioning.md#version-ranges). If that is not possible, you can enable
floating versions with CPM by setting an MSBuild property:

```xml
<PropertyGroup>
<CentralPackageFloatingVersionsEnabled>true</CentralPackageFloatingVersionsEnabled>
</PropertyGroup>
```
4 changes: 2 additions & 2 deletions docs/reference/nuspec.md
Original file line number Diff line number Diff line change
Expand Up @@ -825,11 +825,11 @@ C#-specific content for net45 and up
/contentFiles/cs/net45/sample.cs
```

Empty folders can use `.` to opt out of providing content for certain combinations of language and TxM, for example:
Empty folders can use `_._` to opt out of providing content for certain combinations of language and TxM, for example:

```
/contentFiles/vb/any/code.vb
/contentFiles/cs/any/.
/contentFiles/cs/any/_._
```

#### Example contentFiles section
Expand Down
149 changes: 144 additions & 5 deletions docs/release-notes/NuGet-6.12.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,10 @@
title: NuGet 6.12 Release Notes
description: Release notes for NuGet 6.12 including new features, bug fixes, and DCRs.
author: zivkan
ms.date: 8/19/2024
ms.topic: conceptual
---
# NuGet 6.12 Release Notes

<!-- This is intentionally not yet added to TOC.md. When release notes are added for the GA release, add this file to TOC.md -->
# NuGet 6.12 Release Notes

NuGet distribution vehicles:

Expand All @@ -17,6 +15,147 @@ NuGet distribution vehicles:

<sup>1</sup> Installed with Visual Studio 2022 with any .NET workload

## Not yet released
## Known Issues

* Project and package in the same graph with the same name but different dependencies may lead to incorrect versions of the dependencies of that id [#13888](https://github.com/NuGet/Home/issues/13888)
* VS PM UI shows warning icon about package vulnerability even after upgrade [#13866](https://github.com/NuGet/Home/issues/13866)
* dotnet nuget why reports missing argument, even though it ran [#13908](https://github.com/NuGet/Home/issues/13908)

## Summary: What's New in 6.12.1

NuGet 6.12.1 is available in Visual Studio 17.12.0 and the .NET 9.0.101 SDK.

### Issues fixed in this release

* Deserializing an empty version range in a package dependency fails in .NET SDK 9.0.100-rc.2 [#13869](https://github.com/NuGet/Home/issues/13869)

## Summary: What's New in 6.12

NuGet 6.12.0 is available in the .NET 9.0.100 SDK.

* Add new graph resolution algorithm for better performance with large graphs - [#13692](https://github.com/NuGet/Home/issues/13692)

* Owner profile hyperlinks needed in Details Pane of PM UI - [#13686](https://github.com/NuGet/Home/issues/13686)

* Audit security vulnerabilities without adding nuget.org as package source - [#12698](https://github.com/NuGet/Home/issues/12698)

* Deprecate SHA-1 fingerprints usage in NuGet Sign commands in favor of SHA-2 family fingerprints [#13891](https://github.com/NuGet/Home/issues/13891)

* Deprecate http usage: Promote from warning to error - [#13289](https://github.com/NuGet/Home/issues/13289)

### Breaking changes

* NuGetAudit should check transitive packages by default when the .NET 9 SDK is installed [#13293](https://github.com/NuGet/Home/issues/13293)

* Change NuGetAuditMode default to all for non-SDK style projects - [#13584](https://github.com/NuGet/Home/issues/13584)

### Issues fixed in this release

* Bubble-up Known Vulnerability Indicators in Solution Explorer for Transitive Packages - [#13636](https://github.com/NuGet/Home/issues/13636)

* Enable `dotnet nuget why` on non-SDK style projects - [#13576](https://github.com/NuGet/Home/issues/13576)

* NuGetAuditSuppress for packages.config - [#13575](https://github.com/NuGet/Home/issues/13575)

* Enable Transitive Dependencies for Solution-level in Visual Studio - [#13216](https://github.com/NuGet/Home/issues/13216)

* Roll-out new breaking change process for SDK tools, respect SdkAnalysisLevel - [#13309](https://github.com/NuGet/Home/issues/13309)

* Add property for toggling the to the previous NuGet resolver: RestoreUseLegacyDependencyResolver - [#13700](https://github.com/NuGet/Home/issues/13700)

* Reduce allocations in TokenSegment.TryMatch - [#12728](https://github.com/NuGet/Home/issues/12728)

* Use `SDKAnalysisLevel` in restore "https everywhere: promote from warning to error" - [#13546](https://github.com/NuGet/Home/issues/13546)

* tweak wording of NU1603 - [#13446](https://github.com/NuGet/Home/issues/13446)

* Default Package icon shown even when embedded icon file exists on disk - [#13766](https://github.com/NuGet/Home/issues/13766)

* Navigation telemetry for hyperlinks: License, ReportAbuse, Readme, ProjectUrl - [#13749](https://github.com/NuGet/Home/issues/13749)

* Navigation telemetry for Owner Profile URLs in PM UI - [#13738](https://github.com/NuGet/Home/issues/13738)

* PM UI should show transitive path - [#13574](https://github.com/NuGet/Home/issues/13574)

* NuGetVersion should use a factory to intern parsed versions - [#13532](https://github.com/NuGet/Home/issues/13532)

* Remove NuGet.Packaging.Core code - [#13385](https://github.com/NuGet/Home/issues/13385)

* PM UI transitive dependencies should display all transitive dependencies, not just ones brought in through packages directly installed in a project - [#13060](https://github.com/NuGet/Home/issues/13060)

* Remove deprecated field "owners" from VS UI Details Pane - [#10666](https://github.com/NuGet/Home/issues/10666)

* "Value cannot be null; Parameter name: source" displays in error list when clicking installed tab in PM UI - [#13801](https://github.com/NuGet/Home/issues/13801)

* New dependency resolver does not properly handle missing package versions when using CPM - [#13788](https://github.com/NuGet/Home/issues/13788)

* Saving PackageManagementFormat throws Nullable object must have a value. - [#13773](https://github.com/NuGet/Home/issues/13773)

* ProjectReference causing PM UI to error with "Value cannot be null. Parameter name: frameworkIdentifier" - [#13737](https://github.com/NuGet/Home/issues/13737)

* LockFileUtils.CreateLockFileTargetProject allocates a lot - [#13712](https://github.com/NuGet/Home/issues/13712)

* ConvertToProjectPaths causes extra allocations due to yield usage - [#13677](https://github.com/NuGet/Home/issues/13677)

* dotnet add package with CPM installs a different version than what gets restored - [#13657](https://github.com/NuGet/Home/issues/13657)

* `dotnet list package` does not work if project is using central package management system, after upgrading to `.NET 8.0` - [#13632](https://github.com/NuGet/Home/issues/13632)

* Add a log code NuGetAuditSuppress duplicate items - [#13620](https://github.com/NuGet/Home/issues/13620)

* Solution Explorer search can be broken by skipped dataflow updates - [#13619](https://github.com/NuGet/Home/issues/13619)

* Add nullability declarations to ResolverUtility and RemoteWalkContext - [#13617](https://github.com/NuGet/Home/issues/13617)

* Use of Obsolete X509Certificate2 ctor - [#13612](https://github.com/NuGet/Home/issues/13612)

* nuget restore warnings can't be suppressed with NoWarn in Visual Studio - [#13571](https://github.com/NuGet/Home/issues/13571)

* Restore may write nulls to project.assets.json - [#13563](https://github.com/NuGet/Home/issues/13563)

* VS 17.10 - Error building projects with CPM explicitly enabled if ManagePackageVersionsCentrally is set to false in Directory.Build.props - [#13560](https://github.com/NuGet/Home/issues/13560)

* PERF: Version and VersionRange allocations are very prevalent in profiles of Roslyn solution load - [#13559](https://github.com/NuGet/Home/issues/13559)

* PERF: LockFileFormat is filled completely when common callers only need some of the data - [#13558](https://github.com/NuGet/Home/issues/13558)

* PERF: Unnecessary construction of LockFileItem.Properties dictionary - [#13557](https://github.com/NuGet/Home/issues/13557)

* Narator does not read the value of `allowInsecureConnections` - [#13555](https://github.com/NuGet/Home/issues/13555)

* NuGet fails because of invalid characters in User-Agent header - [#13531](https://github.com/NuGet/Home/issues/13531)

* 'why' and 'config' command does not show up in 'dotnet nuget --help' output - [#13517](https://github.com/NuGet/Home/issues/13517)

* allocation: nuget.protocol.dll!NuGet.Protocol.HttpCacheUtility+&lt;CreateCacheFileAsync&gt;d__.MoveNext|nuget.protocol.dll!NuGet.Protocol.PackageDependencyGroupConverter.ReadJson - [#13445](https://github.com/NuGet/Home/issues/13445)

* Reduce allocations in ContentItemCollection - [#12657](https://github.com/NuGet/Home/issues/12657)

* When a source isn't accessible, service index cannot be read issues suppress the internal message making it difficult to understand the root cause - [#12530](https://github.com/NuGet/Home/issues/12530)

* [Bug]: Extra space at start of package description in tooltip - [#12105](https://github.com/NuGet/Home/issues/12105)

* Map branch name from sourcelink to RepositoryBranch for NuGet pack - [#13625](https://github.com/NuGet/Home/issues/13625)

[List of commits in this release](https://github.com/NuGet/NuGet.Client/compare/6.12.1.1...6.11.1.2)

### Community contributions

Thank you to all the contributors who helped make this NuGet release awesome!

This version of NuGet is in preview and these release notes will be updated when it is released.
* [akoeplinger](https://github.com/NuGet/NuGet.Client/pull/6005)
* [6005](https://github.com/NuGet/NuGet.Client/pull/6005) Improve build.sh and fixes for building on arm64 macOS
* [5956](https://github.com/NuGet/NuGet.Client/pull/5956) Add System.Formats.Asn1 into Version.Details.xml
* [5911](https://github.com/NuGet/NuGet.Client/pull/5911) Don't use obsolete X509Certificate2 constructor on net9.0
* [ToddGrun](https://github.com/NuGet/NuGet.Client/pull/5862)
* [5862](https://github.com/NuGet/NuGet.Client/pull/5862) Reduce allocations for version / versionranges
* [5857](https://github.com/NuGet/NuGet.Client/pull/5857) Reduce memory allocations during solution load in VS
* [5861](https://github.com/NuGet/NuGet.Client/pull/5861) Defer LockFileItem.Properties dictionary construction until needed
* [KirillOsenkov](https://github.com/NuGet/NuGet.Client/pull/6008)
* [6008](https://github.com/NuGet/NuGet.Client/pull/6008) Always debug RestoreTask and RestoreEx when environment variable is set
* [vernou](https://github.com/NuGet/NuGet.Client/pull/5982)
* [5982](https://github.com/NuGet/NuGet.Client/pull/5982) Fix restore when a package is installed with a version specified in CPM
* [mthalman](https://github.com/NuGet/NuGet.Client/pull/5959)
* [5959](https://github.com/NuGet/NuGet.Client/pull/5959) Allow override of System.Formats.Asn1 package version
* [MattKotsenas](https://github.com/NuGet/NuGet.Client/pull/5923)
* [5923](https://github.com/NuGet/NuGet.Client/pull/5923) Map SourceBranchName from sourcelink to RepositoryBranch for NuGet pack
28 changes: 28 additions & 0 deletions docs/release-notes/NuGet-6.13.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
---
title: NuGet 6.13 Release Notes
description: Release notes for NuGet 6.13 including new features, bug fixes, and DCRs.
author: zivkan
ms.topic: conceptual
---
# NuGet 6.13 Release Notes

<!--
This is intentionally not yet added to TOC.md.
When this version is ready for release:
1. Rename this file to the next version
2. Change the version strings in this file to the next version
3. Use the release tool to create the real release notes for the version ready for release
4. Add the release notes to TOC.yml
-->

NuGet distribution vehicles:

| NuGet version | Available in Visual Studio version | Available in .NET SDK(s) |
|:---|:---|:---|
| [**6.13**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.13](https://visualstudio.microsoft.com/downloads/) | [9.0.2xx](https://dotnet.microsoft.com/download/dotnet/9.0)<sup>1</sup> |

<sup>1</sup> Installed with Visual Studio 2022 with any .NET workload

## Not yet released

This version of NuGet is in preview and these release notes will be updated when it is released.