NuGet · zivkan · Dec 3, 2024 · Dec 2, 2024 · Dec 3, 2024
@@ -43,13 +43,10 @@ We recommend that audit is configured at a repository level.
 
 | MSBuild Property | Default | Possible values | Notes |
 |------------------|---------|-----------------|-------|
-| NuGetAuditMode | all | `direct` and `all` | If you'd like to audit top-level dependencies only, you can set the value to `direct`. NuGetAuditMode is not applicable for packages.config projects.  |
+| NuGetAuditMode | direct | `direct` and `all` | If you'd like to audit top-level dependencies only, you can set the value to `direct`. NuGetAuditMode is not applicable for packages.config projects.  |
 | NuGetAuditLevel | low | `low`, `moderate`, `high`, and `critical` | The minimum severity level to report. If you'd like to see `moderate`, `high`, and `critical` advisories (exclude `low`), set the value to `moderate` |
 | NuGetAudit | true | `true` and `false` | If you wish to not receive security audit reports, you can opt-out of the experience entirely by setting the value to `false` |
 
-Note: In .NET 8, the default value of NuGetAuditMode is `direct`.
-Therefore, setting [SdkAnalysisLevel](/dotnet/core/project-sdk/msbuild-props#sdkanalysislevel) to `8.0.400` changes the default value of NuGetAuditMode accordingly.
-
 #### Audit Sources
 
 Restore downloads a server's [`VulnerabilityInfo` resource](../api/vulnerability-info.md) to check against the list of packages each project is using.

@@ -12,10 +12,51 @@ f1_keywords:
 
 # NuGet Warning NU1604
 
+## Missing Package Version
+
+> Project dependency 'PackageA' does not contain an inclusive lower bound. Include a lower bound in the dependency version to ensure consistent restore results.
+
+### Issue
+
+A project dependency doesn't define a version.
+
+This means that restore used the lowest available version.
+Each restore will float downwards trying to find a lower version that can be used.
+This means that restore goes online to check all sources each time instead of using the packages that already exist in the user package folder.
+
+### Solution
+
+Find the `PackageReference` item that does not define the `Version` attribute and add it:
+
+For example change from:
+
+> `<PackageReference Include="PackageA" />`
+
+to:
+
+> `<PackageReference Include="PackageA" Version="9.0.0" />`
+
+If the project is using [NuGet's Central Package Management (CPM)](../../consume-packages/Central-Package-Management.md), you need to update the `<PackageVersion />` item in `Directory.Packages.props` and change from:
+
+> `<PackageVersion Include="PackageA" />`
+
+to:
+> `<PackageVersion Include="PackageA" Version="9.0.0" />`
+
+If a version is specified in a `<PackageVersion />` item and you still receive this warning, verify you've correctly [onboarded to central package management](../../consume-packages/Central-Package-Management.md#enabling-central-package-management).
+
+> [!Note]
+> When using CPM and the file `Directory.Packages.props` is invalid, NU1604 is raised.
+
+## Missing Inclusive Lower Bound
+
 > Project dependency 'PackageA' (&lt;= 9.0.0) does not contain an inclusive lower bound. Include a lower bound in the dependency version to ensure consistent restore results.
 
 ### Issue
-A project dependency doesn't define a lower bound.<br/><br/>This means that restore did not find the *best match*. Each restore will float downwards trying to find a lower version that can be used. This means that restore goes online to check all sources each time instead of using the packages that already exist in the user package folder.
+A project dependency doesn't define a lower bound.
+
+This means that restore did not find the *best match*. Each restore will float downwards trying to find a lower version that can be used.
+This means that restore goes online to check all sources each time instead of using the packages that already exist in the user package folder.
 
 ### Solution
 Update the project's `PackageReference` `Version` attribute to include a lower bound.
@@ -32,3 +73,10 @@ or
 > `<PackageReference Version="9.0.0" />`
 
 which implies a lower bound.
+
+If the project is using [NuGet's Central Package Management (CPM)](../../consume-packages/Central-Package-Management.md), you need to update the `<PackageVersion />` item in `Directory.Packages.props` and change from:
+
+> `<PackageVersion Include="PackageA" Version="(9.0.0, )" />`
+
+to:
+> `<PackageVersion Include="PackageA" Version="9.0.0" />`
@@ -7,6 +7,9 @@ ms.topic: conceptual
 
 # NuGet 6.12 Release Notes
 
+> [!NOTE]
+> In response to developers' feedback to ensure builds continuity when updating to .NET SDK 9, we have reverted the default value of NuGetAuditMode to `direct` in Visual Studio 17.12.3 and .NET 9.0.101.
+
 NuGet distribution vehicles:
 
 | NuGet version | Available in Visual Studio version | Available in .NET SDK(s) |