NuGet Warnings NU1901, NU1902, NU1903, NU1904

warning NU1902: Package 'NuGet.Protocol' 5.11.2 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-g3q9-xf95-8hp5

The warning code changes depending on the known vulnerability severity level:

Warning Code Severity
NU1901 low
NU1902 moderate
NU1903 high
NU1904 critical

Issue

A package restored for your project has a known vulnerability.

For more information, see the documentation on auditing packages.

Solution

We have a blog post with more discussion about our recommended actions when your project uses a package with a known vulnerability, and tools that can help.

Upgrading to a newer version of the package is likely to resolve the warning. If your project does not reference the package directly (it's a transitive package), dotnet nuget why can be used to understand which package caused it to be included in your project. You can check the URL provided by the vulnerability advisory to see what versions of the package have been fixed, or check your configured package source(s) to see what versions of the package are available. Visual Studio's package manager UI can show which package versions are affected and which do not have known vulnerabilities.

If these warnings are causing restore to fail because you are using TreatWarningsAsErrors, you can add <WarningsNotAsErrors>NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors> to allow these codes to remain as warnings.

If you do not wish to be notified of vulnerabilities that are less severe than a level you are comfortable with, you can edit the project file and add an MSBuild property NuGetAuditLevel, with value set to low, moderate, high, or critical. For example, <NuGetAuditLevel>high</NuGetAuditLevel>.

If you would like to suppress a specific advisory, add an MSBuild NuGetAuditSuppress item. For example <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-g3q9-xf95-8hp5" />. NuGetAuditSuppress is available from VS 17.11 and .NET 8.0.400 SDK for projects using PackageReference, and from VS 17.12 for projects using packages.config.

If you do not want NuGet to check for packages with known vulnerabilities during restore, add <NuGetAudit>false</NuGetAudit> inside a <PropertyGroup> in your project file, or a Directory.Build.props file. If you would like to run NuGet Audit on developer machines, but disable it on CI pipelines, you can take advantage of MSBuild importing environment variables, and create a NuGetAudit environment variable set to false in your pipeline definition.

In NuGet 6.12 (Visual Studio/MSBuild 17.12 and .NET 9.0.100 SDK), the default setting for NuGetAuditMode was changed to all. This means that NuGet will now report on transitive packages with known vulnerabilities. The value can be explicitly set to direct to revert back to .NET 8's default. Alternatively, the property SdkAnalysisLevel can be set to 8.0.400 to temporarily disable all new warnings and errors introduced in newer versions of the SDK. Specifically in this case, the default value of NuGetAuditMode is changed back to direct.