NuGet Warnings NU1901, NU1902, NU1903, NU1904
warning NU1902: Package 'NuGet.Protocol' 5.11.2 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-g3q9-xf95-8hp5
The warning code changes depending on the known vulnerability severity level:
| Warning Code | Severity |
|---|---|
| NU1901 | low |
| NU1902 | moderate |
| NU1903 | high |
| NU1904 | critical |
Issue
A package restored for your project has a known vulnerability.
For more information, see the documentation on auditing packages.
Solution
We have a blog post with more discussion about our recommended actions when your project uses a package with a known vulnerability, and tools that can help.
Upgrading to a newer version of the package is likely to resolve the warning.
If your project does not reference the package directly (it is a transitive package), `dotnet nuget why` can be used to understand which of your direct references caused it to be included in your project.
You can check the URL provided by the vulnerability advisory to see what versions of the package have been fixed, or check your configured package source(s) to see what versions of the package are available.
Visual Studio's package manager UI can show which package versions are affected and which do not have known vulnerabilities.
If these warnings are causing restore to fail because you are using `TreatWarningsAsErrors`, you can add `<WarningsNotAsErrors>NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>` to allow these codes to remain as warnings.
If you do not wish to be notified of vulnerabilities that are less severe than a level you are comfortable with, edit the project file and add the MSBuild property `NuGetAuditLevel`, with its value set to `low`, `moderate`, `high`, or `critical`. Advisories below that level are not reported. For example, `<NuGetAuditLevel>high</NuGetAuditLevel>` reports only high and critical advisories (NU1903 and NU1904).
If you would like to suppress a specific advisory, add an MSBuild `NuGetAuditSuppress` item. For example, `<NuGetAuditSuppress Include="https://github.com/advisories/GHSA-g3q9-xf95-8hp5" />`. A suppression silences only that one advisory; other advisories for the same package are still reported. Record why the suppression was added and remove it once the package has been upgraded, since it otherwise stays in effect indefinitely.
`NuGetAuditSuppress` is available from VS 17.11 and the .NET 8.0.400 SDK for projects using `PackageReference`, and from VS 17.12 for projects using `packages.config`.
If you do not want NuGet to check for packages with known vulnerabilities during restore, add `<NuGetAudit>false</NuGetAudit>` inside a `<PropertyGroup>` in your project file, or in a `Directory.Build.props` file.
If you would like to run NuGet Audit on developer machines but disable it on CI pipelines, you can take advantage of MSBuild importing environment variables as properties, and create a `NuGetAudit` environment variable set to `false` in your pipeline definition. Note that a `NuGetAudit` property set unconditionally in a project or `Directory.Build.props` file overrides the environment variable, and that a pipeline with auditing disabled will not catch advisories published after the last developer restore.
In NuGet 6.12 (Visual Studio/MSBuild 17.12 and the .NET 9.0.100 SDK), the default setting for `NuGetAuditMode` was changed to `all`. This means that NuGet now reports known vulnerabilities in transitive packages as well as direct ones. The value can be explicitly set to `direct` to revert to .NET 8's default. Alternatively, the property `SdkAnalysisLevel` can be set to `8.0.400` to temporarily disable all new warnings and errors introduced in newer versions of the SDK; specifically in this case, the default value of `NuGetAuditMode` is changed back to `direct`.