NuGet 6.12 Release Notes
Note
In response to developers' feedback to ensure builds continuity when updating to .NET SDK 9, we have reverted the default value of NuGetAuditMode to direct in Visual Studio 17.12.3 and .NET 9.0.101.
NuGet distribution vehicles:
| NuGet version | Available in Visual Studio version | Available in .NET SDK(s) |
|---|---|---|
| 6.12 | Visual Studio 2022 version 17.12 | 9.0.1xx1 |
1 Installed with Visual Studio 2022 with any .NET workload
Known Issues
- Project and package in the same graph with the same name but different dependencies may lead to incorrect versions of the dependencies of that id #13888
- VS PM UI shows warning icon about package vulnerability even after upgrade #13866
- dotnet nuget why reports missing argument, even though it ran #13908
Summary: What's New in 6.12.1
NuGet 6.12.1 is available in Visual Studio 17.12.0 and the .NET 9.0.101 SDK.
Issues fixed in this release
- Deserializing an empty version range in a package dependency fails in .NET SDK 9.0.100-rc.2 #13869
Summary: What's New in 6.12
NuGet 6.12.0 is available in the .NET 9.0.100 SDK.
Add new graph resolution algorithm for better performance with large graphs - #13692
NuGetAudit raises warnings for vulnerable transitive packages by default when the .NET 9 SDK is installed #13293
Change NuGetAuditMode default from direct to all, raising warnings for vulnerable transitive packages for non-SDK style projects - #13584
Audit security vulnerabilities without adding nuget.org as package source - #12698
Owner profile hyperlinks needed in Details Pane of PM UI - #13686
Deprecate SHA-1 fingerprints usage in NuGet Sign commands in favor of SHA-2 family fingerprints #13891
Bubble-up Known Vulnerability Indicators in Solution Explorer for Transitive Packages - #13636
Enable Transitive Dependencies and vulnerabilities for Solution-level in Visual Studio - #13216
Breaking changes
- Deprecate http usage: Promote from warning to error - #13289
Issues fixed in this release
Enable
dotnet nuget whyon non-SDK style projects - #13576NuGetAuditSuppress for packages.config - #13575
Roll-out new breaking change process for SDK tools, respect SdkAnalysisLevel - #13309
Add property for toggling the to the previous NuGet resolver: RestoreUseLegacyDependencyResolver - #13700
Reduce allocations in TokenSegment.TryMatch - #12728
Use
SDKAnalysisLevelin restore "https everywhere: promote from warning to error" - #13546tweak wording of NU1603 - #13446
Default Package icon shown even when embedded icon file exists on disk - #13766
Navigation telemetry for hyperlinks: License, ReportAbuse, Readme, ProjectUrl - #13749
Navigation telemetry for Owner Profile URLs in PM UI - #13738
PM UI should show transitive path - #13574
NuGetVersion should use a factory to intern parsed versions - #13532
Remove NuGet.Packaging.Core code - #13385
PM UI transitive dependencies should display all transitive dependencies, not just ones brought in through packages directly installed in a project - #13060
Remove deprecated field "owners" from VS UI Details Pane - #10666
"Value cannot be null; Parameter name: source" displays in error list when clicking installed tab in PM UI - #13801
New dependency resolver does not properly handle missing package versions when using CPM - #13788
Saving PackageManagementFormat throws Nullable object must have a value. - #13773
ProjectReference causing PM UI to error with "Value cannot be null. Parameter name: frameworkIdentifier" - #13737
LockFileUtils.CreateLockFileTargetProject allocates a lot - #13712
ConvertToProjectPaths causes extra allocations due to yield usage - #13677
dotnet add package with CPM installs a different version than what gets restored - #13657
dotnet list packagedoes not work if project is using central package management system, after upgrading to.NET 8.0- #13632Add a log code NuGetAuditSuppress duplicate items - #13620
Solution Explorer search can be broken by skipped dataflow updates - #13619
Add nullability declarations to ResolverUtility and RemoteWalkContext - #13617
Use of Obsolete X509Certificate2 ctor - #13612
nuget restore warnings can't be suppressed with NoWarn in Visual Studio - #13571
Restore may write nulls to project.assets.json - #13563
VS 17.10 - Error building projects with CPM explicitly enabled if ManagePackageVersionsCentrally is set to false in Directory.Build.props - #13560
PERF: Version and VersionRange allocations are very prevalent in profiles of Roslyn solution load - #13559
PERF: LockFileFormat is filled completely when common callers only need some of the data - #13558
PERF: Unnecessary construction of LockFileItem.Properties dictionary - #13557
Narator does not read the value of
allowInsecureConnections- #13555NuGet fails because of invalid characters in User-Agent header - #13531
'why' and 'config' command does not show up in 'dotnet nuget --help' output - #13517
allocation: nuget.protocol.dll!NuGet.Protocol.HttpCacheUtility+<CreateCacheFileAsync>d__.MoveNext|nuget.protocol.dll!NuGet.Protocol.PackageDependencyGroupConverter.ReadJson - #13445
Reduce allocations in ContentItemCollection - #12657
When a source isn't accessible, service index cannot be read issues suppress the internal message making it difficult to understand the root cause - #12530
[Bug]: Extra space at start of package description in tooltip - #12105
Map branch name from sourcelink to RepositoryBranch for NuGet pack - #13625
List of commits in this release
Community contributions
Thank you to all the contributors who helped make this NuGet release awesome!
- akoeplinger
- ToddGrun
- KirillOsenkov
- 6008 Always debug RestoreTask and RestoreEx when environment variable is set
- vernou
- 5982 Fix restore when a package is installed with a version specified in CPM
- mthalman
- 5959 Allow override of System.Formats.Asn1 package version
- MattKotsenas
- 5923 Map SourceBranchName from sourcelink to RepositoryBranch for NuGet pack