NuGet 6.4 Release Notes

NuGet distribution vehicles:

| NuGet version | Available in Visual Studio version | Available in .NET SDK(s) |
|---------------|------------------------------------|--------------------------|
| 6.4           | Visual Studio 2022 version 17.4    | 7.0.100¹                 |
| 6.4.2         | N/A                                | 7.0.107¹                 |
| 6.4.3         | Visual Studio 2022 version 17.4    | 7.0.116¹                 |

¹ Installed with Visual Studio 17.4 with .NET Core workload

Summary: What's New in 6.4.3

  • [Security]: Microsoft Security Advisory CVE-2024-0057 | NuGet Client Security Feature bypass Vulnerability - #12653

Summary: What's New in 6.4.2

  • [Security]: Microsoft Security Advisory CVE-2023-29337 | NuGet Client Remote Code Execution Vulnerability - #12653

Note

There is a breaking behavior change on Linux. The temp folder where NuGet stores temporary files during its various operations has changed from /tmp/NuGetScratch to /tmp/NuGetScratch<username>. For example, for user User1 the temp folder will be /tmp/NuGetScratchUser1.

Summary: What's New in 6.4

  • Central package management is considered production ready and the preview message has been removed - #11950

  • Add ability to designate a package reference as used by every project in the repo - GlobalPackageReference #10159

  • Signed package verification is available for opt-in on Linux and macOS by setting the environment variable DOTNET_NUGET_SIGNATURE_VERIFICATION to true - #12033, #11973

  • Improved performance while loading packages for all tabs in the Package Manager UI and solution restore - #11923

  • Prompts for authentication with Azure Artifacts package sources in Visual Studio indicate that it is for NuGet purposes and contain specific source information.

Issues fixed in this release

DCRs:

  • [DCR]: Static graph-based restore should handle an AggregateException from MSBuild - #12100

  • Signing: use separate fallback certificate bundles for code signing and timestamping - #12033

  • [DCR]: Central package management package source mapping should only look at configured feeds - #11951

  • [DCR]: Package Source Mapping API does not support saving - #11935

  • [DCR]: Plugin timeout defaults should be increased - #11793

  • Regenerate dgspec when customer triggers VS Feedback - #8605

Bugs:

  • Details for Installed MAUI packages are missing NuGet Project PM UI - #12130

  • Static graph restore supports long paths on Windows - #12121

  • TelemetryUtility.IsVsOfflineFeed fails to correctly identify the local feed with 64-bit windows - #12110

  • [Bug]: IVsPackageInstallerServices APIs sometimes throw ProjectNotNominatedException - #12103

  • [Bug]: The transitive package doesn’t show in “Installed” tab until reopening the solution - #12102

  • [Bug]: Incorrect check for feed count when logging NU1507 warning about not using package source mapping - #12095

  • [Bug]: User needs to login multiple times while executing dotnet list package from private feeds - #12090

  • [Bug]: Rename VS NuGet Options "Clear NuGet Cache(s)" button - #12076

  • nuget.exe help command has unlocalized strings - #12067

  • Remove unused localized resources in nuget.exe - #12066

  • [Bug]: NugetSDKResolver doesn't give detailed error messages when it fails - #12049

  • [Bug]: Package signature validation fails on Linux due to missing 'thawte_Primary_Root_CA' in codesignctl.pem - #12027

  • [Bug]: "An item with the same key has already been added" when migrating to CPM with ProjectDependencies in solution file - #12021

  • [Bug]: Build failures in dev branch due to renaming of parameter from cpvmEnabled to centralPackageTransitivePinningEnabled - #12020

  • [Bug]: [Bug Bash] Other versions will lose after selecting a version in the custom version drop-down box for a while - #11992

  • Remove extra layers of abstractions from IVsProjectAdapter, move RuntimeGraph specific methods from VSProject to LegacyPackageReferenceProject - #11980

  • Reduce redundant SolutionDirectory calculation, special-case template wizard solution directory retrieval - #11936

  • Make VS adapter ProjectDirectory sync, use IVsHierarchy only to generate the guids, avoid double casting VSProject4 - #11928

  • [Bug]: NuGet.VisualStudio.Implementation.Extensibility.VsPathContextProvider.TryCreateContext fault - #11918

  • [Bug]: Package version downgrade is not detected due to invalid transitive pinning - #11760

  • _CleanPackageFiles target fails sporadically when (re)building - #11710

  • Avoid calling CreateLockFileTargetLibrary twice when AssetTargetFallback is used - #11654

  • Package source mapping should check for duplicate node keys - #11573

  • VSSolutionManager.DoesNuGetSupportsAnyProjectAsync can exit at the first supported project - #11555

  • Review all sync ServiceLocator calls and move to async where possible - #11203

  • [Bug Bash] The new designs of hovered-on menu between VS and NuGet are inconsistent - #10978

  • [Bug]: Metadata like PrivateAssets does not flow from parent to transitively pinned dependency in CPM - #10311

List of commits in this release

Community contributions

Thank you to all the contributors who helped make this NuGet release awesome!

  • kkirkfield
    • 4738 Fix issue with _CleanPackageFiles target failing on rebuild
  • MichaelSimons
    • 4737 Tweak ApplySourceBuildPatchFiles target to support virtual mono repo (VMR)
  • marcin-krystianc
    • 4611 Central transitive dependencies should be considered only for root nodes
  • Forgind
    • 4766 Return warnings to log when NuGet SDK resolver fails
  • lbussell
    • 4742 Update TFM to net7.0 for source-build