NuGet 4.9 Release Notes
NuGet distribution vehicles:
| NuGet version | Available in Visual Studio version | Available in .NET SDK(s) |
|---|---|---|
| 4.9.0 | Visual Studio 2017 version 15.9.0 | 2.1.500, 2.2.100 |
| 4.9.1 | n/a | n/a |
| 4.9.2 | Visual Studio 2017 version 15.9.4 | 2.1.502, 2.2.101 |
| 4.9.3 | Visual Studio 2017 version 15.9.6 | 2.1.504, 2.2.104 |
| 4.9.5 | n/a | n/a .NET Core 2.1 is out of support as of August 21, 2021 |
| 4.9.6 | n/a | n/a .NET Core 2.1 is out of support as of August 21, 2021 |
Summary: What's New in 4.9.6
- [Security]: Microsoft Security Advisory CVE-2022-41032 | .NET Elevation of Privilege Vulnerability - #12149
Summary: What's New in 4.9.5
- [Security]: Microsoft Security Advisory CVE-2022-30184 | .NET Information Disclosure Vulnerability - #11883
Summary: What's New in 4.9.0
Signing: Enable ClientPolicies to require use of a set of Trusted Authors and Repositories listed in NuGet.Config - #6961, blog post
create ".snupkg" files to contain symbols in pack -- enhance push to understand nuget protocol to accept snupkg files for symbol server - #6878, blog post
NuGet credential plugin V2 - #6642
Self-Contained NuGet Packages - License - #4628, announcement
Enable opt-in "GeneratePathProperty" metadata on a PackageReference to generate a per package MSBuild property to "Foo.Bar\1.0" directory - #6949
Improve customer success with NuGet operations - #7108
Enable repeatable package restores using a lock file - #5602, announcement, blog post
Issues fixed in this release
Warnings elevated to errors (via WarnAsErrors) raised by PackageExtraction should never leave extracted package around - #7445
Badly signed packages should not end up in the global packages folder - #7423
binding redirect generation should not skip facade assemblies - #7393
VersionRange Equals doesn't compare floating ranges - #7324
Restore: performance regression using new .NET Core 2.1 HTTP stack - #7314
Update of a Package should not modify PrivateAssets of a PackageReference - #7285
Signing: signing should fail if a package has too many package entries (>65534) - #7248
"dotnet nuget push" codepath should support the new credential provider - #7233
Support executing plugins with invariant culture (as happens in docker) - #7223
nuget sources add should not delete credentials from NuGet.config - #7200
installing a devDependency PackageReference should default to excludeassets=compile - #7084
fix migrator option to be displayed for all projects and show error if project is incompatible - #6958
"dotnet add package" should commit the restore it performs to the assets file - #6928
Signing: improve signing related error messages - #6906
[Test Failure][zh-TW]String "Package Manager Console" doesn't localize on Package Manager Console - #6381
Error message around "Unable to find project information" should be a little more specific inside VS - #5350
Unhelpful error message when incorrectly using nuspec version tag of nuget pack - #2714
DCR - Signing: support NuGet protocol: RepositorySignatures/4.9.0 resource - #7421
DCR - .nupkg.metadata file will now be created during package extraction - contains "content-hash" - #7283
DCR - Skip authenticode verification for plugins while executing on Mono - #7222
List of all issues fixed in this release 4.9.0
Summary: What's New in 4.9.1
- Add support for reading a writing to the nuget.config via a new command trusted-signers - #7480
Issues fixed in this release
Fix license link generation - #7515
Error codes regression for validating signatures - #7492
NuGet.Build.Tasks.Pack package does not have license information - #7379
List of all issues fixed in this release 4.9.1
Summary: What's New in 4.9.2
Issues fixed in this release
VS/dotnet.exe/nuget.exe/msbuild.exe restore doesn't use credentials when source name contains a whitespace - #7517
LicenseAcceptanceWindow and LicenseFileWindow Accessibility issues - #7452
Fix FormatException in DateTime.Parse from DateTimeConverter - #7539
List of all issues fixed in this release 4.9.2
Summary: What's New in 4.9.3
Issues fixed in this release
"Repeatable Package Restores Using a Lock File" Issues
Locked mode not working as hash is calculated incorrectly for previously cached packages - #7682
Restore resolves to a different version than defined in
packages.lock.jsonfile - #7667'--locked-mode / RestoreLockedMode' causes spurious Restore failures when ProjectReferences are involved - #7646
MSBuild SDK resolver tries to validate SHA for a SDK package which fails restore when using packages.lock.json - #7599
"Lock Down Your Dependencies Using Configurable Trust Policies" Issues
dotnet.exe should not evaluate trusted-signers while signed packages are not supported - #7574
Order of trustedSigners in config file affects trust evaluation - #7572
Can't implement ISettings [Caused by refactoring of settings APIs to support Trust Policies feature] - #7614
"Improved Debugging Experience" Issues
- Cannot publish symbol package for .NET Core Global Tool - #7632
"Self-Contained NuGet Packages - License" Issues
- Error building symbol .snupkg package when using embedded license file - #7591
List of all issues fixed in this release 4.9.3
Summary: What's New in 4.9.4
- Security Fix: Permissions on files created inside ~/.nuget are too open #7673 CVE-2019-0757
Known issues
dotnet nuget push --interactive gives an error on Mac. - #7519
Issue
The --interactive argument is not being forwarded by the dotnet cli and results in the error error: Missing value for option 'interactive'
Workaround
Run any other dotnet command with the interactive option such as dotnet restore --interactive and authenticate. The authentication then might be cached by the credential provider. Then run dotnet nuget push.
Packages in FallbackFolders installed by .NET Core SDK are custom installed, and fail signature validation. - #7414
Issue
When using dotnet.exe 2.x to restore a project that multi-targets netcoreapp 1.x and netcoreapp 2.x, the fallback folder is treated as a file feed. This means, when restoring, NuGet will pick the package from the fallback folder and try to install it into the global packages folder and do the usual signing validation which fails.
Workaround
Disable the usage of the fallback folder by setting the RestoreAdditionalProjectSources to nothing. <RestoreAdditionalProjectSources/> Use this with caution as it will cause a lot of packages to be downloaded from NuGet.org which otherwise would be have been restored from the fallback folder.