Edit

Share via

NuGet 6.3 Release Notes

  • Article

NuGet distribution vehicles:

NuGet version Available in Visual Studio version Available in .NET SDK(s)
6.3 Visual Studio 2022 version 17.3 6.0.4001
6.3.1 Visual Studio 2022 version 17.3 6.0.4021
6.3.3 N/A 6.0.4101
6.3.4 N/A 6.0.4191

1 Installed with Visual Studio 17.3 with.NET Core workload

Summary: What's New in 6.3.4

  • [Security]: Microsoft Security Advisory CVE-2024-0057 | NuGet Client Security Feature bypass Vulnerability - #12653

Summary: What's New in 6.3.3

  • [Security]: Microsoft Security Advisory CVE-2023-29337 | NuGet Client Remote Code Execution Vulnerability - #12653

Note

There is a behavior breaking change on Linux. The temp folder location, where NuGet stores temporary files during its various operations, has changed from /tmp/NuGetScratch to /tmp/NuGetScratch<username>. E.g. for user User1, the temp folder will be /tmp/NuGetScratchUser1.

Summary: What's New in 6.3.1

  • [Security]: Microsoft Security Advisory CVE-2022-41032 | .NET Elevation of Privilege Vulnerability - #12149

Summary: What's New in 6.3

  • [Feature] Allow to user to input custom (floating) versions through the PM UI - #9829 #3788

  • [Feature] NuGet warns when duplicate PackageReference, PackageVersion or PackageDownload items are specified - #9467 #9864

  • When using Central Package Management, Visual Studio no longer errors when installing packages and instead the project and central package management file are updated - #11828

  • NuGet.Common, NuGet.Configuration, NuGet.Frameworks, NuGet.Packaging.Extraction and NuGet.Versioning no longer support net45 or net40 - #11830

Issues fixed in this release

DCRs:

  • [DCR]: Print sources in NU1507 - #11715

  • [DCR]: Only cancel VS cred provider requests if VS is closing - #11970

  • For C++/CLI PackageReference projects, NuGet should ignore the TargetPlatformMoniker - #11808

  • [DCR]: Include caught exceptions as inner exceptions when rethrowing (in MsBuildUtility) - #11766

  • Specifying both -f ... and -r ... to dotnet build fails to restore if multiple frameworks are present in the project file - #11653

  • PackageSourceMapping public constructor - #11609

  • Add support for system and fallback certificate bundles - #11263

Bugs:

  • [Bug]: X.509 trust store isn't initialized in dotnet add package and SDK resolver code paths - #11956

  • Cache DTE service in VS Solution Manager - #11902

  • Nuget CPS references reader is forcing all vc projects to be fully loaded - #11877

  • Make dotnet package verification env var value comparison case insensitive - #11876

  • Using JsonTextWriter manually in LockFileFormat - #11870

  • Extra allocations in EqualityUtility - #11867

  • [Bug]: Boxing of structs to compute hashcode is causing excessive allocations - #11866

  • When restore raises an NU1301, build might fail with a project.assets.json doesn't have a target for 'net6.0-windows10.0.19041.0 like error that's a red herring - #11862

  • [Bug]: Package source option "All" appears unsorted in the in the list when using VS in non-English languages - #11857

  • [Bug]: [Bug Bash] The “Version” dropdown box is blank in “Consolidate” tab of solution-level PM UI - #11806

  • PackageDownload multiple versions doesn't work in Visual Studio. - #11798

  • [Bug]: Visual Studio restore sometimes sets originalTargetFrameworks incorrectly in project.assets.json - #11795

  • [Bug]: NuGet does not retry some HTTP timeouts - #11779

  • [Bug]: misspelling in RestoreCommandCannotDeterminePackagesFolder_deu - #11774

  • Update SPDX licenses to bb0099c - #11765

  • "Illegal characters in path" (Solution Directory) - #11764

  • NuGet Package Manager window causes persistent WPF frame rate spike due to a runaway animation - #11746

  • [Bug]: PM UI version list only shows a single latest version - #11734

  • Large number of allocations while processing package references - #11733

  • Unnecessary Allocations in SemanticVersion.ParseSections() - #11732

  • [Bug]: new warning for package source mappings doesn't pass a value for the resource string placeholder - #11709

  • [Bug]: Central package management breaks no-op restores - #11696

  • [Bug]: MsBuild version is not parsed correctly when -MsBuildPath option is passed to nuget.exe restore - #11689

  • [Bug]: Very slow restore or OOM when using NoWarn - #11669

  • [Bug]: Automatic credential plugin discovery is broken when 64 bit msbuild.exe is used by nuget.exe - #11623

  • [Bug]: Reduce memory allocation while detecting cycles or potential degrades in package versions during restore - #11614

  • Avoid JTF.Run wrapped property retrieval, use async methods instead. - #11199

  • .nupkg.metadata locked and being used by another process - #10882

  • Unexpected error “Your project file doesn’t list ‘win’ as a “RuntimeIdentifier”” occurs when building the solution after enabling “RestoreLockedMode” - #10590

  • NuGet.exe pack issues a warning (NU5128) when packing a project file - #8713

  • Transitive lock files (with wildcard) result in NU1004 - #8465

  • Enhance the experimentation infrastructure in NuGet code to support transitive dependencies - #10758