Edit

Share via

NuGet 6.6 Release Notes

  • Article

NuGet distribution vehicles:

NuGet version Available in Visual Studio version Available in .NET SDK(s)
6.6 Visual Studio 2022 version 17.6 7.0.3001
6.6.1 N/A 7.0.3041
6.6.2 Visual Studio 2022 version 17.6 7.0.3131

1 Installed with Visual Studio 2022 with .NET Core workload

Summary: What's New in 6.6.2

  • [Security]: Microsoft Security Advisory CVE-2024-0057 | NuGet Client Security Feature bypass Vulnerability - #12653

Summary: What's New in 6.6.1

  • [Security]: Microsoft Security Advisory CVE-2023-29337 | NuGet Client Remote Code Execution Vulnerability - #12653

Note

There is a behavior breaking change on Linux. The temp folder location, where NuGet stores temporary files during its various operations, has changed from /tmp/NuGetScratch to /tmp/NuGetScratch<username>. E.g. for user User1, the temp folder will be /tmp/NuGetScratchUser1.

Summary: What's New in 6.6

  • [Epic]: Central Package Management improvements for 17.6 - #12413

Issues fixed in this release

DCRs:

  • Static graph-based restore should always log an error on failure - #12372

Bugs:

  • Set CentralPackageVersionOverrideEnabled=false in project with CPM broke project restore - #12500

  • Static graph-based restore crashes on systems with alternate console encodings - #12373

  • GlobalPackageReference is not working for legacy-style csproj projects - #12368

  • WebSite projects opened from IIS fail to install packages - #12337

  • StackOverflow in SemanticVersion.ToString - #12330

  • Static graph restore failure when referencing unrestorable project - #12322

  • CPM opt in detection in VS and commandline is different - #12285

  • PrivateAssets flow incorrectly to transitively pinned centrally managed dependencies - #12270

  • Performance regression of NuGet restores in the sdk v7.0.100 due to calculation of "CentralTransitiveDependencyGroups" - #12269

  • [Bug]: NuGet.VisualStudio depends on package not existing on NuGet.org - #12164

  • [Bug]: Custom kernel breaks nuget - #11995

  • PackageSource: returns possibly incorrect hash code - #10276

List of commits in this release

Community contributions

Thank you to all the contributors who helped make this NuGet release awesome!

  • kant2002
    • 5103 Fix project restore when CentralPackageVersionOverrideEnabled=false
  • atamagaii
    • 5078 Changed english resource MsbuildPathNotExist to correctly describe th…
  • pombredanne
    • 5083 Fix minor typo
  • NikolaMilosavljevic
    • 5091 Trim away netframework targets in source-build
  • uweigand
    • 5046 Limit concurrent connections via NUGET_CONCURRENCY_LIMIT
  • marcin-krystianc
    • 4954 Improved performance of calculation of PrivateAssets for transitively pinned centrally managed dependencies
    • 4953 Effective PrivateAssets of centrally managed transitive dependencies should be an intersection of parent dependencies