NuGet 6.9 Release Notes

NuGet distribution vehicles:

¹ Installed with Visual Studio 2022 with any .NET workload

Summary: What's New in 6.9.1

• Support for dotnet search command (equivalent to nuget.exe list, later search) - #6060 #5138

• PM UI multi targeting experience is incomplete - support for updating and uninstalling conditional package versions - #4681

• [Security]: Microsoft Security Advisory CVE-2024-0057 | NuGet Client Security Feature bypass Vulnerability - #12653

Breaking changes

• Add nullable annotations to NuGet.LibraryModel - #12889

Issues fixed in this release

• NuGetAudit should not download vulnerabilities database when project does not use any packages - #13073

• Static graph-based restore should not enumerate every item's metadata - #13049

• Migrate NuGet.CommandLine.XPlat package search to use System.CommandLine - #13031

• Add --format, --verbosity , configfile options to dotnet package search - #12978

• Set NuGetAudit defaults in MSBuild - #12960

• RestoreTask: Control whether to embed files in the binlog - #12957

• Create NU Error Code for Package Source Mapping & GPF conflicts - #12953

• [DCR]: Allow floating versions with Central Package Management (CPM) - #10432

• Static Graph restore won't warn for invalid projects - #9300

• Rename no-cache to no-http-cache - #9180

• VS Package Manager Console should close Text View - #13104

• Vulnerability indicator shows up on dependent project if parent project has transitive vulnerabilities - #13068

• Conditional updating when all packages are conditioned is broken - #13034

• Perf issue in AssetsFileDependenciesDataSource - #13019

• The NuGetPackageSearchService.GetDeprecationMetadataAsync in NuGet.PackageManagement.VisualStudio is dead code - #13007

• Vulnerabilities filter shows incorrectly on “Brower” tab when the default tab was “Browse” instead of “Installed” for the previous opening of solution PM UI - #12974

• HTTP 401 after some time in VS - #12961

• [NuGet.Versioning] SemanticVersion.HasMetadata should indicate that Metadata is not null when true - #12949

• TelemetryUtility.ToJsonArrayOfTimingsInSeconds returns incorrect json array on locales having comma as decimal separator - #12915

• Static graph-based restore does not respect Interactive option when loading projects - #12907

• Vulnerabilities InfoBar link to Manage NuGet Packages is truncated - #12835

• NuGet.Build.Tasks caches CredentialProvider device flow timeout. - #12540

• "error: Sequence contains no matching element" when listing outdated packages - #12256

• [Bug]: Process argument string is too long when publishing in Visual Studio with static graph enabled - #11968

• [Bug]: PM UI cannot uninstall packages in multitargeting projects - #11914

• When a package is installed in the global packages folder, add details about the package location - #11447

• NuGet should handle duplicate nomination data better. - #8749

List of commits in this release

Community contributions

Thank you to all the contributors who helped make this NuGet release awesome!

• KirillOsenkov
  • Control embedding Restore files in binlog - 5494
  • Don't log task inputs and outputs when binary logger is enabled - 5498
• Erarndt
  • Unroll Linq usage in FilterDependencyProvidersForLibrary - 5535
  • Reduce allocations in calls to CreateGraphNode() - 5531
• dotnokato
  • Fix tests failing when run on systems with non-English language/locale settings - 5442
  • Fix incorrect json array returned for locales with comma as decimal separator in TelemetryUtility.ToJsonArrayOfTimingsInSeconds - 5441
• ellahathaway
  • Shorten source-build inner clone paths - 5543
• jasonmalinowski
  • Output a more debuggable message if a single value isn't specified - 5533
• mthalman
  • Target net9.0 for .NET source build - 5511
• NikolaMilosavljevic
  • Eliminate obsolete API warnings/errors in product source-build - 5496
• amis92
  • Add MemberNotNullWhen to SemanticVersion.HasMetadata - 5465