NuGet 6.2 Release Notes
NuGet distribution vehicles:
| NuGet version | Available in Visual Studio version | Available in .NET SDK(s) |
|---|---|---|
| 6.2.0 | Visual Studio 2022 version 17.2 | 6.0.3001 |
| 6.2.1 | Visual Studio 2022 version 17.2.4 | 6.0.3011 |
| 6.2.2 | Visual Studio 2022 version 17.2 | 6.0.3051 |
| 6.2.4 | N/A | 6.0.3131 |
1 Installed with Visual Studio 2022 with .NET Core workload
Summary: What's New in 6.2.4
- [Security]: Microsoft Security Advisory CVE-2023-29337 | NuGet Client Remote Code Execution Vulnerability - #12653
Note
There is a behavior breaking change on Linux. The temp folder location, where NuGet stores temporary files during its various operations, has changed from /tmp/NuGetScratch to /tmp/NuGetScratch<username>. E.g. for user User1, the temp folder will be /tmp/NuGetScratchUser1.
Summary: What's New in 6.2.2
- [Security]: Microsoft Security Advisory CVE 2022-41032 | .NET Elevation of Privilege Vulnerability - #12149
Summary: What's New in 6.2.1
- [Security]: Microsoft Security Advisory CVE 2022-30184 | .NET Information Disclosure Vulnerability - #11883
Summary: What's New in 6.2
Add TFM for .NET nanoFramework - #10800
[Feature]: Require package source mapping when using CPM - #11505
[Feature]: Allow overriding a centrally defined package version - #11516
[Feature]: Add IVsNuGetProjectUpdateEvents in Visual Studio, reporting of restore changes for PackageReference based projects. - #9782 - See documentation
Project A referencing package B via AssetTargetFallback, doesn't use that same AssetTargetFallback to pull B's dependency package C - #5957 - More information
Issues fixed in this release
DCRs:
Make LocalPackageFileCache methods virtual - #10325
NuGetScratch lock files are not cleaned up - #10679
AutoCompleteResourceV3 does not use the supplied logger - #11272
Add Author to the tooltip for a package in the packages list of PM UI - #11499
Remove unused code NU5049 - #11598
Bugs:
Revert mitigation of missing nuget.org when other tools create nuget.config #11616
Add support for grouping to the InfiniteScrollList, allowing it to be enabled or disabled - #10748
Make the InfiniteScrollList grouping sections expandable and collapsible - #10749
Read and store the transitive origins of a package while reading installed packages from assets file - #10751
Add caching of the transitive dependencies data pulled from the lockfile (assets file) - #10752
Surface the transitive packages and its transitive origins through the search layer - #11486
NuGet.exe list from local packages folder does not work with the AllVersion flag - #4537
Errors due to missing/failing sources are inconsistently shown in solution explorer vs the error list - #7245
Arrow keys in NuGet PM UI Sources editing doesn't change order of persistence - #8315
PackageReference ungracefully handles duplicate Runtime Identifiers in csproj PackageReference - #9290
RestoreIgnoreFailedSources=true still gives warnings - #9765
Introduce a warning for null/empty version range (new or reuse NU1604) - #9767
NuGet again throwing exceptions "authors is required" "description is required", ignoring csproj/nuspec replacement tokens - #9954
[Bug]: Package extraction sometimes fails with "file in use by another process" - #11373
Add progress reporting during package installation - #11432
[Bug]: Reduce string allocations in restore code path - #11475
[Responsiveness] RestoreOperationLogger blocking large number of thread pool threads trying to get access to the output window pane - #11501
[Responsiveness] Package Management UI can consume large number of threads all searching the disk, it needs to run from long running thread - #11570
[Responsiveness] Package Management UI can consume large number of threads all searching the disk (up to 316 threads), use cancellation token at subroutines - #11599
[Bug]: NU1004 in Visual Studio, but not command line (lock files in locked mode) - #11639
[Bug]: new warning for package source mappings doesn't pass a value for the resource string placeholder - #11709
List of commits in this release
Community contributions
Thank you to all the contributors who helped make this NuGet release awesome!
| Who | PRs | Issues |
|---|---|---|
| MarkKharitonov | 4511 | [Feature]: Add support for a dedicated environment variable providing the NuGetScratch path. - #11671 |
| mfkl | 4222 | A better cache clean-up and expiration policy - #4980 |
| dfederm | 4504 | Static Graph restore uses Project.FromFile + Project.CreateInstance instead of ProjectInstance.FromFile directly - #11675 |
| crummel | 4404 | [main] Backport source-build patches to repos. #2708 |
| mjolka | 4475 | Very slow restore when using NoWarn in single project that has lots of dependents - #11222 |
| marcin-krystianc | 4488 | dotnet integration pack test IL issue - #11454 |
| marcin-krystianc | 4025 | Restore fails with NU1106 for solution that uses StaticGraph and CPVM - #10327; [Feature]: Add option to allow versions of transitive dependencies to be overridden - #10389 |
| davkean | 4483 | Remove unneeded allocations when parsing assets file #11648 |
| reynoldsbd | 4458 | [Bug]: Race Condition Creating Plugin Log Files - #11517 |
| tintoy | 4287 | AutoCompleteResourceV3 does not use the supplied logger - #11272 |
| davkean | 4440 | Improve VS and NuGet performance by making some methods non-asynchronous - #11816 |
| davkean | 4439 | Redundant calls to get VsHierarchy in NuGet VS code - #11817 |
| davkean | 4432 | Avoid double-checking for supported projects - #11554 |
| dfederm | 4393 | [Bug]: Static graph restore binlog doesn't log task inputs - #11484 |
| drewnoakes | 4390 | Show package .props and .targets files in Solution Explorer #7838 |
| drewnoakes | 4386 | Solution Explorer search is not showing package contents - #7834 |
| marcin-krystianc | 4186 | [Regression]: Performance regression for cold restores in .NET 5.0.x #11031 |
| joperator | 4389 | [Bug]: Errors NU3028 and NU3037 when restoring NuGet packages on FreeBSD - #11481 |
| AndreiTimisescu | 3779 | Make LocalPackageFileCache methods virtual - #10325 |
| tmds | 4123 | NuGetScratch lock files are not cleaned up - #10679 |
Feedback welcome
Your feedback is important to us. If there are any problems with this release, check our GitHub Issues and Visual Studio Developer Community for existing issues. For new issues within NuGet, please report a GitHub Issue. For general NuGet experience issues, let us know via the Report a Problem option found in your favorite IDE under Help > Report a Problem.