Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
HTTP warnings promoted to errors in
Starting in .NET 10 Preview 4, HTTP warnings generated by dotnet package list, dotnet package search, and related APIs are now treated as errors by default.
Version introduced
.NET 10 Preview 4
Previous behavior
Previously, when using HTTP sources, the tools displayed a warning, such as:
You are running the 'list package' operation with an 'HTTP' source, 'http://api.source/index.json'. Non-HTTPS access will be removed in a future version. Consider migrating to an 'HTTPS' source.
The operation continued without interruption.
New behavior
The tools now treat HTTP sources as errors by default. To allow HTTP sources, explicitly set allowInsecureConnections="true" in nuget.config.
Type of breaking change
This is a behavioral change.
Reason for change
This change improves security by blocking insecure HTTP sources by default. It aligns with secure-by-default practices to protect users from potential vulnerabilities.
Recommended action
Migrate to HTTPS sources to avoid the error. To continue using HTTP sources, update your nuget.config file to include the following setting:
<add key="allowInsecureConnections" value="true" />
Affected APIs
dotnet package listdotnet package searchNuGet.Protocol.Core.Types.PackageUpdateResource.PushAsyncNuGet.Protocol.Core.Types.PackageUpdateResource.Delete
Collaborate with us on GitHub
The source for this content can be found on GitHub, where you can also create and review issues and pull requests. For more information, see our contributor guide.
