NuGet Warnings NU1901, NU1902, NU1903, NU1904
warning NU1902: Package 'NuGet.Protocol' 5.11.2 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-g3q9-xf95-8hp5
The warning code changes depending on the known vulnerability severity level:
| Warning Code | Severity |
|---|---|
| NU1901 | low |
| NU1902 | moderate |
| NU1903 | high |
| NU1904 | critical |
Issue
A package restored for your project has a known vulnerability.
For more information, see the documentation on auditing packages.
Solution
Upgrading to a newer version of the package is likely to resolve the warning. You can check the URL provided by the vulnerability advisory to see what versions of the package have been fixed, or check your configured package source(s) to see what versions of the package are available. Visual Studio's package manager UI can show which package versions are affected and which do not have known vulnerabilities.
If you do not wish to be notified of vulnerabilities that are less severe than a level you are comfortable with, you can edit the project file and add an MSBuild property NuGetAuditLevel, with value set to low, moderate, high, or critical.
For example, <NuGetAuditLevel>high</NuGetAuditLevel>.
If these warnings are causing restore to fail because you are using TreatWarningsAsErrors, you can add <WarningsNotAsErrors>NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors> to allow these codes to remain as warnings.
If you do not want NuGet to check for packages with known vulnerabilities during restore, add <NuGetAudit>false</NuGetAudit> inside a <PropertyGroup> in your project file, or a Directory.Build.props file.
Note
The initial release of NuGetAudit does not provide a way to suppress specific advisories (URLs). It is a feature we intend on adding based on prioritization of other improvements.
As a mitigation, you can add an appropriate NoWarn to your PackageReference declarations.
For example, <PackageReference Include="Contoso.Library" Version="1.0.0" NoWarn="NU1901" />.
However, be aware that this will prevent new vulnerabilities of the same severity from being reported to you.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for