NuGet 4.7 Release Notes

Visual Studio 2017 15.7 RTW comes with NuGet 4.7.0.

Summary: What's New in 4.7.0

Summary: What's New in 4.7.2

  • Security Fix: Permissions on files created inside ~/.nuget are too open #7673 CVE-2019-0757

Summary: What's New in 4.7.3

  • Security Fix: Files inside of NUPKGs can have a relative path above the NUPKG directory #7906

Known issues

The Migrate packages.config to PackageReference... option is not available in the right-click context menu


When a project is first opened, NuGet may not have initialized until a NuGet operation is performed. This causes the migration option to not show up in the right-click context menu on packages.config or References.


Perform any one of the following NuGet actions:

  • Open the Package Manager UI - Right-click on References and select Manage NuGet Packages...
  • Open the Package Manager Console - From Tools > NuGet Package Manager, select Package Manager Console
  • Run NuGet restore - Right-click on the solution node in the Solution Explorer and select Restore NuGet Packages
  • Build the project which also triggers NuGet restore

You should now be able to see the migration option. Note that this option is not supported and will not show up for ASP.NET and C++ project types.

Issues with .NET Standard 2.0 with .NET Framework & NuGet

.NET Standard & its tooling was designed such that projects targeting .NET Framework 4.6.1 can consume NuGet packages & projects targeting .NET Standard 2.0 or earlier. This document summarizes the issues around that scenario, the plan for addressing them, and workarounds you can deploy with today's state of the tooling.

Top issues fixed in this release


  • NuGet runs into a deadlock in .Net Core project system (new regression). - #6733
  • Pack: PackagePath is constructed incorrectly if TfmSpecificPackageFile is used with globbing paths - #6726
  • Pack: web api project cannot create package unless ispackable is explicitly set. - #6156
  • VS UI and PMC take 30min to see new package (nuget.exe sees it right away) - #6657
  • Signing: SignatureUtility.GetCertificateChain(...) does not check all chain statuses - #6565
  • Signing: improve DER GeneralizedTime handling - #6564
  • Signing: VS does not show a NU3002 error when installing a tampered package - #6337
  • lockFile.GetLibrary is case sensitive - #6500
  • Install/update restore code and Restore code paths are not consistent - #3471
  • Solution PackageManager Version ComboBox can select separator via keyboard - #2606
  • Unable to load the service index for source<id> ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 403 (Forbidden) - #2530


  • Emit X-NuGet-Session-Id header to correlate across requests [feature proposal] - #5330
  • Expose a way to wait on running restore operation running in Visual Studio via IVs apis. - #6029
  • NuGet.exe -NoServiceEndpoint will avoid appending service url suffix - #6586
  • add commit hash to informational version - #6492
  • Signing: enable removal of repository signature/countersignature - #6646
  • Signing: API for stripping repository signature/countersignature - #6589
  • Log source information in VS - #6527
  • Filter /tools on only TFM and RID, so the settings XML can be put in /tools folder - #6197
  • Warn when Pack command excludes a file that starts with . - #3308

List of all issues fixed in this release