NuGet 4.8 Release Notes

Visual Studio 2017 15.8 RTW comes with NuGet 4.8 functionality.

Command line versions of the same functionality are also available:

Summary: What's New in 4.8.0

  • NuGet.exe now supports longfilenames on Windows 10 - #6937
  • Authentication plugins now work across MsBuild, DotNet.exe, NuGet.exe and Visual Studio, including cross platform. The first generation of authentication plugins were not supported in MsBuild, DotNet.exe. Note: VS 2017 15.9 Preview builds have a VSTS authentication plugin included. #6486
  • MsBuild's SDK Resolver now builds as part of NuGet and installs with NuGet tools for VS. This will avoid versions getting out sync. #6799
  • PackageReference now supports DevelopmentDependency metadata - #4125

Summary: What's New in 4.8.2

  • Security Fix: Permissions on files created inside ~/.nuget are too open #7673 CVE-2019-0757

Known issues

Installing signed packages on a CI machine or in an offline environment takes longer than usual


If the machine has restricted internet access (such as a build machine in a CI/CD scenario), installing/restoring a signed nuget package will result a warning (NU3028) since the revocation servers are not reachable. This is expected. However, in some cases, this may have unintended concequences such as the package install/restore taking longer than usual.


Update to Visual Studio 15.8.4 and NuGet.exe 4.8.1 where we introduced an environment variable to switch the revocation check mode. Setting the NUGET_CERT_REVOCATION_MODE environment variable to offline will force NuGet to check the revocation status of the certificate only against the cached certificate revocation list, and NuGet will not attempt to reach revocation servers. When the revocation check mode is set to offline, the warning will be downgraded to an info.


It is not recommended to switch the revocation check mode to offline under normal cirumstances. Doing so will cause NuGet to skip online revocation check and perform only an offline revocation check against the cached certificate revocation list which may be out of date. This means packages where the signing certificate may have been revoked, will continue to be installed/restored, which otherwise would have failed revocation check and would not have been installed.

The Migrate packages.config to PackageReference... option is not available in the right-click context menu


When a project is first opened, NuGet may not have initialized until a NuGet operation is performed. This causes the migration option to not show up in the right-click context menu on packages.config or References.


Perform any one of the following NuGet actions:

  • Open the Package Manager UI - Right-click on References and select Manage NuGet Packages...
  • Open the Package Manager Console - From Tools > NuGet Package Manager, select Package Manager Console
  • Run NuGet restore - Right-click on the solution node in the Solution Explorer and select Restore NuGet Packages
  • Build the project which also triggers NuGet restore

You should now be able to see the migration option. Note that this option is not supported and will not show up for ASP.NET and C++ project types. Note: This has been fixed in VS 2017 15.9 Preview 3

Issues fixed in this release



  • Signing: Installing signed package in offline environment #7008 -- Fixed in 4.8.1
  • Signing: incorrect URL check - #7174
  • Signing: check package integrity in RepositorySignatureVerifier when package is repository countersigned - #6926
  • "Package Integrity check failed." should have package ID in message (and error code) - #6944
  • Repository signed package verification allows packages signed by different certificate - #6884
  • NuGet - Signing - Timestamp URL can not be https:// ? - #6871
  • Don't NullRef in NuSpec packing scenario, also improve options - #6866
  • Memory is invalid while updating signer info when adding timestamp to countersignature - #6840
  • Signing: remove CTL exceptions - #6794
  • Signing: contentUrl MUST be HTTPS - #6777
  • Signing: SignedPackageVerifierSettings.VSClientDefaultPolicy is unused - #6601


  • restore and build should not be needed when using dotnet.exe to pack nuspec - #6866
  • Allow empty replacement tokens in NuspecProperties - #6722
  • PackTask throws NullReferenceException when NuspecProperties is specified - #4649


  • [Accessibility] String ‘Prerelease’ under package button is covered by its package description in PM UI - #4504
  • [Accessibility] Package source drop down and settings button truncated when selecting ‘Microsoft Visual Studio Offline Packages’ in PM UI - #4502

Powershell Management Console (PMC)

  • Update-Package ignores PackageReference version range - #6775
  • Update-Package -reinstall solution wide issue - #3127
  • Update-Package [packagename] -reinstall reinstalls all packages instead of just the named one - #737
  • Can update to unlisted NuGet package from the Package Manager Console - #4553


  • To fix NuGet update self NuGet.Commandline nupkg should not be semver2.0 - #7116
  • Improve experiences with NU1107 install failures - #7107
  • The serialization of GetAuthenticationCredentialRequest is incorrect - #6983
  • NuGet Visual Studio AsyncPackage fails to load when initialized off the UI thread - #6976
  • Restore is reporting misleading errors stating project.json is needed - #6959
  • Package manager UI : preview changes, ok button not automatically useable by keyboard - #6893
  • RestoreSources are ignored for project with p2p references - #6776
  • Creating unit test project using .NET Framework template will open older project model with packages.config - #6736
  • allow project reference to override package dependency - #6536
  • Expose NoDefaultExcludes in MSBuild task - #6450
  • Status message for "Clear All NuGet Cache(s)" can be hidden on window resize - #5938

List of all issues fixed in this release