NuGet 4.9 Release Notes

NuGet distribution vehicles:

NuGet version Available in Visual Studio version Available in .NET SDK(s)
4.9.0 Visual Studio 2017 version 15.9.0 2.1.500, 2.2.100
4.9.1 n/a n/a
4.9.2 Visual Studio 2017 version 15.9.4 2.1.502, 2.2.101
4.9.3 Visual Studio 2017 version 15.9.6 2.1.504, 2.2.104
4.9.5 n/a n/a .NET Core 2.1 is out of support as of August 21, 2021

Summary: What's New in 4.9.5

  • [Security]: Microsoft Security Advisory CVE 2022-30184 | .NET Information Disclosure Vulnerability - #11883

Summary: What's New in 4.9.0

  • Signing: Enable ClientPolicies to require use of a set of Trusted Authors and Repositories listed in NuGet.Config - #6961, blog post

  • create ".snupkg" files to contain symbols in pack -- enhance push to understand nuget protocol to accept snupkg files for symbol server - #6878, blog post

  • NuGet credential plugin V2 - #6642

  • Self-Contained NuGet Packages - License - #4628, announcement

  • Enable opt-in "GeneratePathProperty" metadata on a PackageReference to generate a per package MSBuild property to "Foo.Bar\1.0" directory - #6949

  • Improve customer success with NuGet operations - #7108

  • Enable repeatable package restores using a lock file - #5602, announcement, blog post

Issues fixed in this release

  • Warnings elevated to errors (via WarnAsErrors) raised by PackageExtraction should never leave extracted package around - #7445

  • Badly signed packages should not end up in the global packages folder - #7423

  • binding redirect generation should not skip facade assemblies - #7393

  • VersionRange Equals doesn't compare floating ranges - #7324

  • Restore: performance regression using new .NET Core 2.1 HTTP stack - #7314

  • Update of a Package should not modify PrivateAssets of a PackageReference - #7285

  • Signing: signing should fail if a package has too many package entries (>65534) - #7248

  • "dotnet nuget push" codepath should support the new credential provider - #7233

  • Support executing plugins with invariant culture (as happens in docker) - #7223

  • nuget sources add should not delete credentials from NuGet.config - #7200

  • installing a devDependency PackageReference should default to excludeassets=compile - #7084

  • fix migrator option to be displayed for all projects and show error if project is incompatible - #6958

  • "dotnet add package" should commit the restore it performs to the assets file - #6928

  • Signing: improve signing related error messages - #6906

  • [Test Failure][zh-TW]String "Package Manager Console" doesn't localize on Package Manager Console - #6381

  • Error message around "Unable to find project information" should be a little more specific inside VS - #5350

  • Unhelpful error message when incorrectly using nuspec version tag of nuget pack - #2714

  • DCR - Signing: support NuGet protocol: RepositorySignatures/4.9.0 resource - #7421

  • DCR - .nupkg.metadata file will now be created during package extraction - contains "content-hash" - #7283

  • DCR - Skip authenticode verification for plugins while executing on Mono - #7222

List of all issues fixed in this release 4.9.0

Summary: What's New in 4.9.1

  • Add support for reading a writing to the nuget.config via a new command trusted-signers - #7480

Issues fixed in this release

  • Fix license link generation - #7515

  • Error codes regression for validating signatures - #7492

  • NuGet.Build.Tasks.Pack package does not have license information - #7379

List of all issues fixed in this release 4.9.1

Summary: What's New in 4.9.2

Issues fixed in this release

  • VS/dotnet.exe/nuget.exe/msbuild.exe restore doesn't use credentials when source name contains a whitespace - #7517

  • LicenseAcceptanceWindow and LicenseFileWindow Accessibility issues - #7452

  • Fix FormatException in DateTime.Parse from DateTimeConverter - #7539

List of all issues fixed in this release 4.9.2

Summary: What's New in 4.9.3

Issues fixed in this release

"Repeatable Package Restores Using a Lock File" Issues

  • Locked mode not working as hash is calculated incorrectly for previously cached packages - #7682

  • Restore resolves to a different version than defined in packages.lock.json file - #7667

  • '--locked-mode / RestoreLockedMode' causes spurious Restore failures when ProjectReferences are involved - #7646

  • MSBuild SDK resolver tries to validate SHA for a SDK package which fails restore when using packages.lock.json - #7599

"Lock Down Your Dependencies Using Configurable Trust Policies" Issues

  • dotnet.exe should not evaluate trusted-signers while signed packages are not supported - #7574

  • Order of trustedSigners in config file affects trust evaluation - #7572

  • Can't implement ISettings [Caused by refactoring of settings APIs to support Trust Policies feature] - #7614

"Improved Debugging Experience" Issues

  • Cannot publish symbol package for .NET Core Global Tool - #7632

"Self-Contained NuGet Packages - License" Issues

  • Error building symbol .snupkg package when using embedded license file - #7591

List of all issues fixed in this release 4.9.3

Summary: What's New in 4.9.4

  • Security Fix: Permissions on files created inside ~/.nuget are too open #7673 CVE-2019-0757

Known issues

dotnet nuget push --interactive gives an error on Mac. - #7519


The --interactive argument is not being forwarded by the dotnet cli and results in the error error: Missing value for option 'interactive'


Run any other dotnet command with the interactive option such as dotnet restore --interactive and authenticate. The authentication then might be cached by the credential provider. Then run dotnet nuget push.

Packages in FallbackFolders installed by .NET Core SDK are custom installed, and fail signature validation. - #7414


When using dotnet.exe 2.x to restore a project that multi-targets netcoreapp 1.x and netcoreapp 2.x, the fallback folder is treated as a file feed. This means, when restoring, NuGet will pick the package from the fallback folder and try to install it into the global packages folder and do the usual signing validation which fails.


Disable the usage of the fallback folder by setting the RestoreAdditionalProjectSources to nothing. <RestoreAdditionalProjectSources/> Use this with caution as it will cause a lot of packages to be downloaded from which otherwise would be have been restored from the fallback folder.