NuGet 6.2 Release Notes

NuGet distribution vehicles:

NuGet version Available in Visual Studio version Available in .NET SDK(s)
6.2.0 Visual Studio 2022 version 17.2 6.0.3001
6.2.1 Visual Studio 2022 version 17.2.4 6.0.3011
6.2.2 Visual Studio 2022 version 17.2 6.0.3051
6.2.4 N/A 6.0.3131

1 Installed with Visual Studio 2022 with .NET Core workload

Summary: What's New in 6.2.4

  • [Security]: Microsoft Security Advisory CVE-2023-29337 | NuGet Client Remote Code Execution Vulnerability - #12653


There is a behavior breaking change on Linux. The temp folder location, where NuGet stores temporary files during its various operations, has changed from /tmp/NuGetScratch to /tmp/NuGetScratch<username>. E.g. for user User1, the temp folder will be /tmp/NuGetScratchUser1.

Summary: What's New in 6.2.2

  • [Security]: Microsoft Security Advisory CVE 2022-41032 | .NET Elevation of Privilege Vulnerability - #12149

Summary: What's New in 6.2.1

  • [Security]: Microsoft Security Advisory CVE 2022-30184 | .NET Information Disclosure Vulnerability - #11883

Summary: What's New in 6.2

  • Add TFM for .NET nanoFramework - #10800

  • [Feature]: Require package source mapping when using CPM - #11505

  • [Feature]: Allow overriding a centrally defined package version - #11516

  • [Feature]: Add IVsNuGetProjectUpdateEvents in Visual Studio, reporting of restore changes for PackageReference based projects. - #9782 - See documentation

  • Project A referencing package B via AssetTargetFallback, doesn't use that same AssetTargetFallback to pull B's dependency package C - #5957 - More information

Issues fixed in this release


  • Make LocalPackageFileCache methods virtual - #10325

  • NuGetScratch lock files are not cleaned up - #10679

  • AutoCompleteResourceV3 does not use the supplied logger - #11272

  • Add Author to the tooltip for a package in the packages list of PM UI - #11499

  • Remove unused code NU5049 - #11598


  • Revert mitigation of missing when other tools create nuget.config #11616

  • Add support for grouping to the InfiniteScrollList, allowing it to be enabled or disabled - #10748

  • Make the InfiniteScrollList grouping sections expandable and collapsible - #10749

  • Read and store the transitive origins of a package while reading installed packages from assets file - #10751

  • Add caching of the transitive dependencies data pulled from the lockfile (assets file) - #10752

  • Surface the transitive packages and its transitive origins through the search layer - #11486

  • NuGet.exe list from local packages folder does not work with the AllVersion flag - #4537

  • Errors due to missing/failing sources are inconsistently shown in solution explorer vs the error list - #7245

  • Arrow keys in NuGet PM UI Sources editing doesn't change order of persistence - #8315

  • PackageReference ungracefully handles duplicate Runtime Identifiers in csproj PackageReference - #9290

  • RestoreIgnoreFailedSources=true still gives warnings - #9765

  • Introduce a warning for null/empty version range (new or reuse NU1604) - #9767

  • NuGet again throwing exceptions "authors is required" "description is required", ignoring csproj/nuspec replacement tokens - #9954

  • [Bug]: Package extraction sometimes fails with "file in use by another process" - #11373

  • Add progress reporting during package installation - #11432

  • [Bug]: Reduce string allocations in restore code path - #11475

  • [Responsiveness] RestoreOperationLogger blocking large number of thread pool threads trying to get access to the output window pane - #11501

  • [Responsiveness] Package Management UI can consume large number of threads all searching the disk, it needs to run from long running thread - #11570

  • [Responsiveness] Package Management UI can consume large number of threads all searching the disk (up to 316 threads), use cancellation token at subroutines - #11599

  • [Bug]: NU1004 in Visual Studio, but not command line (lock files in locked mode) - #11639

  • [Bug]: new warning for package source mappings doesn't pass a value for the resource string placeholder - #11709

List of commits in this release

Community contributions

Thank you to all the contributors who helped make this NuGet release awesome!

Who PRs Issues
MarkKharitonov 4511 [Feature]: Add support for a dedicated environment variable providing the NuGetScratch path. - #11671
mfkl 4222 A better cache clean-up and expiration policy - #4980
dfederm 4504 Static Graph restore uses Project.FromFile + Project.CreateInstance instead of ProjectInstance.FromFile directly - #11675
crummel 4404 [main] Backport source-build patches to repos. #2708
mjolka 4475 Very slow restore when using NoWarn in single project that has lots of dependents - #11222
marcin-krystianc 4488 dotnet integration pack test IL issue - #11454
marcin-krystianc 4025 Restore fails with NU1106 for solution that uses StaticGraph and CPVM - #10327; [Feature]: Add option to allow versions of transitive dependencies to be overridden - #10389
davkean 4483 Remove unneeded allocations when parsing assets file #11648
reynoldsbd 4458 [Bug]: Race Condition Creating Plugin Log Files - #11517
tintoy 4287 AutoCompleteResourceV3 does not use the supplied logger - #11272
davkean 4440 Improve VS and NuGet performance by making some methods non-asynchronous - #11816
davkean 4439 Redundant calls to get VsHierarchy in NuGet VS code - #11817
davkean 4432 Avoid double-checking for supported projects - #11554
dfederm 4393 [Bug]: Static graph restore binlog doesn't log task inputs - #11484
drewnoakes 4390 Show package .props and .targets files in Solution Explorer #7838
drewnoakes 4386 Solution Explorer search is not showing package contents - #7834
marcin-krystianc 4186 [Regression]: Performance regression for cold restores in .NET 5.0.x #11031
joperator 4389 [Bug]: Errors NU3028 and NU3037 when restoring NuGet packages on FreeBSD - #11481
AndreiTimisescu 3779 Make LocalPackageFileCache methods virtual - #10325
tmds 4123 NuGetScratch lock files are not cleaned up - #10679

Feedback welcome

Your feedback is important to us. If there are any problems with this release, check our GitHub Issues and Visual Studio Developer Community for existing issues. For new issues within NuGet, please report a GitHub Issue. For general NuGet experience issues, let us know via the Report a Problem option found in your favorite IDE under Help > Report a Problem.