| title | description | author | ms.author | ms.date | ms.topic |
|---|---|---|---|---|---|
NuGet 4.9 RTM Release Notes |
Release notes for NuGet 4.9 including known issues, bug fixes, new features, and DCRs. |
JonDouglas |
jodou |
11/20/2018 |
conceptual |
NuGet distribution vehicles:
| NuGet version | Available in Visual Studio version | Available in .NET SDK(s) |
|---|---|---|
| 4.9.0 | Visual Studio 2017 version 15.9.0 | 2.1.500, 2.2.100 |
| 4.9.1 | n/a | n/a |
| 4.9.2 | Visual Studio 2017 version 15.9.4 | 2.1.502, 2.2.101 |
| 4.9.3 | Visual Studio 2017 version 15.9.6 | 2.1.504, 2.2.104 |
| 4.9.5 | n/a | n/a .NET Core 2.1 is out of support as of August 21, 2021 |
| 4.9.6 | n/a | n/a .NET Core 2.1 is out of support as of August 21, 2021 |
- [Security]: Microsoft Security Advisory CVE-2022-41032 | .NET Elevation of Privilege Vulnerability - #12149
- [Security]: Microsoft Security Advisory CVE-2022-30184 | .NET Information Disclosure Vulnerability - #11883
-
Signing: Enable ClientPolicies to require use of a set of Trusted Authors and Repositories listed in NuGet.Config - #6961, blog post
-
create ".snupkg" files to contain symbols in pack -- enhance push to understand nuget protocol to accept snupkg files for symbol server - #6878, blog post
-
NuGet credential plugin V2 - #6642
-
Self-Contained NuGet Packages - License - #4628, announcement
-
Enable opt-in "GeneratePathProperty" metadata on a PackageReference to generate a per package MSBuild property to "Foo.Bar\1.0" directory - #6949
-
Improve customer success with NuGet operations - #7108
-
Enable repeatable package restores using a lock file - #5602, announcement, blog post
-
Warnings elevated to errors (via WarnAsErrors) raised by PackageExtraction should never leave extracted package around - #7445
-
Badly signed packages should not end up in the global packages folder - #7423
-
binding redirect generation should not skip facade assemblies - #7393
-
VersionRange Equals doesn't compare floating ranges - #7324
-
Restore: performance regression using new .NET Core 2.1 HTTP stack - #7314
-
Update of a Package should not modify PrivateAssets of a PackageReference - #7285
-
Signing: signing should fail if a package has too many package entries (>65534) - #7248
-
"dotnet nuget push" codepath should support the new credential provider - #7233
-
Support executing plugins with invariant culture (as happens in docker) - #7223
-
nuget sources add should not delete credentials from NuGet.config - #7200
-
installing a devDependency PackageReference should default to excludeassets=compile - #7084
-
fix migrator option to be displayed for all projects and show error if project is incompatible - #6958
-
"dotnet add package" should commit the restore it performs to the assets file - #6928
-
Signing: improve signing related error messages - #6906
-
[Test Failure][zh-TW]String "Package Manager Console" doesn't localize on Package Manager Console - #6381
-
Error message around "Unable to find project information" should be a little more specific inside VS - #5350
-
Unhelpful error message when incorrectly using nuspec version tag of nuget pack - #2714
-
DCR - Signing: support NuGet protocol: RepositorySignatures/4.9.0 resource - #7421
-
DCR - .nupkg.metadata file will now be created during package extraction - contains "content-hash" - #7283
-
DCR - Skip authenticode verification for plugins while executing on Mono - #7222
List of all issues fixed in this release 4.9.0
- Add support for reading a writing to the nuget.config via a new command trusted-signers - #7480
-
Fix license link generation - #7515
-
Error codes regression for validating signatures - #7492
-
NuGet.Build.Tasks.Pack package does not have license information - #7379
List of all issues fixed in this release 4.9.1
-
VS/dotnet.exe/nuget.exe/msbuild.exe restore doesn't use credentials when source name contains a whitespace - #7517
-
LicenseAcceptanceWindow and LicenseFileWindow Accessibility issues - #7452
-
Fix FormatException in DateTime.Parse from DateTimeConverter - #7539
List of all issues fixed in this release 4.9.2
-
Locked mode not working as hash is calculated incorrectly for previously cached packages - #7682
-
Restore resolves to a different version than defined in
packages.lock.jsonfile - #7667 -
'--locked-mode / RestoreLockedMode' causes spurious Restore failures when ProjectReferences are involved - #7646
-
MSBuild SDK resolver tries to validate SHA for a SDK package which fails restore when using packages.lock.json - #7599
-
dotnet.exe should not evaluate trusted-signers while signed packages are not supported - #7574
-
Order of trustedSigners in config file affects trust evaluation - #7572
-
Can't implement ISettings [Caused by refactoring of settings APIs to support Trust Policies feature] - #7614
- Cannot publish symbol package for .NET Core Global Tool - #7632
- Error building symbol .snupkg package when using embedded license file - #7591
List of all issues fixed in this release 4.9.3
- Security Fix: Permissions on files created inside ~/.nuget are too open #7673 CVE-2019-0757
dotnet nuget push --interactive gives an error on Mac. - #7519
The --interactive argument is not being forwarded by the dotnet cli and results in the error error: Missing value for option 'interactive'
Run any other dotnet command with the interactive option such as dotnet restore --interactive and authenticate. The authentication then might be cached by the credential provider. Then run dotnet nuget push.
Packages in FallbackFolders installed by .NET Core SDK are custom installed, and fail signature validation. - #7414
When using dotnet.exe 2.x to restore a project that multi-targets netcoreapp 1.x and netcoreapp 2.x, the fallback folder is treated as a file feed. This means, when restoring, NuGet will pick the package from the fallback folder and try to install it into the global packages folder and do the usual signing validation which fails.
Disable the usage of the fallback folder by setting the RestoreAdditionalProjectSources to nothing. <RestoreAdditionalProjectSources/> Use this with caution as it will cause a lot of packages to be downloaded from NuGet.org which otherwise would be have been restored from the fallback folder.