From e813422e6f0ba1abfeb204a51fd2b0a04c10c6f2 Mon Sep 17 00:00:00 2001 From: Jeff Kluge Date: Mon, 2 Dec 2024 15:24:28 -0800 Subject: [PATCH 1/2] Update NU1604.md (#3350) --- docs/reference/errors-and-warnings/NU1604.md | 50 +++++++++++++++++++- 1 file changed, 49 insertions(+), 1 deletion(-) diff --git a/docs/reference/errors-and-warnings/NU1604.md b/docs/reference/errors-and-warnings/NU1604.md index 5fef4363c..2c132af48 100644 --- a/docs/reference/errors-and-warnings/NU1604.md +++ b/docs/reference/errors-and-warnings/NU1604.md 
@@ -12,10 +12,51 @@ f1_keywords: # NuGet Warning NU1604 +## Missing Package Version + +> Project dependency 'PackageA' does not contain an inclusive lower bound. Include a lower bound in the dependency version to ensure consistent restore results. + +### Issue + +A project dependency doesn't define a version. + +This means that restore used the lowest available version. +Each restore will float downwards trying to find a lower version that can be used. +This means that restore goes online to check all sources each time instead of using the packages that already exist in the user package folder. + +### Solution + +Find the `PackageReference` item that does not define the `Version` attribute and add it: + +For example change from: + +> `` + +to: + +> `` + +If the project is using [NuGet's Central Package Management (CPM)](../../consume-packages/Central-Package-Management.md), you need to update the `` item in `Directory.Packages.props` and change from: + +> `` + +to: +> `` + +If a version is specified in a `` item and you still receive this warning, verify you've correctly [onboarded to central package management](../../consume-packages/Central-Package-Management.md#enabling-central-package-management). + +> [!Note] +> When using CPM and the file `Directory.Packages.props` is invalid, NU1604 is raised. + +## Missing Inclusive Lower Bound + > Project dependency 'PackageA' (<= 9.0.0) does not contain an inclusive lower bound. Include a lower bound in the dependency version to ensure consistent restore results. ### Issue -A project dependency doesn't define a lower bound.

This means that restore did not find the *best match*. Each restore will float downwards trying to find a lower version that can be used. This means that restore goes online to check all sources each time instead of using the packages that already exist in the user package folder. +A project dependency doesn't define a lower bound. + +This means that restore did not find the *best match*. Each restore will float downwards trying to find a lower version that can be used. +This means that restore goes online to check all sources each time instead of using the packages that already exist in the user package folder. ### Solution Update the project's `PackageReference` `Version` attribute to include a lower bound. @@ -32,3 +73,10 @@ or > `` which implies a lower bound. + +If the project is using [NuGet's Central Package Management (CPM)](../../consume-packages/Central-Package-Management.md), you need to update the `` item in `Directory.Packages.props` and change from: + +> `` + +to: +> `` From 0d3df96e26048d1eb540c9befdf9bd45070d62dd Mon Sep 17 00:00:00 2001 From: Olia Gavrysh <31997351+OliaG@users.noreply.github.com> Date: Tue, 3 Dec 2024 11:35:29 -0800 Subject: [PATCH 2/2] Updated messaging according to reverting Audit default mode. (#3364) * Updated messaging according to reverting Audit default mode. * Update docs/release-notes/NuGet-6.12.md Co-authored-by: Andy Zivkovic --------- Co-authored-by: Andy Zivkovic --- docs/concepts/Auditing-Packages.md | 5 +---- docs/release-notes/NuGet-6.12.md | 3 +++ 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/concepts/Auditing-Packages.md b/docs/concepts/Auditing-Packages.md index c0ad794bb..873c7b345 100644 --- a/docs/concepts/Auditing-Packages.md +++ b/docs/concepts/Auditing-Packages.md 
@@ -43,13 +43,10 @@ We recommend that audit is configured at a repository level. | MSBuild Property | Default | Possible values | Notes | |------------------|---------|-----------------|-------| -| NuGetAuditMode | all | `direct` and `all` | If you'd like to audit top-level dependencies only, you can set the value to `direct`. NuGetAuditMode is not applicable for packages.config projects. | +| NuGetAuditMode | direct | `direct` and `all` | If you'd like to audit top-level dependencies only, you can set the value to `direct`. NuGetAuditMode is not applicable for packages.config projects. | | NuGetAuditLevel | low | `low`, `moderate`, `high`, and `critical` | The minimum severity level to report. If you'd like to see `moderate`, `high`, and `critical` advisories (exclude `low`), set the value to `moderate` | | NuGetAudit | true | `true` and `false` | If you wish to not receive security audit reports, you can opt-out of the experience entirely by setting the value to `false` | -Note: In .NET 8, the default value of NuGetAuditMode is `direct`. -Therefore, setting [SdkAnalysisLevel](/dotnet/core/project-sdk/msbuild-props#sdkanalysislevel) to `8.0.400` changes the default value of NuGetAuditMode accordingly. - #### Audit Sources Restore downloads a server's [`VulnerabilityInfo` resource](../api/vulnerability-info.md) to check against the list of packages each project is using. diff --git a/docs/release-notes/NuGet-6.12.md b/docs/release-notes/NuGet-6.12.md index 2da03291e..90ff0d250 100644 --- a/docs/release-notes/NuGet-6.12.md +++ b/docs/release-notes/NuGet-6.12.md @@ -7,6 +7,9 @@ ms.topic: conceptual # NuGet 6.12 Release Notes +> [!NOTE] +> In response to developers' feedback to ensure builds continuity when updating to .NET SDK 9, we have reverted the default value of NuGetAuditMode to `direct` in Visual Studio 17.12.3 and .NET 9.0.101. + NuGet distribution vehicles: | NuGet version | Available in Visual Studio version | Available in .NET SDK(s) |
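Review bot: in the NU1604.md hunk `@@ -12,10 +12,51 @@`, the new "Missing Package Version" Issue text says "This means that restore used the lowest available version." and then immediately "Each restore will float downwards trying to find a lower version that can be used.", a sentence carried over from the lower-bound section that contradicts the one before it: if restore already picked the lowest available version there is nothing lower to float to. Drop the float-downwards sentence here, or reword the paragraph to what the section actually argues: with no version pinned, restore cannot be satisfied from the user package folder, so it queries every configured source on every restore and the version it resolves depends on what each source returns at that moment, which is exactly why the message asks for an inclusive lower bound. The before/after snippets under "For example change from:" and "to:" render as empty inline code in this view, as does the element name in "update the `` item in `Directory.Packages.props`"; confirm the markup survives in the rendered page. Minor style: the alert is written `> [!Note]` while the NuGet-6.12.md hunk in the same patch series uses `> [!NOTE]`; use one casing.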
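Review bot: in the NU1604.md hunk `@@ -32,3 +73,10 @@`, the added CPM paragraph is a verbatim copy of the one added to the "Missing Package Version" section, and in both copies "to:" runs straight into the `>` example with no blank line, unlike the first example in the earlier hunk where "to:" is followed by a blank line before the quoted snippet. Add the blank line in both places so the blockquote renders as its own block, and since the two paragraphs are identical, either keep them in sync deliberately or have the second section refer back to the first. It would also help the reader to say that when CPM is enabled the `Version` belongs in `Directory.Packages.props` and not on the `PackageReference` in the project file, since the paragraph directly above still tells them to edit the `PackageReference` `Version` attribute.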
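Review bot: in the Auditing-Packages.md hunk, changing the Default cell for NuGetAuditMode to `direct` while deleting the SdkAnalysisLevel note leaves the table asserting one unqualified default, but the release-notes hunk in this same patch says the revert to `direct` only lands in Visual Studio 17.12.3 and .NET SDK 9.0.101; anyone on the earlier 17.12 and 9.0.100 builds still gets `all`. Replace the removed note with a version-qualified one rather than dropping it, e.g. "Default is `all` in Visual Studio 17.12.0 to 17.12.2 and .NET SDK 9.0.100, and `direct` from Visual Studio 17.12.3 and .NET SDK 9.0.101 onward." Since `direct` means advisories against transitive packages are not reported at all, and the text above the table already recommends configuring audit at repository level, the Notes cell should tell readers who want full coverage to set NuGetAuditMode to `all` explicitly (for example in Directory.Build.props) instead of relying on the default.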
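Review bot: in the NuGet-6.12.md hunk, "to ensure builds continuity" should read "to ensure build continuity" (or "to keep builds working"), and the note says the default was reverted to `direct` without stating what it was before (`all`, per the Auditing-Packages.md table this same patch changes) or how to get the previous behaviour back, which is what a reader landing on this note most needs. Suggest adding one sentence: transitive-dependency auditing is still available by setting `<NuGetAuditMode>all</NuGetAuditMode>` in the project or in Directory.Build.props. Also write ".NET SDK 9.0.101" rather than ".NET 9.0.101", since it is an SDK version and the same sentence already says ".NET SDK 9".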