Publish main to live #3365

Merged
merged 2 commits into from
Dec 3, 2024
5 changes: 1 addition & 4 deletions docs/concepts/Auditing-Packages.md
Expand Up @@ -43,13 +43,10 @@ We recommend that audit is configured at a repository level.

| MSBuild Property | Default | Possible values | Notes |
|------------------|---------|-----------------|-------|
| NuGetAuditMode | all | `direct` and `all` | If you'd like to audit top-level dependencies only, you can set the value to `direct`. NuGetAuditMode is not applicable for packages.config projects. |
| NuGetAuditMode | direct | `direct` and `all` | If you'd like to audit top-level dependencies only, you can set the value to `direct`. NuGetAuditMode is not applicable for packages.config projects. |
| NuGetAuditLevel | low | `low`, `moderate`, `high`, and `critical` | The minimum severity level to report. If you'd like to see `moderate`, `high`, and `critical` advisories (exclude `low`), set the value to `moderate` |
| NuGetAudit | true | `true` and `false` | If you wish to not receive security audit reports, you can opt-out of the experience entirely by setting the value to `false` |

Note: In .NET 8, the default value of NuGetAuditMode is `direct`.
Therefore, setting [SdkAnalysisLevel](/dotnet/core/project-sdk/msbuild-props#sdkanalysislevel) to `8.0.400` changes the default value of NuGetAuditMode accordingly.

#### Audit Sources

Restore downloads a server's [`VulnerabilityInfo` resource](../api/vulnerability-info.md) to check against the list of packages each project is using.
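Review bot: the Notes cell of the changed NuGetAuditMode row is now stale. It still says "If you'd like to audit top-level dependencies only, you can set the value to `direct`", but `direct` is the new default in this row, so the guidance should flip to tell readers that transitive advisories are no longer reported by default and that `all` must be set to see them, for example "Set the value to `all` to also audit transitive dependencies." Also, with the .NET 8 / SdkAnalysisLevel note deleted, the table no longer records which versions this default applies to; the release-notes hunk in this same PR says the revert shipped in Visual Studio 17.12.3 and .NET 9.0.101, so a short version note in the Notes column would keep the table accurate for users on earlier 17.12 builds and .NET 9.0.100, where the default was `all`.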
50 changes: 49 additions & 1 deletion docs/reference/errors-and-warnings/NU1604.md
Expand Up @@ -12,10 +12,51 @@ f1_keywords:

# NuGet Warning NU1604

## Missing Package Version

> Project dependency 'PackageA' does not contain an inclusive lower bound. Include a lower bound in the dependency version to ensure consistent restore results.

### Issue

A project dependency doesn't define a version.

This means that restore used the lowest available version.
Each restore will float downwards trying to find a lower version that can be used.
This means that restore goes online to check all sources each time instead of using the packages that already exist in the user package folder.

### Solution

Find the `PackageReference` item that does not define the `Version` attribute and add it:

For example change from:

> `<PackageReference Include="PackageA" />`

to:

> `<PackageReference Include="PackageA" Version="9.0.0" />`

If the project is using [NuGet's Central Package Management (CPM)](../../consume-packages/Central-Package-Management.md), you need to update the `<PackageVersion />` item in `Directory.Packages.props` and change from:

> `<PackageVersion Include="PackageA" />`

to:
> `<PackageVersion Include="PackageA" Version="9.0.0" />`

If a version is specified in a `<PackageVersion />` item and you still receive this warning, verify you've correctly [onboarded to central package management](../../consume-packages/Central-Package-Management.md#enabling-central-package-management).

> [!Note]
> When using CPM and the file `Directory.Packages.props` is invalid, NU1604 is raised.

## Missing Inclusive Lower Bound

> Project dependency 'PackageA' (&lt;= 9.0.0) does not contain an inclusive lower bound. Include a lower bound in the dependency version to ensure consistent restore results.

### Issue
A project dependency doesn't define a lower bound.<br/><br/>This means that restore did not find the *best match*. Each restore will float downwards trying to find a lower version that can be used. This means that restore goes online to check all sources each time instead of using the packages that already exist in the user package folder.
A project dependency doesn't define a lower bound.

This means that restore did not find the *best match*. Each restore will float downwards trying to find a lower version that can be used.
This means that restore goes online to check all sources each time instead of using the packages that already exist in the user package folder.

### Solution
Update the project's `PackageReference` `Version` attribute to include a lower bound.
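Review bot: two consistency nits in the new "Missing Package Version" section. The alert is written as `> [!Note]` while the release-notes hunk in this same PR uses `> [!NOTE]`; the upper-case form is the one used elsewhere here, so the two should match. Second, under the CPM example the line `to:` is immediately followed by the quoted `<PackageVersion Include="PackageA" Version="9.0.0" />` with no blank line in between, whereas the non-CPM example just above separates `to:` from its quote with a blank line; add the blank line so both examples render the same way.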
Expand All @@ -32,3 +73,10 @@ or
> `<PackageReference Version="9.0.0" />`

which implies a lower bound.

If the project is using [NuGet's Central Package Management (CPM)](../../consume-packages/Central-Package-Management.md), you need to update the `<PackageVersion />` item in `Directory.Packages.props` and change from:

> `<PackageVersion Include="PackageA" Version="(9.0.0, )" />`

to:
> `<PackageVersion Include="PackageA" Version="9.0.0" />`
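Review bot: the CPM before/after example silently changes the range semantics and deserves a sentence. `(9.0.0, )` is an exclusive lower bound (strictly greater than 9.0.0), while the replacement `9.0.0` is an inclusive lower bound that now admits 9.0.0 itself, so readers should choose the lowest version they actually intend to allow rather than copy the literal. The quoted warning above uses `(<= 9.0.0)`, a different shape of missing lower bound, so the example would read more clearly if it used the same range the warning quotes. As in the earlier hunk, `to:` here is directly followed by the quote with no blank line.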
3 changes: 3 additions & 0 deletions docs/release-notes/NuGet-6.12.md
Expand Up @@ -7,6 +7,9 @@ ms.topic: conceptual

# NuGet 6.12 Release Notes

> [!NOTE]
> In response to developers' feedback to ensure builds continuity when updating to .NET SDK 9, we have reverted the default value of NuGetAuditMode to `direct` in Visual Studio 17.12.3 and .NET 9.0.101.

NuGet distribution vehicles:

| NuGet version | Available in Visual Studio version | Available in .NET SDK(s) |