Announcing NuGet 6.10

The NuGet Team

May 21st, 20246 0

NuGet 6.10 is included in Visual Studio 2022 and .NET 8.0 out of the box. You can also download NuGet 6.10 for Windows, macOS, and Linux as a standalone executable.

In NuGet 6.10, we introduce some exciting new features and bug fixes, such as a new dotnet nuget config command, vulnerability auditing in packages.config, and improvements to cached credentials. For more information, and a detailed list of all changes, see our release notes.

NuGet 6.10 Highlights

New features in NuGet 6.10:

dotnet nuget config command

You can now run the dotnet nuget config command with paths, get, set, and unset sub-commands to easily configure and understand your NuGet environment. Here’s a few scenarios using this command:

  • dotnet nuget config paths – will list all of the NuGet.config files associated with a current working directory.
  • dotnet nuget config get all --show-path – will list all of the configuration settings and their respective file path.
  • dotnet nuget config set signatureValidationMode require – will set the signatureValidationMode property to require in your NuGet.config file.
  • dotnet nuget config unset signatureValidationMode – will unset the signatureValidationMode property in your NuGet.config file.

Vulnerability auditing in packages.config

You can now audit for known security vulnerabilities in packages.config projects. You’ll see a familiar experience as you saw with <PackageReference> last year, but for any project that hasn’t migrated from packages.config quite yet:

Improvements to cached credentials

When authenticating to a private NuGet package source, there can be a retry loop after a 401 Unauthorized challenge occurs instead of a 403 Forbidden, causing unnecessary delays and potential strain on internal services. In these cases, NuGet will now verify if cached credentials work before asking for new ones, decreasing the frequency of cache invalidation and excess user prompts.

Thank you to @leong-desco for discovering this issue!

Closing

NuGet 6.10 comes with some exciting new features and bug fixes that will continue to improve your experience managing packages in your .NET projects!

On behalf of the NuGet team and the entire .NET community, we’d like to express our sincere gratitude to all the community contributors who have generously given their time and expertise to improve NuGet this release. Thank you.

For more details on NuGet 6.10, see our official release notes.

Feedback

Your feedback is important to us. If there are any problems with this release, check our GitHub Issues and Visual Studio Developer Community for existing issues. For new issues within NuGet, please report a GitHub Issue. For general NuGet experience issues, let us know via the Report a Problem option found in your favorite IDE under Help > Report a Problem.

The NuGet Team

Read next

6 comments

Leave a comment

  • ozbobWA 1

    which forum should I post this CPM query?
    I have two solutions with one shared core project. I upgrade one solution’s projects to use CPM(Central Project Management), but when I go back to the first solution, when I complie the error is similar to: ‘missing version in referenced package’.
    At the moment one CPM’dproject in a solution is an issue, especially on dotnet6, with a dotnetstandard2.0 CPM’d shared project, and even more so when the core project is also shared with older framework4.8 projects.

    • Cédric Vernou 0

      Sound like a bug.

      You can open a issue in the repos NuGet/Home.
      Before, can you check the issue don’t exist?
      CPM Bug

  • Richard Deeming 1

    I’m guessing the “improvements to cached credentials” are why my cached credentials suddenly stopped working yesterday afternoon, and required me to obtain a new PAT, even though the existing one doesn’t expire for several months. 🤦‍♂️

    • Richard Deeming 0

      OK, this is getting beyond a joke!

      Having generated a new PAT 3 DAYS AGO, the dotnet nuget command line is now telling me that I need to generate another one.

      None of my PATs have expired. There is clearly a serious bug in the latest version of the tool.

    • Richard Deeming 0

      And five days later, exactly the same problem again.

      Did nobody test this update?!

  • Jules César 0

    Many packages relying on expired certificates, is this on purpose, backdoors?

    Eg. System.Text.Encoding 4.3.0, widely used.
    0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D
    Expired on: 4/14/2021
    Root Untrusted

Feedback usabilla icon