Announcing NuGet 6.0 – Source Mapping, Package Vulnerabilities, Faster Solution Load, Oh My!

>>> Shared from Original Post The NuGet Blog

NuGet 6.0 – Source Mapping, Package Vulnerabilities, Faster Solution Load, Oh My!

NuGet 6.0 is included in Visual Studio 2022 and .NET 6.0 out of the box. You can also download NuGet 6.0 for Windows, macOS, and Linux as a standalone executable.

NuGet 6.0 is one of many releases in our .NET unification journey. Our NuGet tooling helps developers discover new .NET packages to use for their .NET applications, while making package management easier during your daily development.

NuGet 6.0 Highlights

There are many new features in NuGet 6.0:

.NET 6 Support

NuGet 6.0 is the first release to offer full authoring and restoring support for NuGet packages targeting .NET 6.0. You can now target the following target frameworks:

  • net6.0
  • net6.0-windows
  • net6.0-android
  • net6.0-ios
  • net6.0-macos
  • net6.0-maccatalyst
  • net6.0-tvos
  • net6.0-tizen

Image dotnet

If you aren’t familiar with the .NET 6.0 targets today or what it will look like in the future, don’t forget to check out the .NET 6.0 TFM spec.

Source Mapping

Earlier this year, many package managers became aware of dependency confusion attacks in which a user can be tricked into installing a malicious dependency instead of the one they intended to. To fortify your software supply chain against these attacks, the NuGet team has developed a new feature that allows you to map your dependencies to specific sources. Below is an example of how you can use source mapping to protect your projects.

<!-- Define a global packages folder for your repository. -->
<!-- This is where installed packages will be stored locally. -->
<config>
  <add key="globalPackagesFolder" value="globalPackagesFolder" />
</config>

<!-- Define my package sources, nuget.org and contoso.com. -->
<!-- `clear` ensures no additional sources are inherited from another config file. -->
<packageSources>
  <clear />
  <!-- `key` can be any identifier for your source. -->
  <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  <add key="contoso.com" value="https://contoso.com/packages/" />
</packageSources>

<!-- Define mappings by adding package ID patterns beneath the target source. -->
<!-- Contoso.* packages will be restored from contoso.com, everything else from nuget.org. -->
<packageSourceMapping>
  <!-- key value for <packageSource> should match key values from <packageSources> element -->
  <packageSource key="nuget.org">
    <package pattern="*" />
  </packageSource>
  <packageSource key="contoso.com">
    <package pattern="Contoso.*" />
  </packageSource>
</packageSourceMapping>

You can read more about source mapping in our documentation. To secure your software supply chain, you can also read our documentation on the topic.

Package Vulnerabilities in Visual Studio

When using the NuGet Package Manager within Visual Studio, you will now see package vulnerabilities for your packages including details such as the number and severity of vulnerabilities as well as direct links to learn more about the advisories.

Image vulnerability

Retry & Backoff Behavior

There is now a NUGET_ENABLE_EXPERIMENTAL_HTTP_RETRY flag to improve the retry & backoff behavior of NuGet clients such as increasing the maximum amount of retries and increasing the delay for a more resilient experience when encountering a weaker internet connection.

Exclude Default File Extensions

You can now use the MSBuild flag <AllowedOutputExtensionsInPackageBuildOutputFolder> to edit the file extensions included in the build output of your package. This gives you more control over the extensions being included in your build output folder.

Improved Deprecation Information in Visual Studio

Deprecated packages in Visual Studio now include a link to the suggested alternate package to use. You can use this feature to quickly browse and install packages that are actively maintained.

Image deprecation

Add a Package README in Visual Studio

You can now add a package README.md file directly within Visual Studio. A README helps communicate important information about your package. It is often the first item a visitor will see when visiting your package on NuGet.org. README files typically include information on:

  • What the package does
  • Why the package is useful
  • How users can get started with the package
  • Where users can get help or contribute to your package

You can read more about adding a README to your NuGet package on our blog.

Faster Solution Load & Branch Switching in Visual Studio

In Visual Studio 2022, NuGet has redefined the contract between NuGet package restore and common Visual Studio components to improve performance for large solutions by only calling restore once instead of multiple times. This improves the time it takes for background processes to complete significantly.

Install Visual Studio 2022 and let us know if you notice a faster experience when loading your large solutions or switching between branches!

Closing

NuGet 6.0 is a big release that should improve many aspects of your daily package management needs. We’ve added a bunch of new features to Visual Studio experiences, improved restore performance to solution load & branch switching, and added support to .NET 6!

We’re excited to see you use NuGet 6.0 & include it in your toolset for building amazing things with .NET.

For more details on NuGet 6.0, see our official release notes.

Feedback

Your feedback is important to us. If there are any problems with this release, check our GitHub Issues and Visual Studio Developer Community for existing issues. For new issues within NuGet, please report a GitHub Issue. For general NuGet experience issues, let us know via the Report a Problem option found in your favorite IDE under Help > Report a Problem.

The post Announcing NuGet 6.0 – Source Mapping, Package Vulnerabilities, Faster Solution Load, Oh My! appeared first on The NuGet Blog.

>>> Read the Full Story at The NuGet Blog