Merge pull request #3296 from NuGet/main

Author: kartheekp-ms

.github/workflows/stale-issues.yml

@@ -26,9 +26,9 @@ jobs:
           close-issue-message: 'This issue is closed. If you feel this issue has been closed in error, please submit a new comment on the issue, and we will review it.'
           stale-issue-label: 'stale'
           close-issue-label: 'auto-close'
-          exempt-issue-labels: 'exempt'
+          exempt-issue-labels: 'exempt,P1'
           remove-stale-when-updated: true
           days-before-close: 14
-          days-before-issue-stale: 180
+          days-before-issue-stale: 90
           days-before-pr-stale: -1
-          operations-per-run: 500
+          operations-per-run: 500

.openpublishing.redirection.json

@@ -364,6 +364,26 @@
             "source_path": "docs/tools/ps-ref-update-package.md",
             "redirect_url": "/nuget/reference/ps-reference/ps-ref-update-package",
             "redirect_document_id": false
+        },
+        {
+            "source_path": "docs/reference/errors-and-warnings/NU1901.md",
+            "redirect_url": "/nuget/reference/errors-and-warnings/NU1901-NU1904",
+            "redirect_document_id": false
+        },
+        {
+            "source_path": "docs/reference/errors-and-warnings/NU1902.md",
+            "redirect_url": "/nuget/reference/errors-and-warnings/NU1901-NU1904",
+            "redirect_document_id": false
+        },
+        {
+            "source_path": "docs/reference/errors-and-warnings/NU1903.md",
+            "redirect_url": "/nuget/reference/errors-and-warnings/NU1901-NU1904",
+            "redirect_document_id": false
+        },
+        {
+            "source_path": "docs/reference/errors-and-warnings/NU1904.md",
+            "redirect_url": "/nuget/reference/errors-and-warnings/NU1901-NU1904",
+            "redirect_document_id": false
         }
     ]
 }

docs/TOC.md

@@ -339,6 +339,8 @@
 ### [Known Issues](release-notes/known-issues.md)
 
 ### NuGet 6.x
+#### [NuGet 6.10](release-notes/NuGet-6.10.md)
+#### [NuGet 6.9](release-notes/NuGet-6.9.md)
 #### [NuGet 6.8](release-notes/NuGet-6.8.md)
 #### [NuGet 6.7](release-notes/NuGet-6.7.md)
 #### [NuGet 6.6](release-notes/NuGet-6.6.md)

docs/api/_data/repository-signatures-index.json

@@ -20,6 +20,16 @@
       "notBefore": "2021-02-16T00:00:00.0000000Z",
       "notAfter": "2024-05-15T23:59:59.0000000Z",
       "contentUrl": "https://api.nuget.org/v3-index/repository-signatures/certificates/5a2901d6ada3d18260b9c6dfe2133c95d74b9eef6ae0e5dc334c8454d1477df4.crt"
+    },
+    {
+      "fingerprints": {
+        "2.16.840.1.101.3.4.2.1": "1f4b311d9acc115c8dc8018b5a49e00fce6da8e2855f9f014ca6f34570bc482d"
+      },
+      "subject": "CN=NuGet.org Repository by Microsoft, O=NuGet.org Repository by Microsoft, L=Redmond, S=Washington, C=US",
+      "issuer": "CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O=\"DigiCert, Inc.\", C=US",
+      "notBefore": "2024-02-23T00:00:00.0000000Z",
+      "notAfter": "2027-05-18T23:59:59.0000000Z",
+      "contentUrl": "https://api.nuget.org/v3-index/repository-signatures/certificates/1f4b311d9acc115c8dc8018b5a49e00fce6da8e2855f9f014ca6f34570bc482d.crt"
     }
   ]
 }

docs/api/repository-signatures-resource.md

@@ -110,7 +110,7 @@ All hash values must be lowercase, hex-encoded string representations of the has
 ### Sample request
 
 ```
-GET https://api.nuget.org/v3-index/repository-signatures/index.json
+GET https://api.nuget.org/v3-index/repository-signatures/5.0.0/index.json
 ```
 
 ### Sample response

docs/api/search-query-service-resource.md

@@ -111,7 +111,7 @@ versions       | array of objects           | yes      | All of the versions of
 authors        | string or array of strings | no       | 
 iconUrl        | string                     | no       | 
 licenseUrl     | string                     | no       | 
-owners         | string or array of strings | no       | 
+owners         | string or array of strings | no       | A string represents a single owner's username
 projectUrl     | string                     | no       | 
 registration   | string                     | no       | The absolute URL to the associated [registration index](registration-base-url-resource.md#registration-index)
 summary        | string                     | no       | 

docs/concepts/Auditing-Packages.md

@@ -16,7 +16,10 @@ This involves identifying vulnerabilities, evaluating risks, and making recommen
 The audit can include a review of the packages themselves, as well as any dependencies and their associated risks.
 The goal of the audit is to identify and mitigate any security vulnerabilities that could be exploited by attackers, such as code injection or cross-site scripting attacks.
 
-NuGet Audit is available starting from NuGet 6.8, the .NET 8 SDK (8.0.100), and Visual Studio 2022 17.8.
+| Project Type | NuGet | .NET SDK | Visual Studio |
+|--------------|-------|----------|---------------|
+| PackageReference | 6.8 |  .NET 8 SDK (8.0.100) | Visual Studio 2022 17.8 |
+| packages.config | 6.10 | N/A | Visual Studio 2022 17.10 |
 
 ## Running a security audit with `restore`
 
@@ -28,16 +31,8 @@ A description of your dependencies is checked against a report of known vulnerab
 > NuGet.org's V3 URL is one such example (https://api.nuget.org/v3/index.json), but note that NuGet.org's V2 endpoint does not.
 
 1. On the command line, navigate to your project or solution directory.
-1. Ensure your project or solution contains a `.csproj` file.
-1. Type `dotnet restore` or `restore` using your preferred tooling (i.e. MSBuild, NuGet.exe, etc).
-1. Review the audit report and address the known security vulnerabilities.
-
-> [!NOTE]
-> At this time, NuGet does not audit `packages.config` projects.
-
-## Reviewing and acting on the security audit report
-
-Running `dotnet restore` will produce a report of security vulnerabilities with the affected package name, the severity of the vulnerability, and a link to the advisory for more details.
+1. Run `restore` using your preferred tooling (i.e. dotnet, MSBuild, NuGet.exe, VisualStudio etc).
+1. Review the warnings and address the known security vulnerabilities.
 
 ### Security vulnerabilities found with updates
 
@@ -79,30 +74,16 @@ On NuGet.org, you can navigate to the package details page and click `Report pac
 If no security vulnerabilities are found, this means that packages with known vulnerabilities were not found in your package graph at the present moment of time you checked.
 Since the advisory database can be updated at any time, we recommend regularly checking your `dotnet restore` output and ensuring the same in your continuous integration process.
 
-### Setting a security audit mode
-
-By default, a security audit is done for top-level dependencies.
-In the case that you'd like to audit both top-level and transitive dependencies, you can set the `<NuGetAuditMode>` MSBuild property to the desired mode in which auditing will run.
-Possible values are `direct` and `all`.
-For example if you wanted to audit all dependencies for security advisories, you can set the following:
-
-```xml
-<NuGetAuditMode>all</NuGetAuditMode>
-```
+### Configuring NuGet audit
 
-> [!NOTE]
-> Visual Studio 2022 17.8 does not support changing audit mode for SDK style packages.
-> It works from 17.9 Preview 2.
-
-### Setting a security audit level
-
-In cases where you only care about a certain threshold of a security advisory severity, you can set the `<NuGetAuditLevel>` MSBuild property to the desired level in which auditing will fail.
-Possible values are `low`, `moderate`, `high`, and `critical`.
-For example if you only want to see `moderate`, `high`, and `critical` advisories, you can set the following:
+Audit can be configured via MSBuild properties in a `.csproj` or MSBuild file being evaluated as part of your project.
+We recommend that audit is configured at a repository level.
 
-```xml
-<NuGetAuditLevel>moderate</NuGetAuditLevel>
-```
+| MSBuild Property | Default | Possible values | Notes |
+|------------------|---------|-----------------|-------|
+| NuGetAuditMode | direct | `direct` and `all` | If you'd like to audit both top-level and transitive dependencies, you can set the value to `all`. NuGetAuditMode is not applicable for packages.config projects |
+| NuGetAuditLevel | low | `low`, `moderate`, `high`, and `critical` | If you'd like to see `moderate`, `high`, and `critical` advisories, set the value to `moderate` |
+| NuGetAudit | true | `true` and `false` | If you wish to not receive security audit reports, you can opt-out of the experience entirely by setting the value to `false` |
 
 ### Excluding advisories
 
@@ -123,13 +104,8 @@ You can customize your build to treat these warnings as errors to [treat warning
 For example, if you're already using `<TreatWarningsAsErrors>` to treat all (C#, NuGet, MSBuild, etc) warnings as errors, you can use `<WarningsNotAsErrors>NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>` to prevent vulnerabilities discovered in the future from breaking your build.
 Alternatively, if you want to keep low and moderate vulnerabilities as warnings, but treat high and critical vulnerabilities as errors, and you're not using `TreatWarningsAsErrors`, you can use `<WarningsAsErrors>NU1903;NU1904</WarningsAsErrors>`.
 
-### Disabling security auditing
-
-At any time you wish to not receive security audit reports, you can opt-out of the experience entirely by setting the following MSBuild property in a `.csproj` or MSBuild file being evaluated as part of your project:
-
-```xml
-<NuGetAudit>false</NuGetAudit>
-```
+> [!NOTE]
+> MSBuild properties for message severity such as `NoWarn` and `TreatWarningsAsErrors` are not supported for packages.config projects.
 
 ## Summary
 

docs/concepts/Dependency-Resolution.md

@@ -112,6 +112,21 @@ In some cases, it's not possible to meet all version requirements. As shown belo
 
 In these situations, the top-level consumer (the application or package) should add its own direct dependency on Package B so that the [Direct dependency wins](#direct-dependency-wins) rule applies.
 
+### Version ranges and prerelease versions with PackageReference
+
+It is not unusual for a package to have both stable and prerelease versions available.
+When resolving a dependency graph, NuGet decides whether to consider prerelease versions for a package based on a single rule:
+`If the project or any packages within the graph request a prerelease version of a package, then include both prerelease or stable versions, otherwise consider stable versions only.`
+
+In practice, under the lowest applicable rule, this means:
+
+| Version Range | Available versions | Selected version |
+|---------------|--------------------|------------------|
+| [1.0.0, 2.0.0) | 1.2.0-beta.1, 1.2.0, | 1.2.0 |
+| [1.0.0, 2.0.0-0) | 1.2.0-beta.1, 1.2.0, | 1.2.0-beta.1 |
+| [1.0.0, 2.0.0) | 1.2.0-beta.1, 2.0.0-beta.3 | None, [NU1103](../reference/errors-and-warnings/NU1103.md) is raised. |
+| [1.0.0, 2.0.0-rc) | 1.2.0-beta.1, 2.0.0-beta.3 | 1.2.0-beta.1 |
+
 ## Dependency resolution with packages.config
 
 With `packages.config`, a project's dependencies are written to `packages.config` as a flat list. Any dependencies of those packages are also written in the same list. When packages are installed, NuGet might also modify the `.csproj` file, `app.config`, `web.config`, and other individual files.
@@ -122,6 +137,11 @@ By default, NuGet 2.8 looks for the lowest patch version (see [NuGet 2.8 release
 
 The `packages.config` process for resolving dependencies gets complicated for larger dependency graphs. Each new package installation requires a traversal of the whole graph and raises the chance for version conflicts. When a conflict occurs, installation is stopped, leaving the project in an indeterminate state, especially with potential modifications to the project file itself. This is not an issue when using other package management formats.
 
+### Version ranges and prerelease versions with packages.config
+
+packages.config resolution does not allow mixing of stable and pre-release dependency in a graph.
+If a dependency is expressed with a range like `[1.0.0, 2.0.0)`, pre-release packages are not allowed in the graph.
+
 ## Managing dependency assets
 
 When using the PackageReference format, you can control which assets from dependencies flow into the top-level project. For details, see [PackageReference](../consume-packages/package-references-in-project-files.md#controlling-dependency-assets).

docs/concepts/Package-Versioning.md

@@ -95,6 +95,8 @@ Note that versions such as `1.0.1-rc.10` and `1.0.1-rc.2` are not parsable by ol
 If you use numerical suffixes with pre-release tags that might use double-digit numbers (or more), use leading zeroes as in beta01 and beta05 to ensure that they sort correctly when the numbers get larger.
 This recommendation only applies this schema.
 
+Despite the ordering shown above, NuGet does not always consider both stable & prerelease packages during dependency resolution. Those rules are detailed in [Dependency Resolution](./Dependency-Resolution.md).
+
 ---
 
 ## Version ranges

docs/consume-packages/configuring-nuget-behavior.md

@@ -114,14 +114,15 @@ Multiple `NuGet.Config` files allow you to store settings in different locations
 These settings collectively apply to any NuGet operation invoked from the command line or from Visual Studio, with settings that exist "closest" to a solution or the current folder taking precedence.
 If a command line tool is used on a project file, rather than a solution file, then the project directory is used as the "solution directory", which can lead to inconsistent behaviour when there is a `NuGet.Config` file in a subdirectory of the solution file.
 
-Specifically, NuGet loads settings from the different config files in the following order:
+Specifically, when a config file is not specified explicitly on the command line, NuGet loads settings from the different config files in the following order:
 
 1. The [`NuGetDefaults.Config` file](#nuget-defaults-file), which contains settings related only to package sources.
 1. The computer-level file.
 1. The user-level file.
-1. The file specified with `-configFile`.
 1. Files found in every folder in the path from the drive root to the current folder (where `nuget.exe` is invoked or the folder containing the Visual Studio solution). For example, if a command is invoked in `c:\A\B\C`, NuGet looks for and loads config files in `c:\`, then `c:\A`, then `c:\A\B`, and finally `c:\A\B\C`.
 
+When a config file is explicitly specified on the command line, for example `nuget -configFile my.config` or `dotnet restore --configfile my.config`, only the settings from the specified file will be used.
+
 As NuGet finds settings in these files, they are applied as follows:
 
 1. For single-item elements, NuGet replaced any previously-found value for the same key. This means that settings that are "closest" to the current folder or solution override any others found earlier. For example, the `defaultPushSource` setting in `NuGetDefaults.Config` is overridden if it exists in any other config file.