Merge pull request #3362 from NuGet/main

nkolev92 · web-flow · commit 96764b2f97b2 · 2024-11-19T10:17:14.000-08:00
Merge to live - 17.12 updates
diff --git a/.openpublishing.build.ps1 b/.openpublishing.build.ps1
diff --git a/docs/api/package-base-address-resource.md b/docs/api/package-base-address-resource.md
@@ -36,9 +36,9 @@ All URLs found in the package content resource support the HTTP methods `GET` an
 
 ## Enumerate package versions
 
-If the client knows a package ID and wants to discover which package versions the package source has available, the
-client can construct a predictable URL to enumerate all package versions. This list is meant to be a "directory
-listing" for the package content API mentioned below.
+If the client knows a package ID and wants to discover which package versions the package source has available, the client can construct a predictable URL to enumerate all package versions.
+Every version listed in this list must be available for download.
+This list is meant to be a "directory listing" for the package content API mentioned below.
 
 > [!Note]
 > This list contains both listed and unlisted package versions.
diff --git a/docs/reference/errors-and-warnings/NU1901-NU1904.md b/docs/reference/errors-and-warnings/NU1901-NU1904.md
@@ -52,5 +52,5 @@ For example `<NuGetAuditSuppress Include="https://github.com/advisories/GHSA-g3q
 If you do not want NuGet to check for packages with known vulnerabilities during restore, add `<NuGetAudit>false</NuGetAudit>` inside a `<PropertyGroup>` in your project file, or a [`Directory.Build.props` file](/visualstudio/msbuild/customize-by-directory).
 If you would like to run NuGet Audit on developer machines, but disable it on CI pipelines, you can take advantage of MSBuild importing environment variables, and create a NuGetAudit environment variable set to `false` in your pipeline definition.
 
-In NuGet 6.12 (Visual Studio/MSBuild 17.12 and .NET 9.0.100 SDK), NuGet changed the default for `NuGetAuditMode` to `all`, which means report on transitive packages with known vulnerabilities.
+In NuGet 6.12 (Visual Studio/MSBuild 17.12 and .NET 9.0.100 SDK), the default setting for `NuGetAuditMode` was changed to `all`. This means that NuGet will now report on transitive packages with known vulnerabilities.
 The value can be explicitly set to `direct` to revert back to .NET 8's default. Alternatively, [the property `SdkAnalysisLevel`](/dotnet/core/project-sdk/msbuild-props#sdkanalysislevel) can be set to `8.0.400` to temporarily disable all new warnings and errors introduced in newer versions of the SDK. Specifically in this case, the default value of `NuGetAuditMode` is changed back to `direct`. 
diff --git a/docs/release-notes/NuGet-6.12.md b/docs/release-notes/NuGet-6.12.md
@@ -35,30 +35,30 @@ NuGet 6.12.0 is available in the .NET 9.0.100 SDK.
 
 * Add new graph resolution algorithm for better performance with large graphs - [#13692](https://github.com/NuGet/Home/issues/13692)
 
-* Owner profile hyperlinks needed in Details Pane of PM UI - [#13686](https://github.com/NuGet/Home/issues/13686)
+* NuGetAudit raises warnings for vulnerable transitive packages by default when the .NET 9 SDK is installed [#13293](https://github.com/NuGet/Home/issues/13293)
+
+* Change NuGetAuditMode default from direct to all, raising warnings for vulnerable transitive packages for non-SDK style projects - [#13584](https://github.com/NuGet/Home/issues/13584)
 
 * Audit security vulnerabilities without adding nuget.org as package source - [#12698](https://github.com/NuGet/Home/issues/12698)
 
+* Owner profile hyperlinks needed in Details Pane of PM UI - [#13686](https://github.com/NuGet/Home/issues/13686)
+
 * Deprecate SHA-1 fingerprints usage in NuGet Sign commands in favor of SHA-2 family fingerprints [#13891](https://github.com/NuGet/Home/issues/13891)
 
-* Deprecate http usage: Promote from warning to error - [#13289](https://github.com/NuGet/Home/issues/13289)
+* Bubble-up Known Vulnerability Indicators in Solution Explorer for Transitive Packages - [#13636](https://github.com/NuGet/Home/issues/13636)
 
-### Breaking changes
+* Enable Transitive Dependencies and vulnerabilities for Solution-level in Visual Studio - [#13216](https://github.com/NuGet/Home/issues/13216)
 
-* NuGetAudit should check transitive packages by default when the .NET 9 SDK is installed [#13293](https://github.com/NuGet/Home/issues/13293)
+### Breaking changes
 
-* Change NuGetAuditMode default to all for non-SDK style projects - [#13584](https://github.com/NuGet/Home/issues/13584)
+* Deprecate http usage: Promote from warning to error - [#13289](https://github.com/NuGet/Home/issues/13289)
 
 ### Issues fixed in this release
 
-* Bubble-up Known Vulnerability Indicators in Solution Explorer for Transitive Packages - [#13636](https://github.com/NuGet/Home/issues/13636)
-
 * Enable `dotnet nuget why` on non-SDK style projects - [#13576](https://github.com/NuGet/Home/issues/13576)
 
 * NuGetAuditSuppress for packages.config - [#13575](https://github.com/NuGet/Home/issues/13575)
 
-* Enable Transitive Dependencies for Solution-level in Visual Studio - [#13216](https://github.com/NuGet/Home/issues/13216)
-
 * Roll-out new breaking change process for SDK tools, respect SdkAnalysisLevel - [#13309](https://github.com/NuGet/Home/issues/13309)
 
 * Add property for toggling the to the previous NuGet resolver: RestoreUseLegacyDependencyResolver - [#13700](https://github.com/NuGet/Home/issues/13700)
