Say what version of NuGet auditSources is available in config reference (#3334)

zivkan · web-flow · commit c8cb9d9cee60 · 2024-08-22T17:40:29.000+09:30
diff --git a/docs/concepts/Auditing-Packages.md b/docs/concepts/Auditing-Packages.md
@@ -22,11 +22,11 @@ We also have a [blog post](https://devblogs.microsoft.com/nuget/nugetaudit-2-0-e
 
 | NuGet | .NET SDK | Visual Studio | Feature |
 |-------|----------|---------------|---------|
-| 5.9 | .NET 5 SDK (5.0.200) | N/A | [`dotnet list package --vulnerable`](#dotnet-list-package---vulnerable) |
-| 6.8 | .NET 8 SDK (8.0.100) | Visual Studio 2022 17.8 | [NuGetAudit](#running-a-security-audit-with-restore) for PackageReference |
-| 6.10 | N/A | Visual Studio 2022 17.10 | [NuGetAudit](#running-a-security-audit-with-restore) for packages.config|
-| 6.11 | .NET 8 SDK (8.0.400) | Visual Studio 2022 17.11 | [NuGetAuditSuppress](#excluding-advisories) for PackageReference |
-| 6.12 | .NET 9 SDK (9.0.100) | Visual Studio 2022 17.12 | [Audit sources](#audit-sources). [NuGetAuditSuppress](#excluding-advisories) for packages.config. |
+| [5.9](../release-notes/NuGet-5.9.md) | .NET 5 SDK (5.0.200) | N/A | [`dotnet list package --vulnerable`](#dotnet-list-package---vulnerable) |
+| [6.8](../release-notes/NuGet-6.8.md) | .NET 8 SDK (8.0.100) | Visual Studio 2022 17.8 | [NuGetAudit](#running-a-security-audit-with-restore) for PackageReference |
+| [6.10](../release-notes/NuGet-6.10.md) | N/A | Visual Studio 2022 17.10 | [NuGetAudit](#running-a-security-audit-with-restore) for packages.config|
+| [6.11](../release-notes/NuGet-6.11.md) | .NET 8 SDK (8.0.400) | Visual Studio 2022 17.11 | [NuGetAuditSuppress](#excluding-advisories) for PackageReference |
+| [6.12](../release-notes/NuGet-6.12.md) | .NET 9 SDK (9.0.100) | Visual Studio 2022 17.12 | [Audit sources](#audit-sources). [NuGetAuditSuppress](#excluding-advisories) for packages.config. |
 
 ## Running a security audit with `restore`
 
@@ -48,7 +48,7 @@ We recommend that audit is configured at a repository level.
 | NuGetAuditLevel | low | `low`, `moderate`, `high`, and `critical` | The minimum severity level to report. If you'd like to see `moderate`, `high`, and `critical` advisories (exclude `low`), set the value to `moderate` |
 | NuGetAudit | true | `true` and `false` | If you wish to not receive security audit reports, you can opt-out of the experience entirely by setting the value to `false` |
 
-(1) NuGetAuditMode defaulted to `direct` when it was introduced in the .NET 8.0.100 SDK and VS 17.8. In .NET 9.0.100 SDK and VS 17.12 the default changed to `all`.
+(1) NuGetAuditMode defaulted to `direct` when it was introduced in [the .NET 8.0.100 SDK and VS 17.8](../release-notes/NuGet-6.8.md). In [.NET 9.0.100 SDK and VS 17.12](../release-notes/NuGet-6.12.md) the default changed to `all`.
 
 #### Audit Sources
 
@@ -70,7 +70,7 @@ Note that the [V2 protocol is deprecated](../nuget-org/overview-nuget-org.md#api
 </configuration>
 ```
 
-Audit sources are available from NuGet 6.12, .NET 9.0.100 SDK, and Visual Studio 2022 17.12.
+Audit sources are available from [NuGet 6.12, .NET 9.0.100 SDK, and Visual Studio 2022 17.12](../release-notes/NuGet-6.12.md).
 Prior to this version, NuGet Audit will only use package sources to download vulnerability information.
 Audit sources are not used by `dotnet list package --vulnerable` at this time.
 
@@ -87,8 +87,8 @@ Define a `NuGetAuditSuppress` item with the `Include=` metadata set to the advis
 
 Similar to the other NuGet audit configuration properties, `NuGetAuditSuppress` items can be defined at the project or repository level.
 
-`NuGetAuditSuppress` is available for PackageReference projects starting from NuGet 6.11, Visual Studio 17.11, and the .NET 8.0.400 SDK.
-It is available for packages.config with Visual Studio 17.12 and NuGet 6.12.
+`NuGetAuditSuppress` is available for PackageReference projects starting from [NuGet 6.11, Visual Studio 17.11, and the .NET 8.0.400 SDK](../release-notes/NuGet-6.11.md).
+It is available for packages.config from [Visual Studio 17.12 and NuGet 6.12](../release-notes/NuGet-6.12.md).
 
 ### Warning codes
 
diff --git a/docs/reference/errors-and-warnings/NU1901-NU1904.md b/docs/reference/errors-and-warnings/NU1901-NU1904.md
@@ -47,7 +47,7 @@ For example, `<NuGetAuditLevel>high</NuGetAuditLevel>`.
 
 If you would like to suppress a specific advisory, add an MSBuild [NuGetAuditSuppress](../../concepts/Auditing-Packages.md#excluding-advisories) item.
 For example `<NuGetAuditSuppress Include="https://github.com/advisories/GHSA-g3q9-xf95-8hp5" />`.
-`NuGetAuditSuppress` is available from VS 17.11 and .NET 8.0.400 SDK for projects using `PackageReference`, and from VS 17.12 for projects using `packages.config`.
+`NuGetAuditSuppress` is available from [VS 17.11 and .NET 8.0.400 SDK](../../release-notes/NuGet-6.11.md) for projects using `PackageReference`, and from [VS 17.12](../../release-notes/NuGet-6.12.md) for projects using `packages.config`.
 
 If you do not want NuGet to check for packages with known vulnerabilities during restore, add `<NuGetAudit>false</NuGetAudit>` inside a `<PropertyGroup>` in your project file, or a [`Directory.Build.props` file](/visualstudio/msbuild/customize-by-directory).
 If you would like to run NuGet Audit on developer machines, but disable it on CI pipelines, you can take advantage of MSBuild importing environment variables, and create a NuGetAudit environment variable set to `false` in your pipeline definition.
diff --git a/docs/reference/nuget-config-file.md b/docs/reference/nuget-config-file.md
@@ -147,6 +147,7 @@ Lists all known package sources. The order is ignored during restore operations
 
 Lists all known audit sources, which [NuGet Audit](../concepts/Auditing-Packages.md#running-a-security-audit-with-restore) will use during restore.
 If no audit sources are provided, restore will use package sources and suppress [NU1905](../reference/errors-and-warnings/NU1905.md).
+`auditSources` was added to [NuGet 6.12](../release-notes/NuGet-6.12.md).
 
 Audit sources support the same attributes as `packageSources` (`protocolVersion`, `allowInsecureConnections`), and sources that require authentication are configured with `packageSourceCredentials`, the same way as `packageSources`.
 
diff --git a/docs/release-notes/NuGet-6.12.md b/docs/release-notes/NuGet-6.12.md
@@ -0,0 +1,22 @@
+---
+title: NuGet 6.12 Release Notes
+description: Release notes for NuGet 6.12 including new features, bug fixes, and DCRs.
+author: zivkan
+ms.date: 8/19/2024
+ms.topic: conceptual
+---
+# NuGet 6.12 Release Notes
+
+<!-- This is intentionally not yet added to TOC.md. When release notes are added for the GA release, add this file to TOC.md -->
+
+NuGet distribution vehicles:
+
+| NuGet version | Available in Visual Studio version | Available in .NET SDK(s) |
+|:---|:---|:---|
+| [**6.12**](https://nuget.org/downloads) | [Visual Studio 2022 version 17.12](https://visualstudio.microsoft.com/downloads/) | [9.0.1xx](https://dotnet.microsoft.com/download/dotnet/9.0)<sup>1</sup> |
+
+<sup>1</sup> Installed with Visual Studio 2022 with any .NET workload
+
+## Not yet released
+
+This version of NuGet is in preview and these release notes will be updated when it is released.
