Add NuGet package ID validation breaking change documentation for .NET 10 RC 1

Co-authored-by: gewarren <[email protected]>

Author: Copilot

docs/core/compatibility/10.0.md

@@ -118,6 +118,7 @@ If you're migrating an app to .NET 10, the breaking changes listed here might af
 | [PrunePackageReference privatizes direct prunable references](sdk/10.0/prune-packagereference-privateassets.md) | Behavioral change | Preview 7 |
 | [HTTP warnings promoted to errors in `dotnet package list` and `dotnet package search`](sdk/10.0/http-warnings-to-errors.md) | Behavioral/source incompatible change | Preview 4 |
 | [NUGET_ENABLE_ENHANCED_HTTP_RETRY environment variable removed](sdk/10.0/nuget-enhanced-http-retry-removed.md) | Behavioral change | Preview 6 |
+| [NuGet logs an error for invalid package IDs](sdk/10.0/nuget-packageid-validation.md) | Behavioral change | RC 1 |
 
 ## Windows Forms
 

docs/core/compatibility/sdk/10.0/nuget-packageid-validation.md

@@ -0,0 +1,38 @@
+---
+title: "Breaking change: NuGet logs an error for invalid package IDs"
+description: "Learn about the breaking change in .NET 10 where NuGet validates package IDs when constructing URLs and throws exceptions for invalid formats."
+ms.date: 01/06/2025
+ai-usage: ai-assisted
+ms.custom: https://github.com/dotnet/docs/issues/47984
+---
+# NuGet logs an error for invalid package IDs
+
+NuGet now validates package IDs when they're used to create URLs in .NET 10. If a package ID isn't in the correct format, NuGet shows an error instead of continuing. This ensures only valid package IDs are used when constructing URLs.
+
+## Version introduced
+
+.NET 10 RC 1
+
+## Previous behavior
+
+Previously, NuGet resources that constructed URLs from package IDs did not validate the package ID format. Invalid or malformed package IDs could be used without triggering validation errors.
+
+## New behavior
+
+With the new change, any package ID used to construct a URL via NuGet resources is now validated. If the package ID does not conform to NuGet's expected format, an exception is thrown, and the URL is not constructed.
+
+## Type of breaking change
+
+This is a [behavioral change](../../categories.md#behavioral-change).
+
+## Reason for change
+
+This change introduces validation to ensure that only properly formatted package IDs are used when constructing URLs. The validation strengthens the code's security posture by reducing the risk of unsafe or unintended inputs being processed.
+
+## Recommended action
+
+If you need to bypass the new validation, you can set the environment variable `NUGET_DISABLE_PACKAGEID_VALIDATION` to `true` in your environment. This will disable the package ID validation logic and restore the previous behavior.
+
+## Affected APIs
+
+None.

docs/core/compatibility/toc.yml

@@ -138,6 +138,8 @@ items:
                 href: sdk/10.0/http-warnings-to-errors.md
               - name: NUGET_ENABLE_ENHANCED_HTTP_RETRY environment variable removed
                 href: sdk/10.0/nuget-enhanced-http-retry-removed.md
+              - name: NuGet logs an error for invalid package IDs
+                href: sdk/10.0/nuget-packageid-validation.md
           - name: Windows Forms
             items:
               - name: API obsoletions