News

.NET 9 Addresses NuGet Vulnerabilities in Preview 6

With new dev tooling security vulnerabilities publicized regularly, Microsoft's new .NET 9 Preview 6 addresses the problem in one specific area: NuGet packages used for sharing code libraries, tools and other assets in the .NET ecosystem.

NuGet vulnerabilities, or CVEs, are tracked here, and Microsoft has for years published mitigation guidance like "How to Scan NuGet Packages for Security Vulnerabilities."

The problems persist, however, and Microsoft is attacking them on many fronts, including dev tooling minutiae like NuGetAudit now raises warnings for vulnerabilities in transitive dependencies, an SDK update included in .NET 9 Preview 6, just released today (July 9).

"NuGetAudit, first added in .NET 8, provides warnings during restore if any packages used by your project have known vulnerabilities," Microsoft explained. "It requires a package source that provides a vulnerability database, so in practice you need to use https://api.nuget.org/v3/index.json as a package source, and we have plans to allow auditing without nuget.org as a package source. For more information on NuGet Audit, including all configuration options, see the documentation on NuGet Audit."

In the .NET 9 SDK in Preview 6, the default behavior of NuGetAudit has changed. Previously, only direct package references were reported by default (<NuGetAuditMode>direct</NuGetAuditMode>). Now the default is warnings on both direct and transitive packages (<NuGetAuditMode>all</NuGetAuditMode>) with known vulnerabilities.

The preview doesn't include much new major functionality or features, as Microsoft is nearing the final stages of .NET 9 development, which is scheduled for general availability in November.

The company publishes associated GitHub discussions about .NET 9 previews, with new ones including:

For those with an inclination to dig into the nitty-gritty details, more Microsoft guidance can be found in the release notes for different properties including:

The main dev effort can be tracked in What's new in .NET 9, last updated June 11. The company says it has a special focus on cloud-native apps and performance.

About the Author

David Ramel is an editor and writer at Converge 360.

comments powered by Disqus

Featured

  • VS Code Copilot Previews New GPT-4o AI Code Completion Model

    The 4o upgrade includes additional training on more than 275,000 high-quality public repositories in over 30 popular programming languages, said Microsoft-owned GitHub, which created the original "AI pair programmer" years ago.

  • Microsoft's Rust Embrace Continues with Azure SDK Beta

    "Rust's strong type system and ownership model help prevent common programming errors such as null pointer dereferencing and buffer overflows, leading to more secure and stable code."

  • Xcode IDE from Microsoft Archrival Apple Gets Copilot AI

    Just after expanding the reach of its Copilot AI coding assistant to the open-source Eclipse IDE, Microsoft showcased how it's going even further, providing details about a preview version for the Xcode IDE from archrival Apple.

  • Introduction to .NET Aspire

    Two Microsoft experts will present on the cloud-native application stack designed to simplify the development of distributed systems in .NET at the Visual Studio Live! developer conference coming to Las Vegas next month.

  • Microsoft Previews Copilot AI for Open-Source Eclipse IDE

    Catering to Java jockeys, Microsoft is yet again expanding the sprawling reach of its Copilot-branded AI assistants, previewing a coding tool for the open-source Eclipse IDE.

Most   Popular

Subscribe on YouTube

Upcoming Training Events

0 AM