NuGet.json
1 lines (1 loc) · 13.8 KB
{"Data":{"Blog":{"FeedItems":[{"Title":"OpenSSF Scorecard for .NET and the NuGet ecosystem","PublishedOn":"2024-11-04T17:07:24+00:00","CommentsCount":0,"FacebookCount":0,"Summary":"OpenSSF Scorecard is a tool developed by the Open Source Security Foundation (OpenSSF) that provides automated security assessments for open-source projects. The primary goal of the Scorecard project...","Href":"https://devblogs.microsoft.com/nuget/openssf-scorecard-for-net-nuget/","RawContent":null},{"Title":"NuGetAudit 2.0: Elevating Security and Trust in Package Management","PublishedOn":"2024-07-17T19:37:50+00:00","CommentsCount":11,"FacebookCount":0,"Summary":"Introduction In November 2023 (NuGet 6.8, Visual Studio 17.8, .NET SDK 8.0.100), we released NuGet Audit. NuGet Audit provides warnings during restore when a package with a known vulnerability is used...","Href":"https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/","RawContent":null},{"Title":"Building a Safer Future – How NuGet is Tackling Software Supply Chain Threats","PublishedOn":"2024-07-16T18:40:14+00:00","CommentsCount":0,"FacebookCount":0,"Summary":"Despite significant technological progress in addressing complex security threats, the key to preventing the next attack lies in adhering to fundamental security principles. It’s essential to...","Href":"https://devblogs.microsoft.com/nuget/building-a-safer-future-how-nuget-is-tackling-software-supply-chain-threats/","RawContent":null},{"Title":"Dark Mode Now Available on NuGet.org","PublishedOn":"2024-07-11T13:08:54+00:00","CommentsCount":6,"FacebookCount":0,"Summary":"We won’t keep you “in the dark” about this any longer… Dark Mode for NuGet.org is finally here! Your feedback has been invaluable in making this happen. 
We know that eye strain is a significant...","Href":"https://devblogs.microsoft.com/nuget/dark-mode-now-available-on-nuget-org/","RawContent":null},{"Title":"Announcing NuGet 6.10","PublishedOn":"2024-05-21T18:28:09+00:00","CommentsCount":8,"FacebookCount":0,"Summary":"NuGet 6.10 is included in Visual Studio 2022 and .NET 8.0 out of the box. You can also download NuGet 6.10 for Windows, macOS, and Linux as a standalone executable. In NuGet 6.10, we introduce some...","Href":"https://devblogs.microsoft.com/nuget/announcing-nuget-6-10/","RawContent":null},{"Title":"Announcing NuGet Commands in C# Dev Kit","PublishedOn":"2024-05-14T19:25:17+00:00","CommentsCount":6,"FacebookCount":0,"Summary":"With the April release of C# Dev Kit, you can now manage your NuGet packages directly from Visual Studio Code using the new commands in the command palette. To add a NuGet package to your project, use...","Href":"https://devblogs.microsoft.com/nuget/announcing-nuget-commands-in-c-dev-kit/","RawContent":null},{"Title":"The NuGet.org repository signing certificate will be updated as soon as April 8th, 2024","PublishedOn":"2024-03-14T02:04:17+00:00","CommentsCount":0,"FacebookCount":0,"Summary":"Action required: If you validate that packages are repository signed by NuGet.org using a NuGet client policy, NuGet.exe verify command, or the dotnet nuget verify command, please follow these steps...","Href":"https://devblogs.microsoft.com/nuget/the-nuget-org-repository-signing-certificate-will-be-updated-as-soon-as-april-8th-2024/","RawContent":null},{"Title":"Refining Your Search: Introducing NuGet.org’s Compatible Framework Filters","PublishedOn":"2024-03-12T20:05:53+00:00","CommentsCount":1,"FacebookCount":0,"Summary":"Last year, we introduced search by target frameworks on NuGet.org, allowing you to filter your search results based on the framework(s) that a package targets. 
We received plenty of great feedback...","Href":"https://devblogs.microsoft.com/nuget/refining-your-search-introducing-nuget-orgs-compatible-framework-filters/","RawContent":null},{"Title":"Announcing NuGet 6.9","PublishedOn":"2024-02-14T00:33:14+00:00","CommentsCount":5,"FacebookCount":0,"Summary":"NuGet 6.9 is included in Visual Studio 2022 and .NET 8.0 out of the box. You can also download NuGet 6.9 for Windows, macOS, and Linux as a standalone executable. In NuGet 6.9, we introduce some...","Href":"https://devblogs.microsoft.com/nuget/announcing-nuget-6-9/","RawContent":null},{"Title":"Introducing NuGetSolver: A Powerful Tool for Resolving NuGet Dependency Conflicts in Visual Studio","PublishedOn":"2024-01-16T18:54:55+00:00","CommentsCount":14,"FacebookCount":0,"Summary":"Managing dependencies on complex projects can be overwhelming. Developers often grapple with numerous direct and transitive dependencies across multiple projects. When different projects share...","Href":"https://devblogs.microsoft.com/nuget/introducing-nugetsolver-a-powerful-tool-for-resolving-nuget-dependency-conflicts-in-visual-studio/","RawContent":null}],"ResultType":"Feed"},"Gallery":{"Events":[{"Id":"45251307343","Type":"PullRequestEvent","CreatedAt":"2025-01-04T01:08:59","Actor":"mariaghiondea","Repository":"NuGet/NuGetGallery","Organization":"NuGet","RawContent":null,"RelatedAction":"merged","RelatedUrl":"https://github.com/NuGet/NuGetGallery/pull/10311","RelatedDescription":"Merged pull request \"Change references of “az416426.vo.msecndnet” to “js.monitor.azure.com”\" (#10311) at NuGet/NuGetGallery","RelatedBody":"Needed for CDN update. 
See https://github.com/microsoft/ApplicationInsights-JS/issues/2457 for full details."},{"Id":"45251306676","Type":"PullRequestEvent","CreatedAt":"2025-01-04T01:08:54","Actor":"mariaghiondea","Repository":"NuGet/NuGetGallery","Organization":"NuGet","RawContent":null,"RelatedAction":"merged","RelatedUrl":"https://github.com/NuGet/NuGetGallery/pull/10312","RelatedDescription":"Merged pull request \"Change references of “az416426.vo.msecndnet” to “js.monitor.azure.com”\" (#10312) at NuGet/NuGetGallery","RelatedBody":"Needed for CDN update. See microsoft/ApplicationInsights-JS#2457 for full details."},{"Id":"45250751444","Type":"PullRequestEvent","CreatedAt":"2025-01-04T00:18:45","Actor":"mariaghiondea","Repository":"NuGet/NuGetGallery","Organization":"NuGet","RawContent":null,"RelatedAction":"opened","RelatedUrl":"https://github.com/NuGet/NuGetGallery/pull/10312","RelatedDescription":"Opened pull request \"Change references of “az416426.vo.msecndnet” to “js.monitor.azure.com”\" (#10312) at NuGet/NuGetGallery","RelatedBody":"Needed for CDN update. See microsoft/ApplicationInsights-JS#2457 for full details."},{"Id":"45250691574","Type":"PullRequestEvent","CreatedAt":"2025-01-04T00:12:58","Actor":"mariaghiondea","Repository":"NuGet/NuGetGallery","Organization":"NuGet","RawContent":null,"RelatedAction":"opened","RelatedUrl":"https://github.com/NuGet/NuGetGallery/pull/10311","RelatedDescription":"Opened pull request \"Change references of “az416426.vo.msecndnet” to “js.monitor.azure.com”\" (#10311) at NuGet/NuGetGallery","RelatedBody":"Needed for CDN update. 
See https://github.com/microsoft/ApplicationInsights-JS/issues/2457 for full details."},{"Id":"45048806735","Type":"PullRequestEvent","CreatedAt":"2024-12-24T00:26:39","Actor":"joelverhagen","Repository":"NuGet/NuGetGallery","Organization":"NuGet","RawContent":null,"RelatedAction":"merged","RelatedUrl":"https://github.com/NuGet/NuGetGallery/pull/10306","RelatedDescription":"Merged pull request \"[OIDC 16] Add IFederatedCredentialValidator for additional token validation\" (#10306) at NuGet/NuGetGallery","RelatedBody":"Progress on https://github.com/NuGet/NuGetGallery/issues/10212.\r\nDepends on https://github.com/NuGet/NuGetGallery/pull/10305.\r\n\r\nThis adds a new abstraction called `IFederatedCredentialValidator` which allows us to inject custom token validation code (i.e. closed source, \"shim\" code) into the token validation pipeline.\r\n\r\n0 or more `IFederatedCredentialValidator` implementations can be used by the policy evaluator to perform additional validations on bearer tokens. These additional implementations come from the `add-ins` directory via MEF, much like existing shims.\r\n\r\nThe flow of validation BEFORE the change is like this:\r\n1. Parse the JWT\r\n2. Identify the issuer\r\n3. Perform an OSS issuer-specific validation, such as [`EntraIdTokenValidator`](https://github.com/NuGet/NuGetGallery/blob/7c81548db51ed543ff8f6558c1306571a6bb368a/src/NuGetGallery.Services/Authentication/Federated/EntraIdTokenValidator.cs)\r\n4. If the issuer says the token is good, then compare it to the given list of trust policies.\r\n\r\nThis PR adds a new step between 3 and 4 where the request headers (in particular the `Authorization` header) is passed to each `IFederatedCredentialValidator` to get additional token validation results. If either the built-in token validation or any additional `IFederatedCredentialValidator` says the token is bad, it will be rejected. \r\n\r\nWe pass all request headers, the detected issuer type (e.g. Entra ID vs. 
GitHub Actions), and _unvalidated_ claims to the `IFederatedCredentialValidator`. This essentially provides all the context we have to the shim at the time so it can make the most informed decision.\r\n\r\nAt no point will as \"valid\" result from an `IFederatedCredentialValidator` override a \"bad\" result from the built-in token validation. In other words, if there is an inconsistency between various validation flows, we fail close and reject the token. We will log a warning if any of the validators disagree on valid vs. invalid.\r\n\r\nA `IFederatedCredentialValidator` can return `NotApplicable` if the validator is only meant for a specific issuer. For example, `IFederatedCredentialValidator` might only know how to validate GitHub Actions tokens, not Entra ID tokens. The GitHub Actions example is for the future of course. Right now, the only supported issuer is Entra ID.\r\n\r\nI chose to plumb the request headers in from the service layer (and eventually from the controller action) instead of using the current `HttpContext` so that the flow of data was clearer. 
I would have preferred to only provide the bearer token to `IFederatedCredentialValidator` instead of all headers, but our internal token validation library expects all request headers, not just the bearer token.\r\n\r\nOur internal token validation shim uses a newer version of Microsoft.Extensions.Caching.Memory so I had to bump up the version to avoid runtime issues."},{"Id":"45042422735","Type":"PullRequestEvent","CreatedAt":"2024-12-23T17:48:21","Actor":"joelverhagen","Repository":"NuGet/NuGetGallery","Organization":"NuGet","RawContent":null,"RelatedAction":"merged","RelatedUrl":"https://github.com/NuGet/NuGetGallery/pull/10305","RelatedDescription":"Merged pull request \"[OIDC 15] Emit audit records during token exchange and policy admin\" (#10305) at NuGet/NuGetGallery","RelatedBody":"Progress on https://github.com/NuGet/NuGetGallery/issues/10212.\r\nDepends on https://github.com/NuGet/NuGetGallery/pull/10304.\r\n\r\nThis builds on a previous PR to actually emit new audit records from various \"write\" flows used in the OIDC feature. Most notibly, this provides an audit trail for admin actions on trust policies and an audit trail for token exchange.\r\n\r\nThe description of the audit entries in https://github.com/NuGet/NuGetGallery/pull/10291. This PR needs to come after our internal auditing library is updated to handle the new audit record shape. 
I have a PR opened for that but I won't link to it here since it is an internal repo."}],"ResultType":"GitHubEvent"},"Home":{"Events":[{"Id":"45248113316","Type":"IssuesEvent","CreatedAt":"2025-01-03T21:12:37","Actor":"jgonz120","Repository":"NuGet/Home","Organization":"NuGet","RawContent":null,"RelatedAction":"opened","RelatedUrl":"https://github.com/NuGet/Home/issues/14027","RelatedDescription":"Opened issue \"MEF Performance Improvement\" (#14027) at NuGet/Home","RelatedBody":"### NuGet Product(s) Affected\n\nVisual Studio Package Management UI\n\n### Current Behavior\n\nCurrently when opening the PM UI NuGet loads MEF objects which can cause a significant delay in displaying the window.\n\n### Desired Behavior\n\nWhen users go to open the PM UI we should immediately open the window and give a loading indication while the view is initialized.\n\n### Additional Context\n\nhttps://github.com/NuGet/NuGet.Client/pull/6190#discussion_r1891211636"},{"Id":"45231514218","Type":"IssuesEvent","CreatedAt":"2025-01-03T09:06:13","Actor":"microsoft-github-policy-service[bot]","Repository":"NuGet/Home","Organization":"NuGet","RawContent":null,"RelatedAction":"closed","RelatedUrl":"https://github.com/NuGet/Home/issues/13967","RelatedDescription":"Closed issue \"Issues with several nuget package but others work fine\" (#13967) at NuGet/Home","RelatedBody":"### NuGet Product Used\n\nNuGet.exe\n\n### Product Version\n\n6.5.0.154\n\n### Worked before?\n\nversion did not change\n\n### Impact\n\nIt's more difficult to complete my work\n\n### Repro Steps & Context\n\nThere seems to be a misleading error, and I can't figure out why my pushes are failing for some nuget packages.. when using the UI, it works, but not through the command line.. however, same API key works for other nuget packages.\r\n\r\nI created a new API key with * as glob pattern but still does not work. Besides, as mentioned, some packages did upload ok. The packages I'm uploading seems to be new (e.g. 
not just a new version).\n\n### Verbose Logs\n\n```shell\nnuget.exe push C:\\FTemp\\nuget\\package\\Atalasoft.dotImage.PdfReader.Multiprocessing.x86.11.5.0.4216.nupkg -Source https://www.nuget.org -Verbosity detailed\r\nPushing Atalasoft.dotImage.PdfReader.Multiprocessing.x86.11.5.0.4216.nupkg to the NuGet gallery (https://www.nuget.org)...\r\n PUT https://www.nuget.org/api/v2/package/\r\n Forbidden https://www.nuget.org/api/v2/package/ 472ms\r\nResponse status code does not indicate success: 403 (The specified API key is invalid, has expired, or does not have permission to access the specified package.).\n```\n"}],"ResultType":"GitHubEvent"},"Announcements":{"Events":[],"ResultType":"GitHubEvent"}},"RunOn":"2025-01-06T03:30:21.238159Z","RunDurationInMilliseconds":1003}
