diff --git a/docs/core/compatibility/10.0.md b/docs/core/compatibility/10.0.md index e9ac7d2247509..3fdffca93ff48 100644 --- a/docs/core/compatibility/10.0.md +++ b/docs/core/compatibility/10.0.md @@ -56,14 +56,15 @@ If you're migrating an app to .NET 10, the breaking changes listed here might af ## SDK and MSBuild -| Title | Type of change | Introduced version | -|----------------------------------------------------------------------------------------------------------------------|---------------------|--------------------| -| [.NET CLI `--interactive` defaults to `true` in user scenarios](sdk/10.0/dotnet-cli-interactive.md) | Behavioral change | Preview 3 | -| [Default workload configuration from 'loose manifests' to 'workload sets' mode](sdk/10.0/default-workload-config.md) | Behavioral change | Preview 2 | -| [`dotnet restore` audits transitive packages](sdk/10.0/nugetaudit-transitive-packages.md) | Behavioral change | Preview 3 | -| [MSBUILDCUSTOMBUILDEVENTWARNING escape hatch removed](sdk/10.0/custom-build-event-warning.md) | Behavioral change | Preview 1 | -| [MSBuild custom culture resource handling](sdk/10.0/msbuild-custom-culture.md) | Behavioral change | Preview 1 | -| [NU1510 is raised for direct references pruned by NuGet](sdk/10.0/nu1510-pruned-references.md) | Source incompatible | Preview 1 | +| Title | Type of change | Introduced version | +|------------------------------------------------------------------------------------------------------------------------------|---------------------------------------|--------------------| +| [.NET CLI `--interactive` defaults to `true` in user scenarios](sdk/10.0/dotnet-cli-interactive.md) | Behavioral change | Preview 3 | +| [Default workload configuration from 'loose manifests' to 'workload sets' mode](sdk/10.0/default-workload-config.md) | Behavioral change | Preview 2 | +| [`dotnet restore` audits transitive packages](sdk/10.0/nugetaudit-transitive-packages.md) | Behavioral change | Preview 3 | +| [MSBUILDCUSTOMBUILDEVENTWARNING escape hatch removed](sdk/10.0/custom-build-event-warning.md) | Behavioral change | Preview 1 | +| [MSBuild custom culture resource handling](sdk/10.0/msbuild-custom-culture.md) | Behavioral change | Preview 1 | +| [NU1510 is raised for direct references pruned by NuGet](sdk/10.0/nu1510-pruned-references.md) | Source incompatible | Preview 1 | +| [HTTP warnings promoted to errors in `dotnet package list` and `dotnet package search`](sdk/10.0/http-warnings-to-errors.md) | Behavioral/source incompatible change | Preview 4 | ## Windows Forms diff --git a/docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md b/docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md new file mode 100644 index 0000000000000..2878a7d0042d1 --- /dev/null +++ b/docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md @@ -0,0 +1,52 @@ +--- +title: "Breaking change - HTTP warnings promoted to errors in dotnet package list and dotnet package search" +description: "Learn about the breaking change in .NET 10 Preview 4 where HTTP warnings are promoted to errors in dotnet package operations." +ms.date: 5/9/2025 +ai-usage: ai-assisted +ms.custom: https://github.com/dotnet/docs/issues/45985 +--- + +# HTTP warnings promoted to errors in `dotnet package list` and `dotnet package search` + +Starting in .NET 10 Preview 4, HTTP warnings generated by `dotnet package list`, `dotnet package search`, and related APIs are now treated as errors by default. + +## Version introduced + +.NET 10 Preview 4 + +## Previous behavior + +Previously, when using HTTP sources, the tools displayed a warning, such as: + +```output +You are running the 'list package' operation with an 'HTTP' source, 'http://api.source/index.json'. Non-HTTPS access will be removed in a future version. Consider migrating to an 'HTTPS' source. +``` + +The operation continued without interruption. + +## New behavior + +The tools now treat HTTP sources as errors by default. To allow HTTP sources, explicitly set `allowInsecureConnections="true"` in *nuget.config*. + +## Type of breaking change + +This is a [behavioral change](../../categories.md#behavioral-change). + +## Reason for change + +This change improves security by blocking insecure HTTP sources by default. It aligns with secure-by-default practices to protect users from potential vulnerabilities. + +## Recommended action + +Migrate to HTTPS sources to avoid the error. To continue using HTTP sources, update your *nuget.config* file to include the following setting: + +```xml + +``` + +## Affected APIs + +- `dotnet package list` +- `dotnet package search` +- `NuGet.Protocol.Core.Types.PackageUpdateResource.PushAsync` +- `NuGet.Protocol.Core.Types.PackageUpdateResource.Delete` diff --git a/docs/core/compatibility/toc.yml b/docs/core/compatibility/toc.yml index 9a68a1eeca6c4..4f00c776c43b1 100644 --- a/docs/core/compatibility/toc.yml +++ b/docs/core/compatibility/toc.yml @@ -60,6 +60,8 @@ items: href: sdk/10.0/msbuild-custom-culture.md - name: NU1510 is raised for direct references pruned by NuGet href: sdk/10.0/nu1510-pruned-references.md + - name: HTTP warnings promoted to errors in 'dotnet package list' and 'dotnet package search' + href: sdk/10.0/http-warnings-to-errors.md - name: Windows Forms items: - name: API obsoletions @@ -1944,6 +1946,8 @@ items: href: sdk/10.0/msbuild-custom-culture.md - name: NU1510 is raised for direct references pruned by NuGet href: sdk/10.0/nu1510-pruned-references.md + - name: HTTP warnings promoted to errors in dotnet package list and dotnet package search + href: sdk/10.0/http-warnings-to-errors.md - name: .NET 9 items: - name: "`dotnet sln add` doesn't allow invalid file names"