From c40bbe34c5456be2a2a3181da030def0494da708 Mon Sep 17 00:00:00 2001 From: Cam Date: Fri, 9 May 2025 23:52:24 +0000 Subject: [PATCH 1/8] [Breaking change]: Promote HTTP Warnings to Errors in dotnet package list and dotnet package search Fixes #45985 --- docs/core/compatibility/10.0.md | 17 +++--- .../sdk/10.0/http-warnings-to-errors.md | 52 +++++++++++++++++++ docs/core/compatibility/toc.yml | 4 ++ 3 files changed, 65 insertions(+), 8 deletions(-) create mode 100644 docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md diff --git a/docs/core/compatibility/10.0.md b/docs/core/compatibility/10.0.md index e9ac7d2247509..fb645d4223bfc 100644 --- a/docs/core/compatibility/10.0.md +++ b/docs/core/compatibility/10.0.md @@ -56,14 +56,15 @@ If you're migrating an app to .NET 10, the breaking changes listed here might af ## SDK and MSBuild -| Title | Type of change | Introduced version | -|----------------------------------------------------------------------------------------------------------------------|---------------------|--------------------| -| [.NET CLI `--interactive` defaults to `true` in user scenarios](sdk/10.0/dotnet-cli-interactive.md) | Behavioral change | Preview 3 | -| [Default workload configuration from 'loose manifests' to 'workload sets' mode](sdk/10.0/default-workload-config.md) | Behavioral change | Preview 2 | -| [`dotnet restore` audits transitive packages](sdk/10.0/nugetaudit-transitive-packages.md) | Behavioral change | Preview 3 | -| [MSBUILDCUSTOMBUILDEVENTWARNING escape hatch removed](sdk/10.0/custom-build-event-warning.md) | Behavioral change | Preview 1 | -| [MSBuild custom culture resource handling](sdk/10.0/msbuild-custom-culture.md) | Behavioral change | Preview 1 | -| [NU1510 is raised for direct references pruned by NuGet](sdk/10.0/nu1510-pruned-references.md) | Source incompatible | Preview 1 | +| Title | Type of change | Introduced version | +|--------------------------------------------------------------------------------------------------------------------------|---------------------|--------------------| +| [.NET CLI `--interactive` defaults to `true` in user scenarios](sdk/10.0/dotnet-cli-interactive.md) | Behavioral change | Preview 3 | +| [Default workload configuration from 'loose manifests' to 'workload sets' mode](sdk/10.0/default-workload-config.md) | Behavioral change | Preview 2 | +| [`dotnet restore` audits transitive packages](sdk/10.0/nugetaudit-transitive-packages.md) | Behavioral change | Preview 3 | +| [MSBUILDCUSTOMBUILDEVENTWARNING escape hatch removed](sdk/10.0/custom-build-event-warning.md) | Behavioral change | Preview 1 | +| [MSBuild custom culture resource handling](sdk/10.0/msbuild-custom-culture.md) | Behavioral change | Preview 1 | +| [NU1510 is raised for direct references pruned by NuGet](sdk/10.0/nu1510-pruned-references.md) | Source incompatible | Preview 1 | +| [HTTP warnings promoted to errors in dotnet package list and dotnet package search](sdk/10.0/http-warnings-to-errors.md) | Behavioral change | Preview 4 | ## Windows Forms diff --git a/docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md b/docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md new file mode 100644 index 0000000000000..d1588ce7b0ed4 --- /dev/null +++ b/docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md @@ -0,0 +1,52 @@ +--- +title: "Breaking change - HTTP warnings promoted to errors in dotnet package list and dotnet package search" +description: "Learn about the breaking change in .NET 10 Preview 4 where HTTP warnings are promoted to errors in dotnet package operations." +ms.date: 5/9/2025 +ai-usage: ai-assisted +ms.custom: https://github.com/dotnet/docs/issues/45985 +--- + +# HTTP warnings promoted to errors in dotnet package list and dotnet package search + +Starting in .NET 10 Preview 4, HTTP warnings generated by `dotnet package list`, `dotnet package search`, and related APIs are now treated as errors by default. + +## Version introduced + +.NET 10 Preview 4 + +## Previous behavior + +Previously, when using HTTP sources, the tools displayed a warning, such as: + +```output +You are running the 'list package' operation with an 'HTTP' source, 'http://api.source/index.json'. Non-HTTPS access will be removed in a future version. Consider migrating to an 'HTTPS' source. +``` + +The operation continued without interruption. + +## New behavior + +The tools now treat HTTP sources as errors by default. To allow HTTP sources, explicitly set `allowInsecureConnections="true"` in *nuget.config*. + +## Type of breaking change + +This is a [behavioral change](../../categories.md#behavioral-change). + +## Reason for change + +This change improves security by blocking insecure HTTP sources by default. It aligns with secure-by-default practices to protect users from potential vulnerabilities. + +## Recommended action + +Migrate to HTTPS sources to avoid the error. To continue using HTTP sources, update your *nuget.config* file to include the following setting: + +```xml + +``` + +## Affected APIs + +-`dotnet package list` +- `dotnet package search` +- `NuGet.Protocol.Core.Types.PackageUpdateResource.PushAsync` +- `NuGet.Protocol.Core.Types.PackageUpdateResource.Delete` diff --git a/docs/core/compatibility/toc.yml b/docs/core/compatibility/toc.yml index 9a68a1eeca6c4..93bebe98d8da1 100644 --- a/docs/core/compatibility/toc.yml +++ b/docs/core/compatibility/toc.yml @@ -60,6 +60,8 @@ items: href: sdk/10.0/msbuild-custom-culture.md - name: NU1510 is raised for direct references pruned by NuGet href: sdk/10.0/nu1510-pruned-references.md + - name: HTTP warnings promoted to errors in dotnet package list and dotnet package search + href: sdk/10.0/http-warnings-to-errors.md - name: Windows Forms items: - name: API obsoletions @@ -1944,6 +1946,8 @@ items: href: sdk/10.0/msbuild-custom-culture.md - name: NU1510 is raised for direct references pruned by NuGet href: sdk/10.0/nu1510-pruned-references.md + - name: HTTP warnings promoted to errors in dotnet package list and dotnet package search + href: sdk/10.0/http-warnings-to-errors.md - name: .NET 9 items: - name: "`dotnet sln add` doesn't allow invalid file names" From c7f107576194c7fe334d7201bdb266f996e109c5 Mon Sep 17 00:00:00 2001 From: Cam Date: Fri, 9 May 2025 23:54:01 +0000 Subject: [PATCH 2/8] Fix formatting in HTTP warnings documentation for affected APIs section --- docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md b/docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md index d1588ce7b0ed4..baa96ea0a8916 100644 --- a/docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md +++ b/docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md @@ -46,7 +46,7 @@ Migrate to HTTPS sources to avoid the error. To continue using HTTP sources, upd ## Affected APIs --`dotnet package list` +- `dotnet package list` - `dotnet package search` - `NuGet.Protocol.Core.Types.PackageUpdateResource.PushAsync` - `NuGet.Protocol.Core.Types.PackageUpdateResource.Delete` From 9df3ccb63bc1dbc3ff034db4631f367b9c4c96aa Mon Sep 17 00:00:00 2001 From: Cam Soper Date: Mon, 12 May 2025 13:07:20 -0500 Subject: [PATCH 3/8] Update docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md Co-authored-by: Genevieve Warren <24882762+gewarren@users.noreply.github.com> --- docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md b/docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md index baa96ea0a8916..2878a7d0042d1 100644 --- a/docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md +++ b/docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md @@ -6,7 +6,7 @@ ai-usage: ai-assisted ms.custom: https://github.com/dotnet/docs/issues/45985 --- -# HTTP warnings promoted to errors in dotnet package list and dotnet package search +# HTTP warnings promoted to errors in `dotnet package list` and `dotnet package search` Starting in .NET 10 Preview 4, HTTP warnings generated by `dotnet package list`, `dotnet package search`, and related APIs are now treated as errors by default. From 80657f815e6bd3d56b23c29ade7443b60e7b9c7a Mon Sep 17 00:00:00 2001 From: Cam Soper Date: Mon, 12 May 2025 13:07:49 -0500 Subject: [PATCH 4/8] Update docs/core/compatibility/10.0.md Co-authored-by: Genevieve Warren <24882762+gewarren@users.noreply.github.com> --- docs/core/compatibility/10.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/core/compatibility/10.0.md b/docs/core/compatibility/10.0.md index fb645d4223bfc..d6e33c78c9a5e 100644 --- a/docs/core/compatibility/10.0.md +++ b/docs/core/compatibility/10.0.md @@ -64,7 +64,7 @@ If you're migrating an app to .NET 10, the breaking changes listed here might af | [MSBUILDCUSTOMBUILDEVENTWARNING escape hatch removed](sdk/10.0/custom-build-event-warning.md) | Behavioral change | Preview 1 | | [MSBuild custom culture resource handling](sdk/10.0/msbuild-custom-culture.md) | Behavioral change | Preview 1 | | [NU1510 is raised for direct references pruned by NuGet](sdk/10.0/nu1510-pruned-references.md) | Source incompatible | Preview 1 | -| [HTTP warnings promoted to errors in dotnet package list and dotnet package search](sdk/10.0/http-warnings-to-errors.md) | Behavioral change | Preview 4 | +| [HTTP warnings promoted to errors in `dotnet package list` and `dotnet package search`](sdk/10.0/http-warnings-to-errors.md) | Behavioral change | Preview 4 | ## Windows Forms From 55f4d693c4fcae21764e131e4f176dab044c9798 Mon Sep 17 00:00:00 2001 From: Cam Soper Date: Mon, 12 May 2025 13:08:02 -0500 Subject: [PATCH 5/8] Update docs/core/compatibility/toc.yml Co-authored-by: Genevieve Warren <24882762+gewarren@users.noreply.github.com> --- docs/core/compatibility/toc.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/core/compatibility/toc.yml b/docs/core/compatibility/toc.yml index 93bebe98d8da1..4f00c776c43b1 100644 --- a/docs/core/compatibility/toc.yml +++ b/docs/core/compatibility/toc.yml @@ -60,7 +60,7 @@ items: href: sdk/10.0/msbuild-custom-culture.md - name: NU1510 is raised for direct references pruned by NuGet href: sdk/10.0/nu1510-pruned-references.md - - name: HTTP warnings promoted to errors in dotnet package list and dotnet package search + - name: HTTP warnings promoted to errors in 'dotnet package list' and 'dotnet package search' href: sdk/10.0/http-warnings-to-errors.md - name: Windows Forms items: From d045b5b49aa2cb7754028a54b12531a8f683ac34 Mon Sep 17 00:00:00 2001 From: Cam Date: Mon, 12 May 2025 18:42:34 +0000 Subject: [PATCH 6/8] Added source compatibility --- docs/core/compatibility/10.0.md | 18 +++++++++--------- .../sdk/10.0/http-warnings-to-errors.md | 5 ++++- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/docs/core/compatibility/10.0.md b/docs/core/compatibility/10.0.md index d6e33c78c9a5e..3fdffca93ff48 100644 --- a/docs/core/compatibility/10.0.md +++ b/docs/core/compatibility/10.0.md @@ -56,15 +56,15 @@ If you're migrating an app to .NET 10, the breaking changes listed here might af ## SDK and MSBuild -| Title | Type of change | Introduced version | -|--------------------------------------------------------------------------------------------------------------------------|---------------------|--------------------| -| [.NET CLI `--interactive` defaults to `true` in user scenarios](sdk/10.0/dotnet-cli-interactive.md) | Behavioral change | Preview 3 | -| [Default workload configuration from 'loose manifests' to 'workload sets' mode](sdk/10.0/default-workload-config.md) | Behavioral change | Preview 2 | -| [`dotnet restore` audits transitive packages](sdk/10.0/nugetaudit-transitive-packages.md) | Behavioral change | Preview 3 | -| [MSBUILDCUSTOMBUILDEVENTWARNING escape hatch removed](sdk/10.0/custom-build-event-warning.md) | Behavioral change | Preview 1 | -| [MSBuild custom culture resource handling](sdk/10.0/msbuild-custom-culture.md) | Behavioral change | Preview 1 | -| [NU1510 is raised for direct references pruned by NuGet](sdk/10.0/nu1510-pruned-references.md) | Source incompatible | Preview 1 | -| [HTTP warnings promoted to errors in `dotnet package list` and `dotnet package search`](sdk/10.0/http-warnings-to-errors.md) | Behavioral change | Preview 4 | +| Title | Type of change | Introduced version | +|------------------------------------------------------------------------------------------------------------------------------|---------------------------------------|--------------------| +| [.NET CLI `--interactive` defaults to `true` in user scenarios](sdk/10.0/dotnet-cli-interactive.md) | Behavioral change | Preview 3 | +| [Default workload configuration from 'loose manifests' to 'workload sets' mode](sdk/10.0/default-workload-config.md) | Behavioral change | Preview 2 | +| [`dotnet restore` audits transitive packages](sdk/10.0/nugetaudit-transitive-packages.md) | Behavioral change | Preview 3 | +| [MSBUILDCUSTOMBUILDEVENTWARNING escape hatch removed](sdk/10.0/custom-build-event-warning.md) | Behavioral change | Preview 1 | +| [MSBuild custom culture resource handling](sdk/10.0/msbuild-custom-culture.md) | Behavioral change | Preview 1 | +| [NU1510 is raised for direct references pruned by NuGet](sdk/10.0/nu1510-pruned-references.md) | Source incompatible | Preview 1 | +| [HTTP warnings promoted to errors in `dotnet package list` and `dotnet package search`](sdk/10.0/http-warnings-to-errors.md) | Behavioral/source incompatible change | Preview 4 | ## Windows Forms diff --git a/docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md b/docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md index 2878a7d0042d1..b42cc4baf874b 100644 --- a/docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md +++ b/docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md @@ -30,7 +30,10 @@ The tools now treat HTTP sources as errors by default. To allow HTTP sources, ex ## Type of breaking change -This is a [behavioral change](../../categories.md#behavioral-change). +This is both a [behavioral change](../../categories.md#behavioral-change) and a [source incompatible change](../../categories.md#source-compatibility). + +> [!NOTE] +> While this change primarily affects the behavior of the `dotnet package`, it can also be considered a source incompatible change because it has the potential to break builds that rely on the previous behavior. ## Reason for change From c933715c9a03c61892d1b74c119ecc1a3ab0bdbd Mon Sep 17 00:00:00 2001 From: Cam Date: Mon, 12 May 2025 19:27:48 +0000 Subject: [PATCH 7/8] Fix formatting in note section of HTTP warnings documentation --- docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md b/docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md index b42cc4baf874b..b5e9e88f41348 100644 --- a/docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md +++ b/docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md @@ -33,7 +33,7 @@ The tools now treat HTTP sources as errors by default. To allow HTTP sources, ex This is both a [behavioral change](../../categories.md#behavioral-change) and a [source incompatible change](../../categories.md#source-compatibility). > [!NOTE] -> While this change primarily affects the behavior of the `dotnet package`, it can also be considered a source incompatible change because it has the potential to break builds that rely on the previous behavior. +> While this change primarily affects the behavior of the `dotnet package`, it can also be considered a source incompatible change because it has the potential to break builds that rely on the previous behavior. ## Reason for change From d6803ff270a791d09141212db2ca6483b8005371 Mon Sep 17 00:00:00 2001 From: Cam Date: Mon, 12 May 2025 19:58:25 +0000 Subject: [PATCH 8/8] Revert to just behavioral change --- docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md b/docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md index b5e9e88f41348..2878a7d0042d1 100644 --- a/docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md +++ b/docs/core/compatibility/sdk/10.0/http-warnings-to-errors.md @@ -30,10 +30,7 @@ The tools now treat HTTP sources as errors by default. To allow HTTP sources, ex ## Type of breaking change -This is both a [behavioral change](../../categories.md#behavioral-change) and a [source incompatible change](../../categories.md#source-compatibility). - -> [!NOTE] -> While this change primarily affects the behavior of the `dotnet package`, it can also be considered a source incompatible change because it has the potential to break builds that rely on the previous behavior. +This is a [behavioral change](../../categories.md#behavioral-change). ## Reason for change