CLI installs should not install unlisted packages #7466

Closed
anangaur opened this issue Nov 2, 2018 · 17 comments · Fixed by NuGet/NuGet.Client#3795
Labels
  • Category:Quality Week (Issues that should be considered for quality week)
  • Functionality:Install (The install command in VS/nuget.exe)
  • Priority:2 (Issues for the current backlog)
  • Product:dotnet.exe
  • Product:NuGet.exe
  • Type:Bug

Comments

@anangaur
Member

anangaur commented Nov 2, 2018

NuGet should not install unlisted packages unless the version number is specified. So the following commands should not add an unlisted nuget package:

dotnet add package <packageID>

nuget install <packageID>

@PatoBeltran PatoBeltran added Priority:2 Issues for the current backlog. Product:NuGet.exe NuGet.exe Functionality:Install The install command in VS/nuget.exe labels Nov 28, 2018
@PatoBeltran PatoBeltran added this to the Backlog milestone Nov 28, 2018
@nkolev92
Member

Do either of these actually end up installing unlisted packages?

@anangaur
Member Author

Didn’t check recently but I guess this issue was filed because back then these did :) do you see a different behavior now?

@nkolev92
Member

I was looking into related code and noticed a "possible" issue with this.

Looking at the code today, I'd expect them to have a different behavior, but I could be wrong.

Either way, this needs to be analyzed and fixed.

@matkoch
Contributor

matkoch commented Oct 19, 2019

Confirming this behavior for 5.3.0.

@karann-msft
Contributor

@matkoch can you help us understand your scenario and how this bug is causing an issue? I am asking so that I can help identify a workaround while we schedule a fix.

@nkolev92
Member

Here's a helpful resource about what having an unlisted package currently means.

https://docs.microsoft.com/en-us/nuget/nuget-org/policies/deleting-packages

Focus on the following paragraphs from the linked page.

Unlisted packages don't appear on nuget.org or in the Visual Studio UI, and do not appear in search results. Unlisted packages, however, can still be downloaded and installed by using an exact version number, which supports package restore. In addition, unlisted packages may still be discovered in the following specific scenarios:

  • Package restore using floating versions (for example, 1.0.0-*), if the latest available package matching the version or dependency constraints is an unlisted package.
  • Replication of packages through the catalog (as the catalog also contains unlisted packages).

@matkoch
Contributor

matkoch commented Oct 19, 2019

> /usr/local/bin/mono /Users/matt/.nuget/packages/nuget.commandline/5.3.0/tools/NuGet.exe install Nuke.Docker -OutputDirectory /Users/matt/code/nuke/repositories/nuke-build/web/.tmp/packages -ExcludeVersion -DependencyVersion Ignore -Verbosity detailed
NuGet Version: 5.3.0.6251
Feeds used:
  https://www.myget.org/F/nukebuild/api/v3/index.json
  https://www.myget.org/F/nukebuild/api/v3/index.json
  https://api.nuget.org/v3/index.json
  /Users/matt/.nuget/packages

Installing package 'Nuke.Docker' to '/Users/matt/code/nuke/repositories/nuke-build/web/.tmp/packages'.
  GET https://api.nuget.org/v3/registration3-gz-semver2/nuke.docker/index.json
  OK https://api.nuget.org/v3/registration3-gz-semver2/nuke.docker/index.json 765ms
  GET https://www.myget.org/F/nukebuild/api/v3/registration1/nuke.docker/index.json
  NotFound https://www.myget.org/F/nukebuild/api/v3/registration1/nuke.docker/index.json 274ms
  GET https://www.myget.org/F/nukebuild/api/v3/registration1/nuke.docker/index.json
  NotFound https://www.myget.org/F/nukebuild/api/v3/registration1/nuke.docker/index.json 212ms
  GET https://www.myget.org/F/nukebuild/api/v3/registration1/nuke.docker/index.json
  CACHE https://api.nuget.org/v3/registration3-gz-semver2/nuke.docker/index.json
  NotFound https://www.myget.org/F/nukebuild/api/v3/registration1/nuke.docker/index.json 55ms
  GET https://www.myget.org/F/nukebuild/api/v3/registration1/nuke.docker/index.json
  NotFound https://www.myget.org/F/nukebuild/api/v3/registration1/nuke.docker/index.json 51ms
Resolved actions to install package 'Nuke.Docker.1.0.0'
Retrieving package 'Nuke.Docker 1.0.0' from 'nuget.org'.
Adding package 'Nuke.Docker.1.0.0' to folder '/Users/matt/code/nuke/repositories/nuke-build/web/.tmp/packages'
Added package 'Nuke.Docker.1.0.0' to folder '/Users/matt/code/nuke/repositories/nuke-build/web/.tmp/packages'
Added package 'Nuke.Docker.1.0.0' to folder '/Users/matt/code/nuke/repositories/nuke-build/web/.tmp/packages' from source 'https://api.nuget.org/v3/index.json'
Successfully installed 'Nuke.Docker 1.0.0' to /Users/matt/code/nuke/repositories/nuke-build/web/.tmp/packages
Executing nuget actions took 177.25 ms

1.0.0 is unlisted. The latest listed package is 0.4.0.
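The log above shows the pre-fix selection rule (newest version wins, listed or not) against the rule the linked policy describes (unlisted versions are only reachable by exact version). The following is an added illustration, not NuGet's own code: it runs both rules over a constructed registration index shaped like the NuGet v3 registration resource (items[].items[].catalogEntry with "version" and "listed"), using the two versions from the thread.

```python
import json
from typing import Optional

# Constructed sample, shaped like one page of a NuGet v3 registration index.
# In the real protocol "listed" is optional and an absent value means listed.
REGISTRATION_INDEX = json.loads("""
{"items": [{"items": [
  {"catalogEntry": {"id": "Nuke.Docker", "version": "0.4.0", "listed": true}},
  {"catalogEntry": {"id": "Nuke.Docker", "version": "1.0.0", "listed": false}}
]}]}
""")


def parse_version(v: str):
    # Minimal SemVer ordering: numeric core, then a prerelease sorts below release.
    core, _, pre = v.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    return (nums, pre == "", pre)


def catalog_entries(index):
    for page in index["items"]:
        for leaf in page["items"]:
            yield leaf["catalogEntry"]


def select_version(index, requested: Optional[str] = None) -> Optional[str]:
    """Version an install without a pinned version should pick.

    No explicit version: only listed entries are candidates, so a newer but
    unlisted version is skipped. Exact version requested: unlisted is allowed,
    which is what keeps restore of existing projects working.
    """
    entries = list(catalog_entries(index))
    if requested is not None:
        return next((e["version"] for e in entries if e["version"] == requested), None)
    listed = [e["version"] for e in entries if e.get("listed", True)]
    if not listed:
        return None
    return max(listed, key=parse_version)


def buggy_select_version(index) -> str:
    # Behaviour seen in the log: newest version regardless of listing state.
    return max((e["version"] for e in catalog_entries(index)), key=parse_version)
```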

@matkoch
Contributor

matkoch commented Nov 10, 2019

So?

@matkoch
Contributor

matkoch commented Nov 17, 2019

Is anyone checking this out? I’m sorry to say, but how is this still not fixed after being reported a year ago?

@forki

forki commented Nov 18, 2019 via email

@matkoch
Contributor

matkoch commented Nov 25, 2019

@karann-msft @nkolev92 did you have a chance to look into that?

@matkoch
Contributor

matkoch commented Dec 15, 2019

@karann-msft @nkolev92 any news?

@alanwest

alanwest commented Jun 9, 2020

This is definitely still a problem when using dotnet add package. Any word on getting this fixed? One reason a package owner may unlist a package is due to security issues. Fixing this seems important from a security perspective.

@nkolev92
Member

The dotnet.exe side will be fixed by NuGet/NuGet.Client#3480.

@anangaur
Member Author

👏🏽👏🏽👏🏽

@donnie-msft
Contributor

@nkolev92 I was just testing nuget.exe and already found this to be the case.
Considering you closed a PR for dotnet.exe, can this Issue be closed?

@heng-liu
Contributor

Unlisted package still got installed when running NuGet.exe install.
Checked with @nkolev92, fixing NuGet.exe is enough as dotnet.exe has been fixed.
He also provided the following useful info:
Product change should be made at: https://github.com/NuGet/NuGet.Client/blob/dev/src/NuGet.Clients/NuGet.CommandLine/Commands/InstallCommand.cs#L289
Tests need to be added.
https://github.com/NuGet/NuGet.Client/blob/5a0d881d8cbb144de7bc0a03f40a6a633662d7d4/test/NuGet.Clients.Tests/NuGet.CommandLine.Test/FileSystemBackedV3MockServer.cs#L26 this type should be helpful.
The change that added that type has a sample test:
NuGet/NuGet.Client@9261fb9 https://github.com/NuGet/NuGet.Client/blob/5a0d881d8cbb144de7bc0a03f40a6a633662d7d4/test/NuGet.Clients.Tests/NuGet.CommandLine.Test/Common/SelfUpdaterTests.cs#L18-L48

10 participants