Skip to content

Update NuGet auditing details for dotnet restore #50367

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
meaghanlewis merged 2 commits into from
Dec 5, 2025
Merged

Update NuGet auditing details for dotnet restore #50367

meaghanlewis merged 2 commits into from
Dec 5, 2025

Conversation

@meaghanlewis
Copy link
Contributor

@meaghanlewis meaghanlewis commented Dec 5, 2025
edited by github-actions bot
Loading

Summary

This pull request updates the documentation for NuGet security auditing in the context of dotnet restore, focusing on new configuration options available in .NET 9 and clarifying how vulnerability data sources are specified.

NuGet security auditing configuration:

  • Added documentation for the new auditSources element in nuget.config, available starting in .NET 9, which allows specifying sources for vulnerability data separately from package sources. If no audit sources are defined, package sources are used by default.
  • Provided an updated example for listing NuGet.org as an audit source using the auditSources configuration block.
  • Clarified that NuGet audits any source as long as it provides the VulnerabilityInfo resource, and removed outdated information about package sources.

Contributes to #39212

Internal previews

📄 File 🔗 Preview link
docs/core/tools/dotnet-restore.md dotnet restore

@dotnetrepoman dotnetrepoman bot added this to the December 2025 milestone Dec 5, 2025
@meaghanlewis meaghanlewis requested a review from zivkan December 5, 2025 20:14
zivkan
zivkan approved these changes Dec 5, 2025
View reviewed changes
Copy link
Member

@zivkan zivkan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thank you!

@meaghanlewis meaghanlewis marked this pull request as ready for review December 5, 2025 20:27
@meaghanlewis meaghanlewis requested a review from a team as a code owner December 5, 2025 20:27
Copilot AI review requested due to automatic review settings December 5, 2025 20:27
Copilot AI reviewed Dec 5, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the NuGet security auditing documentation for dotnet restore to reflect new .NET 9 capabilities and improve clarity around vulnerability data source configuration.

Key changes:

  • Documents the new auditSources configuration element available in .NET 9 for specifying vulnerability data sources separately from package sources
  • Updates the example configuration to demonstrate the auditSources element instead of packageSources
  • Clarifies the fallback behavior when no audit sources are configured

gewarren
gewarren approved these changes Dec 5, 2025
View reviewed changes
@meaghanlewis @gewarren
Update docs/core/tools/dotnet-restore.md
f9ffec2 
Co-authored-by: Genevieve Warren <24882762+gewarren@users.noreply.github.com>
@meaghanlewis meaghanlewis merged commit 43918b9 into dotnet:main Dec 5, 2025
9 checks passed
@meaghanlewis meaghanlewis deleted the reword-nuget-audit-details branch December 5, 2025 22:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@zivkan zivkan zivkan approved these changes

@gewarren gewarren gewarren approved these changes

Assignees

No one assigned

Labels

dotnet-cli/subsvc dotnet-fundamentals/svc

Projects

None yet

Milestone

December 2025

Development

Successfully merging this pull request may close these issues.

3 participants

@meaghanlewis @zivkan @gewarren