[Breaking change]: Promote HTTP Warnings to Errors in dotnet package list and dotnet package search #45985

Closed
@Nigusu-Allehu

Description

Currently, dotnet package list, dotnet package search, push and delete APIs allow insecure http:// sources with a warning (NU1803).

You are running the 'list package' operation with an 'HTTP' source, 'http://api.source/index.json'. Non-HTTPS access will be removed in a future version. Consider migrating to an 'HTTPS' source.

As mentioned in the warning, these should be treated as errors by default now, unless allowInsecureConnections="true" is explicitly set in nuget.config.

Version

.NET 10 Preview 4

Previous behavior

Previously, users would get a warning about their HTTP sources.

You are running the 'list package' operation with an 'HTTP' source, 'http://api.source/index.json'. Non-HTTPS access will be removed in a future version. Consider migrating to an 'HTTPS' source.

New behavior

After the changes, users will get an error instead of a warning. However, they can still opt out using allowInsecureConnections.

Type of breaking change

  • Binary incompatible: Existing binaries might encounter a breaking change in behavior, such as failure to load or execute, and if so, require recompilation.
  • Source incompatible: When recompiled using the new SDK or component or to target the new runtime, existing source code might require source changes to compile successfully.
  • Behavioral change: Existing binaries might behave differently at run time.

Reason for change

This is a security improvement. Blocking insecure sources by default helps protect users and aligns with secure-by-default practices.

Recommended action

Users can still allow http:// sources by setting allowInsecureConnections="true" in nuget.config.

Feature area

SDK

Affected APIs

  • ~NuGet.Protocol.Core.Types.PackageUpdateResource.PushAsync(System.Collections.Generic.IList<string> packagePaths, string symbolSource, int timeoutInSecond, bool disableBuffering, System.Func<string, string> getApiKey, System.Func<string, string> getSymbolApiKey, bool noServiceEndpoint, bool skipDuplicate, bool allowSnupkg, bool allowInsecureConnections, NuGet.Common.ILogger log) -> System.Threading.Tasks.Task
  • ~NuGet.Protocol.Core.Types.PackageUpdateResource.Delete(string packageId, string packageVersion, System.Func<string, string> getApiKey, System.Func<string, bool> confirm, bool noServiceEndpoint, NuGet.Common.ILogger log) -> System.Threading.Tasks.Task
  • ~NuGet.Protocol.Core.Types.PackageUpdateResource.Delete(string packageId, string packageVersion, System.Func<string, string> getApiKey, System.Func<string, bool> confirm, bool noServiceEndpoint, bool allowInsecureConnections, NuGet.Common.ILogger log) -> System.Threading.Tasks.Task

Associated WorkItem - 429411
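
An audit of a nuget.config for sources that will fail under this change, as an added example that is not part of the issue or NuGet's code. It assumes the opt-out is the allowInsecureConnections attribute on a source's <add> element under <packageSources>; the sample config, feed names and the audit_sources helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample nuget.config; feed names and URLs are made up.
SAMPLE_CONFIG = """<configuration>
  <packageSources>
    <clear />
    <add key="public" value="https://feed.example.test/v3/index.json" />
    <add key="legacy" value="http://api.source/index.json" />
    <add key="lab" value="http://lab.example.test/index.json"
         allowInsecureConnections="true" />
    <add key="local" value="./packages" />
  </packageSources>
</configuration>
"""


def audit_sources(config_xml):
    """Classify each <packageSources>/<add> entry.

    Returns a list of (key, value, verdict) where verdict is:
      "ok"      - not an http:// source (HTTPS, local folder, UNC path)
      "opt-out" - http:// with allowInsecureConnections="true"
      "error"   - http:// without the opt-out; fails once the
                  warning is promoted to an error
    """
    root = ET.fromstring(config_xml)
    results = []
    for add in root.findall("./packageSources/add"):
        key = add.get("key", "")
        value = add.get("value", "")
        scheme = urlsplit(value).scheme.lower()
        # Assumption: the attribute value is compared case-insensitively.
        flag = add.get("allowInsecureConnections", "")
        opted_out = flag.strip().lower() == "true"
        if scheme != "http":
            verdict = "ok"
        elif opted_out:
            verdict = "opt-out"
        else:
            verdict = "error"
        results.append((key, value, verdict))
    return results


if __name__ == "__main__":
    for key, value, verdict in audit_sources(SAMPLE_CONFIG):
        print(f"{verdict:8} {key:8} {value}")
```

Sources reported as "opt-out" keep working but still fetch over plain HTTP, so they are worth listing for review alongside the ones reported as "error".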

Labels

  • 🏁 Release: .NET 10: Work items for the .NET 10 release
  • 📌 seQUESTered: Identifies that an issue has been imported into Quest.
  • breaking-change: Indicates a .NET Core breaking change
