NuGet should not install unlisted packages unless the version number is specified. So the following commands should not add an unlisted nuget package:
dotnet add package <packageID>
nuget install <packageID>
Do either of these actually end up installing unlisted packages?
Didn’t check recently but I guess this issue was filed because back then these did :) Do you see a different behavior now?
I was looking into related code and noticed a "possible" issue with this.
Looking at the code today, I'd expect them to have a different behavior, but I could be wrong.
Either way, this needs to be analyzed and fixed.
Confirming this behavior for 5.3.0.
@matkoch can you help us understand your scenario and how this bug is causing an issue? I am asking so that I can help identify a workaround while we schedule a fix.
Here's a helpful resource about what having an unlisted package currently means.
https://docs.microsoft.com/en-us/nuget/nuget-org/policies/deleting-packages
Focus on the following paragraphs from the linked page.
Unlisted packages don't appear on nuget.org or in the Visual Studio UI, and do not appear in search results. Unlisted packages, however, can still be downloaded and installed by using an exact version number, which supports package restore. In addition, unlisted packages may still be discovered in the following specific scenarios:
> /usr/local/bin/mono /Users/matt/.nuget/packages/nuget.commandline/5.3.0/tools/NuGet.exe install Nuke.Docker -OutputDirectory /Users/matt/code/nuke/repositories/nuke-build/web/.tmp/packages -ExcludeVersion -DependencyVersion Ignore -Verbosity detailed
NuGet Version: 5.3.0.6251
Feeds used:
https://www.myget.org/F/nukebuild/api/v3/index.json
https://www.myget.org/F/nukebuild/api/v3/index.json
https://api.nuget.org/v3/index.json
/Users/matt/.nuget/packages
Installing package 'Nuke.Docker' to '/Users/matt/code/nuke/repositories/nuke-build/web/.tmp/packages'.
GET https://api.nuget.org/v3/registration3-gz-semver2/nuke.docker/index.json
OK https://api.nuget.org/v3/registration3-gz-semver2/nuke.docker/index.json 765ms
GET https://www.myget.org/F/nukebuild/api/v3/registration1/nuke.docker/index.json
NotFound https://www.myget.org/F/nukebuild/api/v3/registration1/nuke.docker/index.json 274ms
GET https://www.myget.org/F/nukebuild/api/v3/registration1/nuke.docker/index.json
NotFound https://www.myget.org/F/nukebuild/api/v3/registration1/nuke.docker/index.json 212ms
GET https://www.myget.org/F/nukebuild/api/v3/registration1/nuke.docker/index.json
CACHE https://api.nuget.org/v3/registration3-gz-semver2/nuke.docker/index.json
NotFound https://www.myget.org/F/nukebuild/api/v3/registration1/nuke.docker/index.json 55ms
GET https://www.myget.org/F/nukebuild/api/v3/registration1/nuke.docker/index.json
NotFound https://www.myget.org/F/nukebuild/api/v3/registration1/nuke.docker/index.json 51ms
Resolved actions to install package 'Nuke.Docker.1.0.0'
Retrieving package 'Nuke.Docker 1.0.0' from 'nuget.org'.
Adding package 'Nuke.Docker.1.0.0' to folder '/Users/matt/code/nuke/repositories/nuke-build/web/.tmp/packages'
Added package 'Nuke.Docker.1.0.0' to folder '/Users/matt/code/nuke/repositories/nuke-build/web/.tmp/packages'
Added package 'Nuke.Docker.1.0.0' to folder '/Users/matt/code/nuke/repositories/nuke-build/web/.tmp/packages' from source 'https://api.nuget.org/v3/index.json'
Successfully installed 'Nuke.Docker 1.0.0' to /Users/matt/code/nuke/repositories/nuke-build/web/.tmp/packages
Executing nuget actions took 177.25 ms
So?
Is anyone checking this out? I’m sorry to say, but how is this still not fixed after being reported a year ago?
It was reported way longer ago in other issues. Even by Jon Skeet....
@karann-msft @nkolev92 did you have a chance to look into that?
@karann-msft @nkolev92 any news?
This is definitely still a problem when using dotnet add package. Any word on getting this fixed? One reason a package owner may unlist a package is due to security issues. Fixing this seems important from a security perspective.
The dotnet.exe side will be fixed https://github.com/NuGet/NuGet.Client/pull/3480.
👏🏽👏🏽👏🏽
@nkolev92 I was just testing nuget.exe and already found this to be the case.
Considering you closed a PR for dotnet.exe, can this Issue be closed?
Unlisted package still got installed when running NuGet.exe install
Checked with @nkolev92, fixing NuGet.exe is enough as dotnet.exe has been fixed.
He also provided the following useful info:
Product change should be made at: https://github.com/NuGet/NuGet.Client/blob/dev/src/NuGet.Clients/NuGet.CommandLine/Commands/InstallCommand.cs#L289
Tests need to be added.
https://github.com/NuGet/NuGet.Client/blob/5a0d881d8cbb144de7bc0a03f40a6a633662d7d4/test/NuGet.Clients.Tests/NuGet.CommandLine.Test/FileSystemBackedV3MockServer.cs#L26 this type should be helpful.
The change that added that type has a sample test:
https://github.com/NuGet/NuGet.Client/commit/9261fb964ca110fadb69c5bb1100746558cfe908 https://github.com/NuGet/NuGet.Client/blob/5a0d881d8cbb144de7bc0a03f40a6a633662d7d4/test/NuGet.Clients.Tests/NuGet.CommandLine.Test/Common/SelfUpdaterTests.cs#L18-L48
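The selection rule this thread asks for, sketched over a registration index like the one fetched in the log above. This is an added example, not NuGet's code or part of any comment here; the sample index, the package name `Example.Package` and the function names are constructed, and it assumes registration pages carry their leaves inline and that versions are stable three-part numbers.

```python
# Constructed registration index, shaped like the v3 package metadata
# resource (pages -> leaves -> catalogEntry). Versions are illustrative.
SAMPLE_INDEX = {
    "items": [{
        "items": [
            {"catalogEntry": {"id": "Example.Package", "version": "0.9.0", "listed": True}},
            {"catalogEntry": {"id": "Example.Package", "version": "1.0.0", "listed": False}},
            {"catalogEntry": {"id": "Example.Package", "version": "0.10.1"}},  # flag absent
        ]
    }]
}


def _key(version):
    # Assumption: stable three-part versions only; build metadata is dropped.
    return tuple(int(part) for part in version.split("+")[0].split("."))


def entries(index):
    """Yield (version, listed) for every leaf; an absent flag counts as listed."""
    for page in index.get("items", []):
        for leaf in page.get("items", []):
            entry = leaf["catalogEntry"]
            yield entry["version"], entry.get("listed", True)


def resolve(index, requested=None):
    """Return the version to install, or None if nothing qualifies.

    No version requested -> highest *listed* version only.
    Exact version requested -> that version, listed or not (package restore).
    """
    found = dict(entries(index))
    if requested is not None:
        return requested if requested in found else None
    listed = [v for v, is_listed in found.items() if is_listed]
    return max(listed, key=_key) if listed else None


def audit(index, pinned):
    """Return True when an already-pinned version has since been unlisted."""
    return dict(entries(index)).get(pinned, True) is False


if __name__ == "__main__":
    print(resolve(SAMPLE_INDEX))
    print(resolve(SAMPLE_INDEX, "1.0.0"))
    print(audit(SAMPLE_INDEX, "1.0.0"))
```

`audit` is the check to run over versions already pinned in a project, since an owner may unlist a version after it was restored.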