NuGet 5.7+ Ignores NuSpec CSProj Replacement Tokens - and other weird behaviors
2020-12-26 13:38
Update
A stellar sleuth discovered that the error messages are related to whether thenuget.exe
executable's "Unblock" attribute is checked. When it is (i.e. the file is unblocked), the error message doesn't occur. While it's still a bug, at least there's a solid workaround.
I submitted this issue in on 2020-08-28. It's had some comments and confirmations, but the moderators are having trouble reproducing it. I'm hoping this will help.
Source Code: ClassLibrary1.zip
Title
Here's the link to the issue.
Environment
Windows 10 Pro
Visual Studio 2019
.NET Framework 4.8
More Info
There are multiple failures being reported below. The fundamental one is that NuGet 5.7 and above ignore token replacements in .nuspec files from .NET Framework project .csproj files.
Steps to Reproduce
Pre-setup
Check the Windows PATH environment variables (System Properties > Advanced > Environment Variables
) at the user and system levels and be sure that no version of nuget.exe
is on the path. One way to verify is to open a new command window and type nuget
. If there's output, nuget
is on the path.
A reboot may be required for the computer to recognize the path change. Normally, it only takes closing completely out of the System Properties editor.
Remember to open a new command window after PATH changes so the environment variable is reloaded.
Steps
- In Visual Studio, create a new .NET Framework Console Application.
- Open Properties\AssemblyInfo.cs add the values that are substituted for $description and $author:
[assembly: AssemblyDescription("Desc")] [assembly: AssemblyConfiguration("")] [assembly: AssemblyCompany("Name")]
- Download NuGet 5.7 https://www.nuget.org/downloads
- Copy to the project folder
- Rename to
nuget.exe
.
It's important that the file be named
nuget.exe
.
In the
ClassLibrary1.csproj
project folder, runnuget spec
Reduce the resulting
ClassLibrary1.nuspec
file to the minimum required properties<?xml version="1.0" encoding="utf-8"?> <package > <metadata> <id>$id$</id> <version>$version$</version> <authors>$author$</authors> <description>$description$</description> </metadata> </package>
Build the project or solution.
In project folder, run
nuget pack
Expected: Successful build of new package
Actual: Error that Author and Description are missing:
Attempting to build package from 'ClassLibrary1.csproj'.
MSBuild auto-detection: using msbuild version '16.8.2.56705' from 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin'.
Packing files from 'C:\Users\charl\source\repos\ClassLibrary1\ClassLibrary1\bin\Debug'.
Using 'ClassLibrary1.nuspec' for metadata.
Authors is required.
Description is required.
NuGet 5.6 Behavior
In the above environment, replace the
nuget.exe
version 5.7 with version 5.6.It's important that the file be named
nuget.exe
.Run
nuget pack
The pack succeeds.
Attempting to build package from 'ClassLibrary1.csproj'.
MSBuild auto-detection: using msbuild version '16.8.2.56705' from 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin'.
Packing files from 'C:\Users\charl\source\repos\ClassLibrary1\ClassLibrary1\bin\Debug'.
Using 'ClassLibrary1.nuspec' for metadata.
Successfully created package 'C:\Users\charl\source\repos\ClassLibrary1\ClassLibrary1\ClassLibrary1.1.0.0.nupkg'.
WARNING: NU5128: Some target frameworks declared in the dependencies group of the nuspec and the lib/ref folder do not have exact matches in the other location. Consult the list of actions below:
- Add a dependency group for .NETFramework4.8 to the nuspec
NuGet 5.8 and 5.9 preview Behaviors
Both versions exhibit the same bug as 5.7.
Behavior When Renaming nuget.exe
- Copy version 5.6 into the project folder
- Rename it
nugetx.exe
(It doesn't matter what it's renamed to, as long as it isn'tnuget.exe
) - Run
nugetx.exe pack
Unlike when named
nuget.exe
, version 5.6pack
fails with the unexpected error!
Attempting to build package from 'ClassLibrary1.csproj'.
MSBuild auto-detection: using msbuild version '16.8.2.56705' from 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin'.
Packing files from 'C:\Users\charl\source\repos\ClassLibrary1\ClassLibrary1\bin\Debug'.
Using 'ClassLibrary1.nuspec' for metadata.
Authors is required.
Description is required.
Behavior When Two NuGet files in Path
- Copy version 5.6 into the project folder and rename to
nuget.exe
- Copy version 5.6 again into the project folder and rename to
nugetx.exe
- Run
nuget pack
- Run
nugetx pack
In both cases, the pack succeeds.
Real World Concerns
Many organizations will, in a continuous deployment environment, use a known path to the latest NuGet package and expect it to be named nuget.exe
. As seen above, those organizations will suddenly find themselves with failing package steps.
In order to continue, they must either stay on version 5.6 and accept the potential security issues there, or rework their pipeline.