[Breaking change]: NuGet logs an error for invalid package ids #47984

@Nigusu-Allehu

Description

NuGet now validates package IDs when they’re used to create URLs. If an ID isn’t in the correct format, NuGet will show an error instead of continuing. This ensures only valid package IDs are used.

Version

.NET 10 RC 1

Previous behavior

Previously, NuGet resources that constructed URLs from package IDs did not validate the package ID format. Invalid or malformed package IDs could be used.

New behavior

With the new change, any package ID used to construct a URL via NuGet resources is now validated. If the package ID does not conform to NuGet's expected format, an exception is thrown, and the URL is not constructed.

Type of breaking change

  • Binary incompatible: Existing binaries might encounter a breaking change in behavior, such as failure to load or execute, and if so, require recompilation.
  • Source incompatible: When recompiled using the new SDK or component or to target the new runtime, existing source code might require source changes to compile successfully.
  • Behavioral change: Existing binaries might behave differently at run time.

Reason for change

This change introduces validation to ensure that only properly formatted package IDs are used when constructing URLs. The validation strengthens the code’s security posture by reducing the risk of unsafe or unintended inputs being processed.

Recommended action

If you need to bypass the new validation, you can set the environment variable NUGET_DISABLE_PACKAGEID_VALIDATION to true in your environment. This will disable the package ID validation logic and restore the previous behavior.

Feature area

SDK

Affected APIs

No response


Associated WorkItem - 486215
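
The validate-before-build behavior described in this issue, as an added C# sketch that is not NuGet's code and not part of the original issue. The ID pattern and 100-character limit (modeled on NuGet's package ID rule), the `BuildIndexUri` helper, the feed URL, and the way the environment variable value is parsed are assumptions.

```csharp
using System;
using System.Text.RegularExpressions;

static class PackageUrlBuilder
{
    // Assumption: word characters separated by single '.' or '-', at most 100 chars.
    // \A and \z anchor the whole string, so a trailing newline cannot slip past the check.
    private static readonly Regex IdPattern = new Regex(
        @"\A\w+([.-]\w+)*\z", RegexOptions.CultureInvariant, TimeSpan.FromSeconds(1));
    private const int MaxIdLength = 100;

    public static bool IsValidPackageId(string id) =>
        !string.IsNullOrEmpty(id) && id.Length <= MaxIdLength && IdPattern.IsMatch(id);

    // Opt-out variable named in the issue; the "true" comparison is an assumption.
    private static bool ValidationDisabled() => string.Equals(
        Environment.GetEnvironmentVariable("NUGET_DISABLE_PACKAGEID_VALIDATION"),
        "true", StringComparison.OrdinalIgnoreCase);

    // Hypothetical helper: builds an index URL for a package ID under a feed base URL.
    public static Uri BuildIndexUri(Uri baseUri, string packageId)
    {
        if (!ValidationDisabled() && !IsValidPackageId(packageId))
            throw new ArgumentException(
                $"'{packageId}' is not a valid package ID.", nameof(packageId));

        // Only reached with a validated ID (or with validation switched off).
        // Without the check, path, query or fragment characters in the ID would
        // change which URL is requested.
        return new Uri(baseUri, packageId.ToLowerInvariant() + "/index.json");
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample inputs: two well-formed IDs and three malformed ones.
        var baseUri = new Uri("https://feed.example.test/v3/flatcontainer/");
        string[] ids = { "Newtonsoft.Json", "My-Package.Core", "../../admin", "pkg?x=1#frag", "a/b" };
        foreach (var id in ids)
        {
            try { Console.WriteLine($"{id,-18} -> {BuildIndexUri(baseUri, id)}"); }
            catch (ArgumentException ex) { Console.WriteLine($"{id,-18} -> rejected: {ex.Message}"); }
        }
    }
}
```

Running it with the variable unset and then set to `true` shows which of your own package IDs depend on the old unvalidated behavior before you decide whether the bypass is needed.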
