I just tried to answer the question “How to ensure that my ASP.NET MVC 5 web app gets updated automatically when a severe security issue is found in a NuGet dependency”.
The best resources I have found on this topic:
- .NET 4.5.1 Supports Microsoft Security Updates for .NET NuGet Libraries (.NET blog)
- Announcing the .NET Framework 4.5.1 Preview (.NET blog)
- NuGet is a .NET framework release vehicle (.NET blog)
- Microsoft .NET Framework NuGet Packages (.NET blog)
- !This list is empty! (state of affairs 31.07.2017)
- Support lifecycle for ASP.NET Web Stack (MS Support)
Summary
- Windows Update will update NuGet packages only for targeted security updates
- Supported .NET version: 4.5.1 or newer
- MS .NET NuGet packages are treated as part of the .NET Framework
- Security update notifications are posted to .NET blog. Subscribe!
- Microsoft Update records loaded MS assemblies on a machine to identify candidates for patching.
- Apps using a vulnerable NuGet package will get served the patched assembly via GAC Publisher Policy.
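Because the patched assembly arrives through publisher policy, an application that switches publisher policy off in its own configuration will keep loading the version it shipped with. The following check is an added example, not code from the original post or from Microsoft: it scans a web.config for `<publisherPolicy apply="no" />`. The sample configuration, assembly names and public key tokens are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ASM_NS = "urn:schemas-microsoft-com:asm.v1"

# Constructed sample web.config; names and tokens are placeholders.
SAMPLE_WEB_CONFIG = """
<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Example.Library" publicKeyToken="0000000000000000" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-2.0.0.0" newVersion="2.0.0.0" />
        <publisherPolicy apply="no" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Example.Other" publicKeyToken="0000000000000000" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-1.5.0.0" newVersion="1.5.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>
"""


def _is_off(element):
    """True when a publisherPolicy element carries apply="no"."""
    return element.get("apply", "yes").strip().lower() == "no"


def find_publisher_policy_opt_outs(config_xml):
    """Return assembly names with publisher policy disabled ("*" = whole app)."""
    root = ET.fromstring(config_xml.strip())
    findings = []
    for binding in root.iter(f"{{{ASM_NS}}}assemblyBinding"):
        for child in binding:
            if child.tag == f"{{{ASM_NS}}}publisherPolicy" and _is_off(child):
                findings.append("*")  # application-wide opt-out
            elif child.tag == f"{{{ASM_NS}}}dependentAssembly":
                identity = child.find(f"{{{ASM_NS}}}assemblyIdentity")
                policy = child.find(f"{{{ASM_NS}}}publisherPolicy")
                if policy is not None and _is_off(policy):
                    name = identity.get("name") if identity is not None else "?"
                    findings.append(name)
    return findings


if __name__ == "__main__":
    for scope in find_publisher_policy_opt_outs(SAMPLE_WEB_CONFIG):
        print("publisher policy disabled for:", scope)
```

An ordinary `bindingRedirect` in web.config does not by itself bypass publisher policy, so only the explicit opt-out is reported.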
Conclusions
I am now more confident that, using NuGet packages, I get critical updates for my applications when needed when Windows Update is used.
But: I would like to see a more recent document about the treatment of security issues in NuGet. (Please leave a comment if you have something and I will update the post.) And I would like to know why the NuGet package feed list is empty.