Automatic security updates for Microsoft NuGet packages?

I just tried to answer the question “How to ensure that my ASP.NET MVC 5 web app gets updated automatically when a severe security issue is found in a NuGet dependency”.

The best resources I have found on this topic:

Summary

  • Windows Update will update NuGet packages only for targeted security updates
  • Supported .NET version: 4.5.1 or newer
  • MS .NET NuGet packages are treated as part of the .NET Framework
  • Security update notifications are posted to the .NET blog. Subscribe!
  • Microsoft Update records loaded MS assemblies on a machine to identify candidates for patching.
  • Apps using a vulnerable NuGet package will get served the patched assembly via GAC Publisher Policy.
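As an added check (not from the original post): the last bullet relies on a publisher policy assembly being present in the GAC and on the app not opting out of publisher policy. The script below inspects a web app's bin folder and web.config for both; it assumes the .NET 4 GAC layout under %windir%\Microsoft.NET\assembly\GAC_MSIL and a hypothetical app path in $AppRoot.

```powershell
# Constructed check, not code from the original post. For each managed DLL in
# the app's bin folder, report whether a GAC publisher policy assembly exists
# for it and whether web.config disables publisher policy. $AppRoot is a
# hypothetical path; adjust it for your deployment.
param(
    [string]$AppRoot = 'C:\inetpub\wwwroot\MyMvcApp'   # hypothetical path
)

$gacMsil   = Join-Path $env:windir 'Microsoft.NET\assembly\GAC_MSIL'
$webConfig = Join-Path $AppRoot 'web.config'

# <publisherPolicy apply="no"/> in web.config turns off the redirect that the
# patched GAC assembly depends on, so the app would keep using the bin copy.
$policyDisabled = $false
if (Test-Path $webConfig) {
    [xml]$cfg = Get-Content -Raw $webConfig
    $nodes = $cfg.SelectNodes("//*[local-name()='publisherPolicy'][@apply='no']")
    $policyDisabled = $nodes.Count -gt 0
}
if ($policyDisabled) { Write-Warning "web.config disables publisher policy" }

Get-ChildItem (Join-Path $AppRoot 'bin') -Filter *.dll | ForEach-Object {
    try {
        $name = [System.Reflection.AssemblyName]::GetAssemblyName($_.FullName)
    } catch {
        return   # native (unmanaged) DLL, nothing to check
    }
    $ver = $name.Version
    # Publisher policy assemblies are registered in the GAC as
    # policy.<major>.<minor>.<AssemblyName>
    $policyDir = Join-Path $gacMsil ("policy.{0}.{1}.{2}" -f $ver.Major, $ver.Minor, $name.Name)
    $hasPolicy = Test-Path $policyDir
    [pscustomobject]@{
        Assembly        = $name.Name
        BinVersion      = $ver.ToString()
        PublisherPolicy = $hasPolicy
        PolicyApplied   = $hasPolicy -and -not $policyDisabled
    }
} | Format-Table -AutoSize
```

A row with PublisherPolicy true and PolicyApplied false means a patched assembly is installed but the app is configured to ignore it.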

Conclusions

I am now more confident that using NuGet packages I get critical updates for my applications when needed when Windows Update is used.

But: I would like to see a more recent document about the treatment of security issues in NuGet. (Please leave a comment if you have something and I will update the post). And I would like to know why the NuGet package feed list is empty.
