NuGet Warning NU1905
warning NU1905: NuGetAudit is enabled, but no package sources contain known vulnerability data.
Issue
NuGetAudit is explicitly enabled, but none of the configured package sources provide vulnerability information for NuGet to check against.
Solution
NuGet asks all configured package sources for vulnerability information. Any package source implementing NuGet's V3 server API can provide the data via the VulnerabilityInfo resource, including by mirroring nuget.org's vulnerability data. You can check if your package source administrators have a setting to enable vulnerability data.
If you would like to treat this warning as an error, to cause build failures when vulnerability checks could not be performed, you can add <WarningAsError>$(WarningAsError);NU1905</WarningAsError> to your project file.
If you are using TreatWarningsAsErrors to cause all warnings to be treated as errors, you can add <NoWarn>$(NoWarn);NU1905</NoWarn> to your project file to suppress this warning message, or <WarningsNotAsErrors>NU1905</WarningsNotAsErrors> to prevent this warning from being treated as an error.
Note
There is a request to get vulnerability data without adding nuget.org as a package source. As a temporary mitigation, if your security policy allows it, you can use Package Source Mapping to get all your packages from package sources other than nuget.org, so that adding nuget.org as a package source will only use it for vulnerability data.
For more information, see the documentation on auditing packages.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for