We are running a private NuGet repository. Our build server creates NuGet packages from a couple of our framework projects and copies these packages into the repository. As of today we are receiving a weird error from NuGet when we try to restore some packages.
The package '[package name here]' contains an entry which is unsafe for extraction.
Unfortunately I didn't find anything on Google that was able to assist me.
My question is: What in a NuGet package is considered unsafe for extraction? Is there a list of entries that must not be part of a package?
The package of the current version looks like the package of the previous versions, which can still be retrieved via the NuGet manager. Or is this something that came along with the latest Visual Studio patch for 15.8.2?
UPDATE
In the meantime we found out that the problem appears in package manager 4.8.0.5385. In versions 4.7.* everything is working as expected. On nuget.org the latest recommended version of nuget.exe is 4.7.1! Unfortunately one doesn't have the option to opt out of updating the version, because it is installed with the latest Visual Studio patch for 15.8.2.
To do that, go to Tools, NuGet Package Manager, then go to Package Manager Settings. Go to the General section, and make sure both options are checked: Allow NuGet to download missing packages, and automatically check for missing packages during build in Visual Studio. Then click OK.
Switch to the Browse tab, search for the package name, select it, then select Install. For all packages, delete the package folder, then run nuget install . For a single package, delete the package folder and use nuget install <id> to reinstall the same one.
Download & Installation: You can download the latest version from nuget.org/downloads. The latest version is always recommended, and 4.1.0+ is required to publish packages to nuget.org. The file is not an installer; it is the nuget.exe file itself.
Quick solution for Visual Studio users: Select the Tools > NuGet Package Manager > Package Manager Settings menu command. Set both options under Package Restore. Select OK. Build your project again.
According to the NuGet source code, it looks like this occurs to prevent a ZIP traversal attack (sometimes called 'zip-slip').
Either your NuGet package contains a file that has a name that would cause it to be extracted in a bad location, or there is a bug in the NuGet client's way of determining that. If it's the latter, you would likely need to file a bug to get it fixed.
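One way to find the offending entry in a package, as an added example (not NuGet's own check and not part of the original answer): it approximates the zip-slip test by resolving each entry name against a hypothetical extraction root and reporting names that land outside it. The function names, the `/tmp/pkg` root and the sample entry names are constructed for illustration.

```python
import io
import ntpath
import posixpath
import zipfile


def unsafe_entries(nupkg, dest="/tmp/pkg"):
    """Return (entry name, reason) for entries that would land outside dest.

    nupkg is a path or file-like object; dest is a hypothetical extraction root.
    """
    findings = []
    root = posixpath.normpath(dest)
    with zipfile.ZipFile(nupkg) as zf:
        for name in zf.namelist():
            # Treat backslashes as separators, as a Windows client would.
            unified = name.replace("\\", "/")
            if unified.startswith("/") or ntpath.splitdrive(name)[0]:
                findings.append((name, "absolute path"))
                continue
            target = posixpath.normpath(posixpath.join(root, unified))
            if target != root and not target.startswith(root + "/"):
                findings.append((name, "escapes extraction root"))
    return findings


def build_sample():
    """Constructed in-memory package: three contained entries, four unsafe ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("Demo.nuspec", "lib/net46/Demo.dll", "lib/../content/readme.txt",
                     "../../evil.txt", "lib\\..\\..\\evil.dll", "C:\\Windows\\x.dll", "/etc/x"):
            zf.writestr(name, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reason in unsafe_entries(build_sample()):
        print(f"{name!r}: {reason}")
```

Pass the path of the failing `.nupkg` to `unsafe_entries` to list candidate entries; an empty result points toward the client-side bug case the answer mentions rather than the package contents.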