Merge pull request #3494 from NuGet/main

Author: nkolev92

docs/concepts/Auditing-Packages.md

@@ -115,7 +115,39 @@ Alternatively, if you want to keep low and moderate vulnerabilities as warnings,
 > [!NOTE]
 > MSBuild properties for message severity such as `NoWarn` and `TreatWarningsAsErrors` are not supported for packages.config projects.
 
-## Ensure restore audited projects
+## Running NuGet Audit in CI
+
+### Separating Errors from Warnings with a Dedicated Auditing Pipeline
+
+You can use MSBuild's conditional statements to configure a dedicated CI pipeline for running audits, without audit warnings being treated as errors in other pipelines or on local builds.
+Depending on your CI system and team processes, you can have failed runs of the audit pipeline email the team, or you may have a dashboard where you can show a badge of the most recent run of the pipeline.
+
+Like many things in programming, there are multiple ways to achieve the outcome.
+One option is to treat NuGet Audit warnings as errors only in an audit pipeline.
+
+```xml
+<PropertyGroup>
+  <NuGetAuditCodes>NU1900;NU1901;NU1902;NU1903;NU1904;NU1905</NuGetAuditCodes>
+  <WarningsAsErrors Condition=" '$(AuditPipeline)' == 'true' ">$(WarningsAsErrors);$(NuGetAuditCodes)</WarningsAsErrors>
+  <WarningsNotAsErrors Condition=" '$(AuditPipeline)' != 'true' ">$(WarningsNotAsErrors);$(NuGetAuditCodes)</WarningsNotAsErrors>
+</PropertyGroup>
+```
+
+Then in your pipeline, you run restore specifying the property used by the condition.
+For example, using GitHub Actions syntax:
+
+```yml
+- name: Restore with NuGet Auditing
+  run: dotnet restore -p:AuditPipeline=true
+```
+
+The property name `AuditPipeline` is only an example, and you can customize it as you wish, as long as the name is the same in both the MSBuild condition and the command line.
+MSBuild also uses environment variables when reading a property that has not yet been defined, so an environment variable is an alternative to the command line parameter.
+
+By using conditions to selectively cause NuGet Audit warnings to fail a restore, you can have a dedicated pipeline to check packages for known vulnerabilities, while preventing new security advisories from blocking your bug fixes at inconvenient times.
+Keeping NuGet Audit warnings enabled for local builds allows developers to get a non-blocking notification about new security advisories and can encourage upgrading package versions to fix the vulnerabilities more quickly than waiting for someone to check the audit pipeline status.
+
+### Ensure restore audited projects
 
 NuGet in MSBuild 17.13 and .NET 9.0.200 added output properties `RestoreProjectCount`, `RestoreSkippedCount` and `RestoreProjectsAuditedCount` on the restore task.
 This can be used to enforce that audit ran during a restore.

docs/consume-packages/managing-the-global-packages-and-cache-folders.md

@@ -11,12 +11,12 @@ ms.topic: conceptual
 
 Whenever you install, update, or restore a package, NuGet manages packages and package information in several folders outside of your project structure:
 
-| Name | Description and Location (per user)|
+| Name | Location |
 | --- | --- |
-| global-packages | The *global-packages* folder is where NuGet installs any downloaded package. Each package is fully expanded into a subfolder that matches the package identifier and version number. Projects using the [PackageReference](package-references-in-project-files.md) format always use packages directly from this folder. When using the [packages.config](../reference/packages-config.md), packages are installed to the *global-packages* folder, then copied into the project's `packages` folder.<br/><ul><li>Windows: `%userprofile%\.nuget\packages`</li><li>Mac/Linux: `~/.nuget/packages`</li><li>Override using the NUGET_PACKAGES environment variable, the `globalPackagesFolder` or `repositoryPath` [configuration settings](../reference/nuget-config-file.md#config-section) (when using PackageReference and `packages.config`, respectively), or the `RestorePackagesPath` MSBuild property (MSBuild only). The environment variable takes precedence over the configuration setting.</li></ul> |
-| http-cache | The Visual Studio Package Manager (NuGet 3.x+) and the `dotnet` tool store copies of downloaded packages in this cache (saved as `.dat` files), organized into subfolders for each package source. Packages are not expanded, and the cache has an expiration time of 30 minutes.<br/><ul><li>Windows: `%localappdata%\NuGet\v3-cache`</li><li>Mac/Linux: `~/.local/share/NuGet/v3-cache`</li><li>Override using the NUGET_HTTP_CACHE_PATH environment variable.</li></ul> |
-| temp | A folder where NuGet stores temporary files during its various operations.<br/><li>Windows: `%temp%\NuGetScratch`</li><li>Mac: `/tmp/NuGetScratch`</li><li>Linux: `/tmp/NuGetScratch<username>`</li><li>Override using the NUGET_SCRATCH environment variable.</li></ul> |
-| plugins-cache **4.8+** | A folder where NuGet stores the results from the operation claims request.<br/><ul><li>Windows: `%localappdata%\NuGet\plugins-cache`</li><li>Mac/Linux: `~/.local/share/NuGet/plugins-cache`</li><li>Override using the NUGET_PLUGINS_CACHE_PATH environment variable.</li></ul> |
+| [global-packages](#global-packages) | <ul><li>Windows: `%userprofile%\.nuget\packages`</li><li>Mac/Linux: `~/.nuget/packages`</li><li>Override using the NUGET_PACKAGES environment variable, the `globalPackagesFolder` or `repositoryPath` [configuration settings](../reference/nuget-config-file.md#config-section) (when using PackageReference and `packages.config`, respectively), or the `RestorePackagesPath` MSBuild property (MSBuild only). The environment variable takes precedence over the configuration setting.</li></ul> |
+| [http-cache](#http-cache) | <ul><li>Windows: `%localappdata%\NuGet\v3-cache`</li><li>Mac/Linux: `~/.local/share/NuGet/v3-cache`</li><li>Override using the NUGET_HTTP_CACHE_PATH environment variable.</li></ul> |
+| [temp](#temp) | <li>Windows: `%temp%\NuGetScratch`</li><li>Mac: `/tmp/NuGetScratch`</li><li>Linux: `/tmp/NuGetScratch<username>`</li><li>Override using the NUGET_SCRATCH environment variable.</li></ul> |
+| [plugins-cache](#plugin-cache) **4.8+** | <ul><li>Windows: `%localappdata%\NuGet\plugins-cache`</li><li>Mac/Linux: `~/.local/share/NuGet/plugins-cache`</li><li>Override using the NUGET_PLUGINS_CACHE_PATH environment variable.</li></ul> |
 
 > [!Note]
 > NuGet 3.5 and earlier uses *packages-cache* instead of the *http-cache*, which is located in `%localappdata%\NuGet\Cache`.
@@ -27,6 +27,54 @@ When asked to retrieve a package, NuGet first looks in the *global-packages* fol
 
 For more information, see [What happens when a package is installed?](../concepts/package-installation-process.md).
 
+## global-packages
+
+The *global-packages* folder is where NuGet installs any downloaded package.
+Each package is fully expanded into a subfolder that matches the package identifier and version number.
+Projects using the [PackageReference](package-references-in-project-files.md) format always use packages directly from this folder.
+When using the [packages.config](../reference/packages-config.md), packages are installed to the *global-packages* folder, then copied into the project's `packages` folder.
+
+### Cleaning the global-packages directory
+
+The global-packages directory needs to be manually cleaned to remove packages that are no longer used.
+You can do this with the `dotnet nuget locals global-packages --clean` command, or the "clear NuGet local resources" button in Visual Studio's options (equivalent to `dotnet nuget locals all --clear`).
+After clearing the global-packages directory, you will need to restore your projects again to redownload all required packages.
+In Visual Studio, you may need to reload your solution to clear NuGet's "up to date restores" cache, or alternatively do a command line restore (for example, within Visual Studio's terminal window) with `msbuild -t:restore your.sln`.
+
+To clean only unused packages, it's a two step process.
+First, there is a [nuget.config setting `updatePackageLastAccessTime`](../reference/nuget-config-file.md) that should be enabled.
+This setting will cause NuGet to update each package's `.nupkg.metadata` file when it is used in a restore.
+When restore runs, but a project is considered already up to date, the package timestamps are *not* updated.
+The `.nupkg.metadata` file is the last file that NuGet will create when downloading and extracting packages during a restore or install, and is the file that restore uses to check if a package has been extracted successfully.
+
+Second, run a tool to perform the cleanup.
+After the `updatePackageLastAccessTime` setting is enabled, we recommend waiting a few days to make sure that all the packages you use regularly have had their timestamps updated.
+
+At this time, NuGet does not provide a tool or command to do this.
+You can [add a 👍 reaction to this GitHub issue](https://github.com/NuGet/Home/issues/4980) to signal your interest.
+Some community members have created their own open source NuGet cleaner tools that you can search for.
+
+If you are going to write your own cleanup tool, it is important that the `.nupkg.metadata` file is deleted if any of the other package files are deleted, so we recommend that this file is deleted first.
+Otherwise projects referencing the package may have unexpected behavior.
+If writing a cleanup tool in .NET, consider using `ConcurrencyUtilities.ExecuteWithFileLocked[Async](..)` from the [NuGet.Common package](https://www.nuget.org/packages/NuGet.Common), passing the full nupkg path of the package directory you're going to delete as the key, to avoid deleting a package that restore is trying to extract at the same time.
+The global packages directory can be programatically found with the [NuGet.Configuration package](https://www.nuget.org/packages/NuGet.Configuration).
+Use `Settings.LoadDefaultSettings(path)` to get an `ISettings` instance (you can pass `null` as the path, or pass a directory if you want to handle solutions with a nuget.config that redirects the global-packages directory), and then use `SettingsUtility.GetGlobalPackagesFolder(settings)`.
+Alternatively, you can run `dotnet nuget locals global-packages --list` as a child process and parse the output.
+
+## http-cache
+
+NuGet will cache copies of most NuGet feed communications (excluding search), organized into subfolders for each package source.
+Packages are not expanded, and files with a last modified date older than 30 minutes are typically considered expired.
+
+## temp
+
+A folder where NuGet may store temporary files during its various operations.
+
+## plugin-cache
+
+A folder where NuGet stores the results from the operation claims request.
+See the [cross platform plugins reference](../reference/extensibility/NuGet-Cross-Platform-Plugins.md) for more information.
+
 ## Viewing folder locations
 
 You can view locations using the [nuget locals command](../reference/cli-reference/cli-ref-locals.md):

docs/nuget-org/TOC.md

@@ -8,6 +8,7 @@
 ## [Package ID prefix reservation](id-prefix-reservation.md)
 ## [Package deprecation](deprecate-packages.md)
 ## [Package readme](package-readme-on-nuget-org.md)
+## [Package sponsorship](package-sponsorship-on-nuget-org.md)
 # Policies
 ## [Data Requests](policies/Data-requests.md)
 ## [Dispute resolution](policies/dispute-resolution.md)

docs/nuget-org/media/sponsorship-add-link.png

@@ -0,0 +1,118 @@
+---
+title: Package sponsorship on NuGet.org
+description: Learn how to add sponsorship links to your NuGet packages and support package maintainers through NuGet.org's sponsorship feature.
+author: pranathibora14
+ms.author: prabora
+ms.date: 10/15/2025
+ms.topic: conceptual
+ai-usage: ai-generated
+---
+
+# Package sponsorship on NuGet.org
+
+The NuGet.org sponsorship feature makes it easier for package consumers to recognize and support the authors behind their favorite packages.
+
+NuGet.org enables package authors to add sponsorship URLs to their packages. These links appear when the "Sponsor" button on the package details page is selected.
+
+
+## Setting up sponsorship for package publishers
+
+### Prerequisites
+
+- You must be the owner or co-owner of a package on NuGet.org
+- Your sponsorship link platform must be from the approved list:
+  - GitHub Sponsors
+  - Patreon
+  - Open Collective
+  - Ko-fi
+  - Tidelift
+  - Liberapay
+
+### Navigate to your package management page
+
+1. Go to [NuGet.org](https://nuget.org) and sign in to your account.
+2. Select your username in the top right corner.
+3. Select **Manage Packages** from the dropdown menu.
+4. Find the package you want to add sponsorship information for and select the edit button.
+
+### Access sponsorship settings
+
+1. On your package management page, scroll down to find the **Sponsorship Links** section.
+2. Select to expand the collapsible **Sponsorship Links** section.
+3. You'll see a form where you can add sponsorship URLs.
+
+   ![Screenshot of the manage package page with the Sponsorship Links section](media/sponsorship-section-manage-package-page.png)
+
+### Add your sponsorship URLs
+
+1. Enter your sponsorship URL in the text field:
+   - Example: `https://github.com/sponsors/yourusername`
+   - Example: `https://www.patreon.com/yourusername`
+
+   ![Screenshot of the sponsorship URL form with example URL filled in](media/sponsorship-add-link.png)
+
+2. Select the **Add** button.
+3. The system automatically validates that your URL is from an approved platform.
+4. If any URLs are invalid or from non-approved platforms, you'll see error messages to correct them. Otherwise, you'll see a confirmation message that your sponsorship link has been saved.
+
+   ![Screenshot of a URL from a platform that is not approved](media/sponsorship-link-error-manage-package.png)
+
+5. Each added sponsorship URL will have a **Remove** button next to it if you need to delete it.
+6. You can add up to 10 different sponsorship URLs per package ID.
+
+### Verify your sponsorship URLs display correctly
+
+1. Navigate to your package's public page on NuGet.org.
+2. Look for the **Sponsor** button in the package details **About** section.
+3. Select the **Sponsor** button to test that your URLs appear correctly in the popup.
+
+   ![Screenshot of a package details page with the sponsorship links popup open](media/sponsorship-display-links.png)
+
+## Finding and supporting packages
+
+### Identify packages that need sponsorship
+
+1. Browse to any package page on NuGet.org.
+2. Look for packages displaying a **Sponsor** button in the package details section.
+3. The **Sponsor** button indicates that the package maintainer is seeking financial support.
+
+   ![Screenshot of a package details page with a Sponsor button](media/sponsorship-button-package-details-page.png)
+
+### View available sponsorship options
+
+1. Select the **Sponsor** button on the package page.
+2. A popup window appears showing all available sponsorship links for that package.
+
+   ![Screenshot of a package details page with the sponsorship links popup open](media/sponsorship-display-links.png)
+
+### Choose your preferred sponsorship platform
+
+1. Review the available sponsorship options in the popup.
+2. Select your preferred platform to be redirected to the external sponsorship page.
+3. The link opens in a new tab or window, keeping the NuGet package page open.
+
+> [!IMPORTANT]
+> These links take you to third-party platforms. Microsoft isn't affiliated with or responsible for the content or practices of third-party platforms, and we don't endorse them. Microsoft reserves the right to remove any allowed third-party platforms.
+
+## Frequently asked questions
+
+**Can I add sponsorship information to older versions of my package?**
+
+Yes! Sponsorship information is managed at the package ID level, so it automatically applies to all versions of your package, including previously published versions.
+
+**What happens if my sponsorship platform URL changes?**
+
+You can update your sponsorship URLs anytime through the package management page. Changes take effect immediately across all versions.
+
+**Can I see analytics on how many people selected my sponsorship links?**
+
+No, NuGet.org doesn't track sponsorship link selections. You'll need to check analytics on your sponsorship platform directly.
+
+**Can I add custom sponsorship platforms not on the approved list?**
+
+Currently, only the approved list of platforms is supported. This helps ensure security and legitimacy of sponsorship links. If you'd like to request a new platform to be added to the approved list, you can open an issue on the [NuGet Gallery repository](https://github.com/NuGet/NuGetGallery/issues).
+
+**Does NuGet.org store my financial information?**
+
+No personal or financial data is stored by NuGet.org. All transactions occur on secure external platforms that a maintainer chooses for sponsoring their packages.
+

docs/nuget-org/media/sponsorship-button-package-details-page.png

@@ -17,6 +17,7 @@ Updating last access time on file "C:\packages\contoso.library\1.0.0\.nupkg.meta
 
 ### Solution
 
-You have enabled an experimental feature that updates the last access of the .nupkg.metadata file in the NuGet global packages folder. 
+You have enabled a feature that updates the last access of the .nupkg.metadata file in the NuGet global packages folder.
 Failures are likely to be issues with permissions.
-The details of the failure reason will be contained in the error message. Consult that information for the exact action.
+The details of the failure reason will be contained in the error message.
+Consult that information for the exact action.