NuGet Warning NU1900

Example 1

warning NU1900: Error occurred while getting package vulnerability data: (more information)

Issue

Vulnerability data could not be downloaded from one of the package sources.

Solution

This warning generally means that there is a problem with the package source.

If the error is related to networking, such as unable to connect to server, a timeout, a DNS error, and so on, then retrying after waiting a few minutes might resolve the issue. If you use a hosted package source, try checking their server status page to see if there is a known outage.

If the error is a JSON deserialization error, this suggests the package source returned invalid data to NuGet. You can try clearing NuGet's HTTP cache (dotnet nuget locals http-cache --clear from the command line) and try again. If issues persist, then contact the package source administrators.

For more information, see the documentation on auditing packages.

Example 2

warning NU1900: Package 'Contoso.Utilities' 1.0.0 has a known unknown severity vulnerability, https://cve.contoso.com/advisories/1

Issue

The server provided vulnerability data for the package, but provided an invalid severity value. If you know which package source provided the invalid data, you can contact the server administrators to inform them that their vulnerability data does not comply with NuGet's server API. Once packages have been restored into your global packages folder, you can comment out all but one package source in your nuget.config file, and re-run restore until you find which package source is providing the invalid data.