So Microsoft Deleted Some of Our Packages From NuGet.org Without Notice

Aaron on the Web's resource offers insights, tutorials, and resources for software developers and technology enthusiasts. Readers can learn about coding best practices, software architecture patterns, and emerging technologies. With articles, tutorials, and code samples, Aaron on the Web provides  guidance and expertise for building software applications and advancing technical skills.

Aaronontheweb

Microsoft deleted NuGet packages from third-party developers without notice to address a security vulnerability in their Microsoft.Identity.Client package. The vulnerability was a typo in XML documentation pointing to a phishing URL, not a critical runtime issue. This action bypassed normal CVE disclosure processes and created concerns about package availability guarantees, Microsoft's privileged access to NuGet operations, and the arbitrary nature of the deletions. The incident highlights tensions between security remediation and package ecosystem stability.

An uncomfortable precedent that should not be repeated - even for CVEs.

Microsoft.Identity.Client Security Vulnerabilities