Merge pull request #45596 from dotnet/main

Merge main into live

Author: dotnet-policy-service[bot]

.github/workflows/quest-bulk.yml

@@ -1,8 +1,8 @@
 name: "bulk quest import"
 on:
   schedule:
-    - cron: '0 10 * * *' # UTC time, that's 5:00 am EST, 2:00 am PST.
-    - cron: '0 9 6 * *'  # This is the morning of the 6th.
+    - cron: '0 7 1-5,7-31 * *' # UTC time, that's 2:00 am EST, 11:00 pm PST.
+    - cron: '0 7 6 * *'  # This is the morning of the 6th.
 
   workflow_dispatch:
     inputs:
@@ -58,4 +58,4 @@ jobs:
           org: ${{ github.repository_owner }}
           repo: ${{ github.repository }}
           issue: '-1'
-          duration: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.duration || github.event.schedule == '0 9 6 * *' && -1 || 5 }}
+          duration: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.duration || github.event.schedule == '0 7 6 * *' && -1 || 5 }}

.openpublishing.redirection.core.json

@@ -1421,6 +1421,10 @@
         {
             "source_path_from_root": "/docs/core/testing/unit-testing-with-nunit.md",
             "redirect_url": "/dotnet/core/testing/unit-testing-csharp-with-nunit"
+        },
+        {
+            "source_path_from_root": "/docs/core/compatibility/sdk/9.0/nugetaudit-transitive-packages.md",
+            "redirect_url": "/dotnet/core/compatibility/sdk/10.0/nugetaudit-transitive-packages"
         }
     ]
 }

docs/ai/quickstarts/includes/ai-templates-azure-openai.md

@@ -70,19 +70,27 @@ After you install the AI app templates, you can use them to create starter apps
 
 [!INCLUDE [ai-templates-explore-app](ai-templates-explore-app.md)]
 
-## Create and configure the Azure OpenAI resource
+## Create and authenticate to the Azure OpenAI service
 
-To use the .NET AI templates, you'll need to create and authenticate to an Azure OpenAI service:
+To use the .NET AI templates with Azure OpenAI, you'll need to create and authenticate to an Azure OpenAI service.
+
+### Create the Azure OpenAI service
 
 1. [Create an Azure OpenAI Service resource](/azure/ai-services/openai/how-to/create-resource?pivots=web-portal) if you don't already have one available.
 
-2. Deploy the `gpt-4o-mini` and `text-embedding-3-small` models to your Azure OpenAI Service resource. When creating those deployments, give them the same names as the models (`gpt-4o-mini` and `text-embedding-3-small`). To learn how to deploy a model, see [Create a resource](/azure/ai-services/openai/how-to/create-resource?pivots=web-portal#deploy-a-model) in the Azure OpenAI docs.
+1. Deploy the `gpt-4o-mini` and `text-embedding-3-small` models to your Azure OpenAI Service resource. When creating those deployments, give them the same names as the models (`gpt-4o-mini` and `text-embedding-3-small`) so that they match the default template values. To learn how to deploy a model, see [Create a resource](/azure/ai-services/openai/how-to/create-resource?pivots=web-portal#deploy-a-model) in the Azure OpenAI docs.
+
+### Authenticate to the Azure OpenAI service
+
+The AI template uses Microsoft Entra ID for seamless, keyless authentication. It leverages [`DefaultAzureCredential`](/dotnet/api/azure.identity.defaultazurecredential) to automatically detect and utilize credentials from your development tools when running locally. To connect to the service, ensure your developer account has the appropriate roles assigned and is signed in to your local development tools.
+
+1. Assign a role to your developer account to access the Azure OpenAI resource:
 
-3. The AI template is configured to use Microsoft Entra ID for keyless authentication. Configure the Azure OpenAI resource for keyless authentication:
+    - In the Azure Portal, navigate to the overview page of your Azure OpenAI resource.
+    - Select **Access control (IAM)** from the left navigation.
+    - [Add a role assignment](/dotnet/azure/sdk/authentication/local-development-dev-accounts#assign-roles-to-the-group) for the `Azure AI Developer` role to your Azure account.
 
-- In the Azure Portal, navigate to the overview page of your Azure OpenAI resource.
-- Select **Access control (IAM)** from the left navigation.
-- [Add a role assignment](/azure/developer/ai/keyless-connections) for the `Azure AI Developer` role to your Azure account.
+1. [Sign-in to a local development tool](/dotnet/azure/sdk/authentication/local-development-dev-accounts#sign-in-to-azure-using-developer-tooling) such as Visual Studio or the Azure CLI using the Azure account you assigned the `Azure AI Developer` role to.
 
 ## Configure the app
 

docs/azure/includes/dotnet-all.md

@@ -52,6 +52,7 @@ If you're migrating an app to .NET 10, the breaking changes listed here might af
 | Title                                                                                                                | Type of change      | Introduced version |
 |----------------------------------------------------------------------------------------------------------------------|---------------------|--------------------|
 | [Default workload configuration from 'loose manifests' to 'workload sets' mode](sdk/10.0/default-workload-config.md) | Behavioral change   | Preview 2          |
+| [`dotnet restore` audits transitive packages](sdk/10.0/nugetaudit-transitive-packages.md)                            | Behavioral change   | Preview 3          |
 | [MSBUILDCUSTOMBUILDEVENTWARNING escape hatch removed](sdk/10.0/custom-build-event-warning.md)                        | Behavioral change   | Preview 1          |
 | [MSBuild custom culture resource handling](sdk/10.0/msbuild-custom-culture.md)                                       | Behavioral change   | Preview 1          |
 | [NU1510 is raised for direct references pruned by NuGet](sdk/10.0/nu1510-pruned-references.md)                       | Source incompatible | Preview 1          |

docs/azure/includes/dotnet-new.md

@@ -101,7 +101,6 @@ If you're migrating an app to .NET 9, the breaking changes listed here might aff
 
 | Title                                                                                     | Type of change      | Introduced version |
 |-------------------------------------------------------------------------------------------|---------------------|--------------------|
-| [`dotnet restore` audits transitive packages](sdk/9.0/nugetaudit-transitive-packages.md)  | Behavioral change   | Preview 6          |
 | [`dotnet sln add` doesn't allow invalid file names](sdk/9.0/dotnet-sln.md)                | Behavioral change   | 9.0.2xx            |
 | [`dotnet watch` incompatible with Hot Reload for old frameworks](sdk/9.0/dotnet-watch.md) | Behavioral change   | RC 1               |
 | [`dotnet workload` commands output change](sdk/9.0/dotnet-workload-output.md)             | Behavioral change   | Preview 1          |

docs/core/compatibility/10.0.md

@@ -1,58 +1,63 @@
----
-title: "Breaking change: 'dotnet restore' audits transitive packages"
-description: Learn about a breaking change in the .NET 9 SDK where 'dotnet restore' also produces security vulnerability warnings for transitive packages by default.
-ms.date: 11/14/2024
----
-# 'dotnet restore' audits transitive packages
-
-The [`dotnet restore` command](../../../tools/dotnet-restore.md), which restores the dependencies and tools of a project, now produces security vulnerability warnings for transitive packages by default.
-
-## Previous behavior
-
-In .NET 8, [NuGetAudit](../8.0/dotnet-restore-audit.md) was introduced to emit warnings for packages with known security vulnerabilities. By default, only direct package references were audited, however, it was possible to change the `NuGetAuditMode` property to include all packages.
-
-## New behavior
-
-Starting in .NET 9, `NuGetAuditMode` defaults to `all` if it hasn't been explicitly set. This setting means that *transitive packages* (dependencies of packages your project directly references) with known vulnerabilities now cause warnings to be reported.
-If your project treats warnings as errors, this behavior can cause restore failures.
-
-## Version introduced
-
-.NET 9 Preview 6
-
-## Type of breaking change
-
-This change is a [behavioral change](../../categories.md#behavioral-change).
-
-## Reason for change
-
-Packages with known vulnerabilities might cause your app to be exploitable, even if your project does not directly reference or use the vulnerable package.
-New features in .NET 9 also make it easier to investigate the package graph and to suppress advisories that aren't relevant to how your app uses the vulnerable package.
-
-## Recommended action
-
-- To explicitly reduce the probability of this change breaking your build due to warnings, you can consider your usage of `<TreatWarningsAsErrors>` and use `<WarningsNotAsErrors>NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>` to ensure known security vulnerabilities are still allowed in your environment.
-
-- Use tools such as `dotnet nuget why` to find the top-level package that caused the transitive package with the known vulnerability to be included, and try to upgrade it to see if the transitive vulnerability goes away. If not, promote the transitive package to a top-level package by adding a `PackageReference` for it, and upgrade it to a newer version.
-
-- If you want to suppress a specific advisory, you can add `<NuGetAuditSuppress Include="url" />` item to your project file, where `url` is the URL reported in NuGet's warning message.
-
-  ```xml
-  <ItemGroup>
-      <NuGetAuditSuppress Include="url" />
-  </ItemGroup>
-  ```
-
-- If you want to only be warned of direct package references with known vulnerabilities, you can set `<NuGetAuditMode>` to `direct` in your project file.
-
-  ```xml
-  <PropertyGroup>
-    <NuGetAuditMode>direct</NuGetAuditMode>
-  </PropertyGroup>
-  ```
-
-## See also
-
-- [Audit for security vulnerabilities (`dotnet restore`)](../../../tools/dotnet-restore.md#audit-for-security-vulnerabilities)
-- [Auditing package dependencies for security vulnerabilities](/nuget/concepts/auditing-packages)
-- [NuGetAudit 2.0: Elevating Security and Trust in Package Management](https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/)
+---
+title: "Breaking change: 'dotnet restore' audits transitive packages"
+description: Learn about a breaking change in the .NET 10 SDK where 'dotnet restore' also produces security vulnerability warnings for transitive packages by default.
+ms.date: 03/28/2025
+---
+# 'dotnet restore' audits transitive packages
+
+The [`dotnet restore` command](../../../tools/dotnet-restore.md), which restores the dependencies of a project, now produces security vulnerability warnings for transitive packages by default when the project targets .NET 10 or a later version.
+
+## Previous behavior
+
+[NuGetAudit](../8.0/dotnet-restore-audit.md) was introduced in .NET 8 to emit warnings for packages with known security vulnerabilities.
+By default, only direct package references were audited, however, it was possible to change the `NuGetAuditMode` property to include all packages.
+
+In .NET 9 preview 6, NuGetAuditMode's default was changed to `all` for all projects, and this change was reverted back to `direct` in the .NET 9.0.101 SDK.
+
+## New behavior
+
+When projects target .NET 10 or higher, then `NuGetAuditMode` defaults to `all` if it hasn't been explicitly set.
+This setting means that *transitive packages* (dependencies of packages your project directly references) with known vulnerabilities now cause warnings to be reported.
+If your project treats warnings as errors, this behavior can cause restore failures.
+
+If your project targets .NET 9 or lower, the default for `NuGetAuditMode` remains `direct`.
+
+## Version introduced
+
+.NET 10 Preview 3
+
+## Type of breaking change
+
+This change is a [behavioral change](../../categories.md#behavioral-change).
+
+## Reason for change
+
+Packages with known vulnerabilities might cause your app to be exploitable, even if your project does not directly reference or directly use the vulnerable package.
+
+## Recommended action
+
+- To prevent audit warnings being treated as errors, even when using `<TreatWarningsAsErrors>`, you can use `<WarningsNotAsErrors>NU1901;NU1902;NU1903;NU1904;$(WarningsNotAsErrors)</WarningsNotAsErrors>`.
+
+- Use tools such as `dotnet nuget why` to find the top-level package that caused the transitive package with the known vulnerability to be included, and try to upgrade it to see if the transitive vulnerability goes away. If not, promote the transitive package to a top-level package by adding a `PackageReference` for it, and upgrade it to a newer version.
+
+- If you want to suppress a specific advisory, you can add `<NuGetAuditSuppress Include="url" />` item to your project file, where `url` is the URL reported in NuGet's warning message.
+
+  ```xml
+  <ItemGroup>
+      <NuGetAuditSuppress Include="url" />
+  </ItemGroup>
+  ```
+
+- If you want to only be warned of direct package references with known vulnerabilities, you can set `<NuGetAuditMode>` to `direct` in your project file.
+
+  ```xml
+  <PropertyGroup>
+    <NuGetAuditMode>direct</NuGetAuditMode>
+  </PropertyGroup>
+  ```
+
+## See also
+
+- [Audit for security vulnerabilities (`dotnet restore`)](../../../tools/dotnet-restore.md#audit-for-security-vulnerabilities)
+- [Auditing package dependencies for security vulnerabilities](/nuget/concepts/auditing-packages)
+- [NuGetAudit 2.0: Elevating Security and Trust in Package Management](https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/)

docs/core/compatibility/9.0.md

@@ -42,6 +42,8 @@ items:
                 href: globalization/10.0/version-override.md
           - name: SDK and MSBuild
             items:
+              - name: "`dotnet restore` audits transitive packages"
+                href: sdk/10.0/nugetaudit-transitive-packages.md
               - name: Default workload configuration from 'loose manifests' to 'workload sets' mode
                 href: sdk/10.0/default-workload-config.md
               - name: MSBUILDCUSTOMBUILDEVENTWARNING escape hatch removed
@@ -166,8 +168,6 @@ items:
                 href: networking/9.0/query-redaction-logs.md
           - name: SDK and MSBuild
             items:
-              - name: "`dotnet restore` audits transitive packages"
-                href: sdk/9.0/nugetaudit-transitive-packages.md
               - name: "`dotnet sln add` doesn't allow invalid file names"
                 href: sdk/9.0/dotnet-sln.md
               - name: "`dotnet watch` incompatible with Hot Reload for old frameworks"
@@ -1910,6 +1910,8 @@ items:
         items:
           - name: .NET 10
             items:
+              - name: "`dotnet restore` audits transitive packages"
+                href: sdk/10.0/nugetaudit-transitive-packages.md
               - name: Default workload configuration from 'loose manifests' to 'workload sets' mode
                 href: sdk/10.0/default-workload-config.md
               - name: MSBUILDCUSTOMBUILDEVENTWARNING escape hatch removed
@@ -1920,8 +1922,6 @@ items:
                 href: sdk/10.0/nu1510-pruned-references.md
           - name: .NET 9
             items:
-              - name: "`dotnet restore` audits transitive packages"
-                href: sdk/9.0/nugetaudit-transitive-packages.md
               - name: "`dotnet sln add` doesn't allow invalid file names"
                 href: sdk/9.0/dotnet-sln.md
               - name: "`dotnet watch` incompatible with Hot Reload for old frameworks"

docs/core/compatibility/sdk/9.0/nugetaudit-transitive-packages.md renamed to docs/core/compatibility/sdk/10.0/nugetaudit-transitive-packages.md

@@ -22,7 +22,7 @@ The .NET platform has been designed to deliver productivity, performance, securi
 * **Adaptability across programming domains** (cloud, client, gaming) is enabled with specialized implementations of the general-purpose programming model.
 * **Industry standards** like OpenTelemetry and gRPC are favored over bespoke solutions.
 
-.NET is maintained by Microsoft and the community. It is regularly updated to ensure users deploy secure and reliable applications to production.
+.NET is maintained collaboratively by Microsoft and a global community. Regular updates ensure users deploy secure and reliable applications to production environments.
 
 ## Components
 
@@ -42,9 +42,9 @@ The core libraries expose thousands of types, many of which integrate with and f
 
 Support for doing multiple things at the same time is fundamental to practically all workloads. That could be client applications doing background processing while keeping the UI responsive, services handling many thousands of simultaneous requests, devices responding to a multitude of simultaneous stimuli, or high-powered machines parallelizing the processing of compute-intensive operations. Asynchronous programming support is a first-class feature of the C# programming language, which provides the `async` and `await` keywords that make it easy to write and compose asynchronous operations while still enjoying the full benefits of all the control flow constructs the language has to offer.
 
-The [type system](../standard/base-types/common-type-system.md) offers significant breadth, catering somewhat equally to safety, descriptiveness, dynamism, and native interop. First and foremost, the type system enables an object-oriented programming model. It includes types, (single base class) inheritance, interfaces (including default method implementations), and virtual method dispatch to provide a sensible behavior for all the type layering that object orientation allows. [Generic types](../standard/generics.md) are a pervasive feature that let you specialize classes to one or more types.
+The [type system](../standard/base-types/common-type-system.md) offers significant breadth, catering somewhat equally to safety, descriptiveness, dynamism, and native interop. First and foremost, the type system enables an object-oriented programming model. It includes types, (single base class) inheritance, interfaces (including default method implementations), and virtual method dispatch to provide a sensible behavior for all the type layering that object orientation allows. [Generic types](../standard/generics.md) are ubiquitous and let you specialize classes to one or more types.
 
-The .NET runtime provides automatic memory management via a garbage collector. For any language, its memory management model is likely its most defining characteristic. This is true for .NET languages. .NET has a self-tuning, tracing GC. It aims to deliver "hands off" operation in the general case while offering configuration options for more extreme workloads. The current GC is the result of many years of investment and learnings from a multitude of workloads.
+The .NET runtime provides automatic memory management via a garbage collector. For any language, its memory management model is likely its most defining characteristic. This is true for .NET languages. .NET has a self-tuning, tracing GC. It aims to deliver "hands-off" use in the general case while offering configuration options for more extreme workloads. The current GC is the result of many years of investment and learnings from a multitude of workloads.
 
 Value types and stack-allocated memory blocks offer more direct, low-level control over data and native platform interop, in contrast to .NET's GC-managed types. Most of the primitive types in .NET, like integer types, are value types, and users can define their own types with similar semantics. Value types are fully supported through .NET's generics system, meaning that generic types like `List<T>` can provide flat, no-overhead memory representations of value type collections.
 
@@ -68,7 +68,7 @@ NuGet is the package manager for .NET. It contains hundreds of thousands of pack
 
 .NET is [supported by multiple organizations](https://github.com/dotnet/core/blob/main/support.md) that work to ensure that .NET can run on [multiple operating systems](https://github.com/dotnet/core/blob/main/os-lifecycle-policy.md) and is kept up to date. It can be used on Arm64, x64, and x86 architectures.
 
-New versions of .NET are released annually in November, per our [releases and support policies](releases-and-support.md). It is [updated monthly](https://github.com/dotnet/announcements/labels/Monthly-Update) on Patch Tuesday (second Tuesday), typically at 10AM Pacific time.
+New versions of .NET are released annually in November, per our [releases and support policies](releases-and-support.md). It is [updated monthly](https://github.com/dotnet/announcements/labels/Monthly-Update) on Patch Tuesday (second Tuesday), typically at 10 AM Pacific time.
 
 ## .NET ecosystem