Summary
When uploading a new release to NuGet.org, the package author should be able to choose to indicate whether the new version contains security fixes and which versions are affected.
Details
Tracking vulnerable NuGet packages is currently not an easy task. A lot of projects do not issue CVEs, and if they do, they do not correlate the CVEs to their NuGet package. NuGet should support, at the gallery layer, indicating whether a package version should be avoided due to known vulnerabilities.
This proposal would have 3 main changes:
Add new UI elements on the package upload page to indicate a security release and affected versions
Change the "Version History" page to indicate previous versions that may contain vulnerabilities
Add additional info to the API response to include a flag on versions which contain vulnerabilities and which package version they should upgrade to
Implementation
Here are some examples of UI changes that may occur:
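The first and third changes in the proposal (the author stating which versions are affected, and the API carrying a per-version flag plus an upgrade target) can be sketched end to end. The following is an added example and not NuGet's or the gallery's own code. It assumes the author expresses affected versions as a NuGet version range string such as `[1.0.0, 1.2.1)`, and it assumes the response field names `vulnerable` and `upgradeTo`; the proposal does not specify either. The gallery side expands the range over the published versions; the client side reads a project's `PackageReference` entries, resolves each the way restore does (lowest published version satisfying the reference) and reports flagged packages with the version to move to. Restore's pre-release filtering is omitted.

```python
"""Added example (not NuGet code): expand an author-supplied "affected
versions" range into per-version flags, then audit a csproj against them.
Field names "vulnerable" and "upgradeTo" are assumptions."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from functools import total_ordering
from typing import Optional

_VERSION_RE = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(\d+))?"
    r"(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")
_RANGE_RE = re.compile(r"^([\[(])\s*([^,\])]*)\s*(?:,\s*([^\])]*))?\s*([\])])$")


@total_ordering
@dataclass(frozen=True)
class NuGetVersion:
    parts: tuple        # (major, minor, patch, revision); 1.0 == 1.0.0 == 1.0.0.0
    prerelease: tuple   # () for a stable release

    @classmethod
    def parse(cls, text):
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"not a NuGet version: {text!r}")
        nums = tuple(int(g or 0) for g in m.groups()[:4])
        label = m.group(5)
        pre = tuple(cls._ident(p) for p in label.split(".")) if label else ()
        return cls(nums, pre)

    @staticmethod
    def _ident(p):
        # numeric identifiers compare numerically and sort before alphanumeric ones
        return (0, int(p), "") if p.isdigit() else (1, 0, p.lower())

    def _key(self):
        # a stable release sorts after every pre-release of the same number
        return (self.parts, not self.prerelease, self.prerelease)

    def __lt__(self, other):
        return self._key() < other._key()


@dataclass(frozen=True)
class VersionRange:
    lower: Optional[NuGetVersion]
    lower_inclusive: bool
    upper: Optional[NuGetVersion]
    upper_inclusive: bool

    @classmethod
    def parse(cls, text):
        text = text.strip()
        m = _RANGE_RE.match(text)
        if not m:
            # bare "1.0.0" is NuGet shorthand for [1.0.0, )
            return cls(NuGetVersion.parse(text), True, None, False)
        lo = m.group(2).strip()
        hi = lo if m.group(3) is None else m.group(3).strip()  # "[1.0.0]" pins one version
        return cls(NuGetVersion.parse(lo) if lo else None, m.group(1) == "[",
                   NuGetVersion.parse(hi) if hi else None, m.group(4) == "]")

    def contains(self, v):
        if self.lower is not None and (v < self.lower or (v == self.lower and not self.lower_inclusive)):
            return False
        if self.upper is not None and (v > self.upper or (v == self.upper and not self.upper_inclusive)):
            return False
        return True


def flag_versions(published, affected_range, fixed_version):
    """Gallery side: turn the author's affected range into per-version entries."""
    rng = VersionRange.parse(affected_range)
    entries = []
    for v in published:
        vulnerable = rng.contains(NuGetVersion.parse(v))
        entry = {"version": v, "vulnerable": vulnerable}
        if vulnerable:
            entry["upgradeTo"] = fixed_version
        entries.append(entry)
    return entries


def package_references(csproj_xml):
    root = ET.fromstring(csproj_xml)
    return [(e.get("Include"), e.get("Version")) for e in root.iter("PackageReference")]


def resolve(reference, entries):
    """Restore picks the lowest published version that satisfies the reference."""
    rng = VersionRange.parse(reference)
    candidates = [e for e in entries if rng.contains(NuGetVersion.parse(e["version"]))]
    return min(candidates, key=lambda e: NuGetVersion.parse(e["version"]), default=None)


def audit(csproj_xml, api):
    """Client side: (package, resolved version, upgradeTo) for each flagged reference."""
    findings = []
    for pkg, ref in package_references(csproj_xml):
        chosen = resolve(ref, api.get(pkg, []))
        if chosen and chosen["vulnerable"]:
            findings.append((pkg, chosen["version"], chosen["upgradeTo"]))
    return findings


# Constructed sample data: package ids, versions and the csproj are made up.
PUBLISHED = ["1.0.0", "1.1.0", "1.2.0-beta.1", "1.2.0", "1.2.1", "2.0.0"]
SAMPLE_API = {
    "Contoso.Widgets": flag_versions(PUBLISHED, "[1.0.0, 1.2.1)", "1.2.1"),
    "Contoso.Widgets.Extras": flag_versions(["1.0.0", "2.0.0"], "[1.0.0]", "2.0.0"),
}
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Contoso.Widgets" Version="1.1.0" />
    <PackageReference Include="Contoso.Widgets.Extras" Version="2.0.0" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for pkg, ver, fix in audit(SAMPLE_CSPROJ, SAMPLE_API):
        print(f"{pkg} {ver} is flagged; upgrade to {fix}")
```

The range parser follows NuGet's bracket notation (inclusive `[`/`]`, exclusive `(`/`)`, a bare version meaning "at least that version"), so the same code serves both the upload form's "affected versions" input and a `PackageReference` that uses a range.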
I think this is tied to the package deprecation feature, where authors can deprecate certain packages and provide reasons and recommended package+versions: NuGet/Home#2867