Fix it fast
Most likely: NuGet audit data found a high-severity vulnerability in one resolved direct or transitive package version.
1. Confirm this is your error
warning NU1903: Package 'Example.Package' 1.0.0 has a known high severity vulnerability.
2. Check the cause
dotnet list package --vulnerable --include-transitive
dotnet restore -v normal
# Search project and NuGet config files recursively for audit and warning settings.
grep -R -n -E "NuGetAudit|WarningsAsErrors|NoWarn" --include="*.csproj" --include="Directory.Packages.props" --include="NuGet.Config" .
3. Apply the safe fix
# Upgrade the vulnerable package to a fixed version.
dotnet add package <package-id> --version <fixed-version>
# If the vulnerable package is transitive, upgrade the direct dependency that brings it in.
dotnet restore
dotnet build
4. Verify it works
dotnet list package --vulnerable --include-transitive
dotnet restore
dotnet build
Don't use unsafe shortcuts
- Do not silence NU1903 before confirming the affected package, risk, and remediation plan.
- Do not pin a vulnerable transitive package just to satisfy another version constraint.
- Do not assume local restore and CI use the same audit settings; check the repo and CI config.
What Broke in the Dependency Graph
This is NuGet flagging a resolved package version in the dependency graph as having a known high-severity vulnerability. The important detail is which package and version is flagged and which dependency brings it in, not just the final warning code.
Repair the dependency graph
Identify the vulnerable package and which dependency brings it in with dotnet list package --include-transitive.
Upgrade to a fixed version directly, or by upgrading the parent package.
If you must ship temporarily, suppress NU190x explicitly and track remediation.
Why Resolution Broke
Usually this comes down to one of three things: a direct or transitive dependency resolves to a vulnerable version, version pins or constraints prevent upgrading to a fixed version, or a vulnerability data update newly classifies a version as vulnerable.
Prove the Graph Is Clean Again
dotnet restore no longer emits NU1903, or it is explicitly suppressed with intent.
The resolved graph contains the upgraded, non-flagged version.
Validation
Re-run the failing command and confirm the original code/message is gone, and confirm expected artifacts or outputs exist (packages restored, build/publish succeeds).
Mechanism
During restore, NuGet can audit packages against vulnerability data. NU1903 is emitted when a resolved version is flagged as high severity and may fail builds when warnings are treated as errors.
Keep the Dependency Graph Healthy
To prevent this, automate dependency updates and auditing in CI, and prefer lock files and periodic controlled refreshes to handle vulnerability-driven upgrades.
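One way to automate the audit check in CI, as an added example that is not part of the original page: a gate that reads the output of `dotnet list package --vulnerable --include-transitive --format json` and fails on high or critical findings, telling direct packages apart from transitive ones because the fix differs. The JSON field names are assumed from that command's output, and the sample report, package names and advisory URLs are constructed placeholders.

```python
import json
import sys

RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}
KINDS = (("direct", "topLevelPackages"), ("transitive", "transitivePackages"))

def find_vulnerable(report, min_severity="high"):
    """Return sorted (project, framework, kind, id, version, severity, advisory) tuples."""
    threshold = RANK[min_severity]
    found = set()
    for proj in report.get("projects", []):
        # Projects with nothing flagged may carry no "frameworks" key at all.
        for fw in proj.get("frameworks", []):
            for kind, key in KINDS:
                for pkg in fw.get(key, []):
                    for vuln in pkg.get("vulnerabilities", []):
                        sev = vuln.get("severity", "unknown").lower()
                        # An unrecognised severity label is reported, never skipped.
                        if RANK.get(sev, threshold) >= threshold:
                            found.add((proj.get("path", "?"), fw.get("framework", "?"), kind,
                                       pkg["id"], pkg.get("resolvedVersion", "?"), sev,
                                       vuln.get("advisoryurl", "")))
    return sorted(found)

def gate(report, min_severity="high"):
    """Print one line per finding with the matching fix; return a CI exit code."""
    findings = find_vulnerable(report, min_severity)
    for path, fw, kind, pkg_id, version, sev, url in findings:
        fix = ("upgrade this package" if kind == "direct"
               else "upgrade the direct dependency that brings it in")
        print(f"{path} [{fw}] {kind} {pkg_id} {version} ({sev}) {url}: {fix}")
    return 1 if findings else 0

# Constructed sample report; package names and advisory URLs are placeholders.
SAMPLE = {"version": 1, "projects": [
    {"path": "src/Lib/Lib.csproj"},
    {"path": "src/App/App.csproj", "frameworks": [{
        "framework": "net8.0",
        "topLevelPackages": [{"id": "Example.Package", "resolvedVersion": "1.0.0",
            "vulnerabilities": [{"severity": "High",
                                 "advisoryurl": "https://example.invalid/advisory-a"}]}],
        "transitivePackages": [{"id": "Example.Transitive", "resolvedVersion": "2.3.0",
            "vulnerabilities": [{"severity": "Moderate",
                                 "advisoryurl": "https://example.invalid/advisory-b"}]}]}]}]}

if __name__ == "__main__":
    # Usage: python audit_gate.py report.json  (no argument: run on the sample)
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    sys.exit(gate(report))
```

Running the same script locally and in CI against the same threshold also surfaces the case where the two environments use different audit settings.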