Invalid //license and //third-party-notices entries in [Content_Types].xml in NuGet packages #189
Description
Summary
When downloading and re-publishing the PhotoSauce.MagicScaler NuGet package version 0.14.2 to an internal Azure DevOps NuGet feed, an error occurs due to malformed entries in the [Content_Types].xml file within the .nupkg.
The problematic lines are:
<Override PartName="//license" ContentType="application/octet" />
<Override PartName="//third-party-notices" ContentType="application/octet" />These paths (//license) are invalid and cause errors in systems that strictly validate the NuGet package structure (e.g., Azure DevOps Artifacts).
Impact
This issue likely affects all versions of all packages where these files are included. Every .nupkg built with the current configuration may contain the same malformed paths.
Steps to Reproduce
- Download the package from NuGet.org: https://www.nuget.org/api/v2/package/PhotoSauce.MagicScaler/0.14.2
- Try to opened package by bellow scripts:
Add-Type -AssemblyName WindowsBase
$packagePath = "C:\repositories\PhotoSauce\out\nuget\PhotoSauce.MagicScaler.0.14.2.nupkg"
try {
$fileStream = [System.IO.File]::OpenRead($packagePath)
try {
$package = [System.IO.Packaging.ZipPackage]::Open($fileStream)
try {
foreach ($part in $package.GetParts()) {
$null = $part.Uri
}
Write-Host "OK" -ForegroundColor Green
}
finally {
$package.Close()
}
}
finally {
$fileStream.Close()
}
}
catch {
Write-Host "Error in package" -ForegroundColor Red
Write-Host "Details: $($_.Exception.Message)" -ForegroundColor Yellow
}Expected Behavior
The entries should be:
<Override PartName="/license" ContentType="application/octet" />
<Override PartName="/third-party-notices" ContentType="application/octet" />Possible Cause
This issue may stem from how files located outside the project directory (e.g., license and third-party-notices referenced via $(RepositoryRoot)) are included in the .csproj and packed using Pack="true" with PackagePath="/".
Because the files are not explicitly given a Link metadata or a normalized PartName, NuGet may incorrectly resolve the path, resulting in malformed entries like //license in [Content_Types].xml.
This appears related to NuGet/Home#12948, which discusses incorrect path handling for content files located outside the project root, particularly when combined with custom PackagePath or missing Link.
This could be due to how license and third-party-notices files are included in the .csproj using $(RepositoryRoot) without Link metadata or proper path normalization. The PackagePath="/" combined with paths outside the project root might be resolved incorrectly during packing. This
In the Common.props update the item group to use Link to control internal file names:
<None Include="$(RepositoryRoot)license" Pack="true" PackagePath="" />
<None Include="$(RepositoryRoot)third-party-notices" Pack="true" PackagePath="" />Alternatively, ensure the paths are normalized or absolute when packing.
Environment
- Package: PhotoSauce.MagicScaler
- Version: 0.14.2
- Issue occurs when re-packing or validating the .nupkg file