dotnet · gewarren · Jul 31, 2023 · Jul 28, 2023 · Jul 28, 2023
@@ -1,16 +1,14 @@
 ---
 title: Breaking changes in .NET Core 3.1
 description: Lists the breaking changes in version 3.1 of .NET Core and ASP.NET Core.
-ms.date: 06/22/2022
+ms.date: 07/28/2023
 ---
 # Breaking changes in .NET Core 3.1
 
 If you're migrating to version 3.1 of .NET Core or ASP.NET Core, the breaking changes listed in this article may affect your app.
 
 ## ASP.NET Core
 
-- [HTTP: Browser SameSite changes impact authentication](#http-browser-samesite-changes-impact-authentication)
-
 [!INCLUDE[HTTP: Browser SameSite changes impact authentication](~/includes/core-changes/aspnetcore/3.1/http-cookie-samesite-authn-impacts.md)]
 
 ***
@@ -21,16 +19,15 @@ If you're migrating to version 3.1 of .NET Core or ASP.NET Core, the breaking ch
 
 ## MSBuild
 
-- [Design-time builds only return top-level package references](#design-time-builds-only-return-top-level-package-references)
-
 [!INCLUDE [design-time-builds-return-top-level-package-refs](../../../includes/core-changes/msbuild/3.1/design-time-builds-return-top-level-package-refs.md)]
 
 ***
 
-## Windows Forms
+## SDK
 
-- [Removed controls](#removed-controls)
-- [CellFormatting event not raised if tooltip is shown](#cellformatting-event-not-raised-if-tooltip-is-shown)
+[Tool manifests in root folder](sdk/7.0/manifest-search.md)
+
+## Windows Forms
 
 [!INCLUDE[Removed controls](~/includes/core-changes/windowsforms/3.1/remove-controls-3.1.md)]
 

@@ -2,7 +2,7 @@
 title: Breaking changes in .NET 6
 titleSuffix: ""
 description: Navigate to the breaking changes in .NET 6.
-ms.date: 06/22/2022
+ms.date: 07/28/2023
 no-loc: [Blazor, Razor, Kestrel]
 ---
 # Breaking changes in .NET 6
@@ -145,6 +145,7 @@ For information on other breaking changes for containers in .NET 6, see [.NET 6
 | [Publish ReadyToRun with --no-restore requires changes](sdk/6.0/publish-readytorun-requires-restore-change.md) | ✔️ | ❌ | 6.0.100 |
 | [runtimeconfig.dev.json file not generated](sdk/6.0/runtimeconfigdev-file.md) | ❌ | ✔️ | 6.0.100 |
 | [RuntimeIdentifier warning if self-contained is unspecified](sdk/6.0/runtimeidentifier-self-contained.md) | ✔️ | ❌ | RC 1 |
+| [Tool manifests in root folder](sdk/7.0/manifest-search.md) | ✔️ | ✔️ | 6.0.4xx, 6.0.3xx, 6.0.1xx |
 | [Version requirements for .NET 6 SDK](sdk/6.0/vs-msbuild-version.md) | ✔️ | ✔️ | 6.0.300 |
 | [.version file includes build version](sdk/6.0/version-file-entries.md) | ✔️ | ✔️ | 6.0.401 |
 | [Write reference assemblies to IntermediateOutputPath](sdk/6.0/write-reference-assemblies-to-obj.md) | ❌ | ✔️ | 6.0.200 |

@@ -2,7 +2,7 @@
 title: Breaking changes in .NET 7
 titleSuffix: ""
 description: Navigate to the breaking changes in .NET 7.
-ms.date: 05/18/2023
+ms.date: 07/28/2023
 no-loc: [Blazor, Razor, Kestrel]
 ---
 # Breaking changes in .NET 7
@@ -130,6 +130,7 @@ If you're migrating an app to .NET 7, the breaking changes listed here might aff
 | [Console encoding not UTF-8 after completion](sdk/8.0/console-encoding-fix.md) | ❌ | ✔️ |
 | [MSBuild serialization of custom types in .NET 7](sdk/7.0/custom-serialization.md) | ❌ | ❌ |
 | [Side-by-side SDK installations](sdk/7.0/side-by-side-install.md) | ❌ | ❌ |
+| [Tool manifests in root folder](sdk/7.0/manifest-search.md) | ✔️ | ✔️ |
 | [Version requirements for .NET 7 SDK](sdk/7.0/vs-msbuild-version.md) | ✔️ | ✔️ |
 | [dotnet test: switch `-a` to alias `--arch` instead of `--test-adapter-path`](https://github.com/dotnet/sdk/issues/21389) | ❌ | ❌ |
 | [dotnet test: switch `-r` to alias `--runtime` instead of `--results-dir`](https://github.com/dotnet/sdk/issues/21952) | ❌ | ❌ |

@@ -0,0 +1,41 @@
+---
+title: "Breaking change: Tool manifests in root folder"
+description: Learn about a breaking change where the .NET SDK no longer looks for local tool manifests in the root folder on Windows.
+ms.date: 07/28/2023
+---
+# Tool manifests in root folder
+
+.NET no longer looks for local tool manifest files in the root folder on Windows, unless overridden via the `DOTNET_TOOLS_ALLOW_MANIFEST_IN_ROOT` environment variable. This change does not impact Linux or macOS.
+
+## Previous behavior
+
+Previously, .NET SDK local tools checked the root folder on all platforms when searching for a tool manifest. The search continued from the current directory up the directory tree to the root folder until it found a manifest. At each level, .NET searches for the tool manifest, named *dotnet-tools.json*, in a *.config* subfolder. On a Windows system, if no other tool manifest was found, the SDK ultimately looked for a tool manifest in *C:\\.config\dotnet-tools.json*.
+
+## New behavior
+
+.NET no longer searches in the root folder of the current directory tree by default on Windows, unless overridden via the `DOTNET_TOOLS_ALLOW_MANIFEST_IN_ROOT` environment variable. `DOTNET_TOOLS_ALLOW_MANIFEST_IN_ROOT` is set to `false` by default.
+
+## Version introduced
+
+- .NET SDK 7.0.3xx
+- .NET SDK 7.0.1xx
+- .NET SDK 6.0.4xx
+- .NET SDK 6.0.3xx
+- .NET SDK 6.0.1xx
+- .NET SDK 3.1.4xx
+
+## Type of breaking change
+
+This change is a [behavioral change](../../categories.md#behavioral-change).
+
+## Reason for change
+
+This change was made to address a security concern. Since all users can create files and folders in the *C:\\* directory on Windows, low-privilege attackers can hijack the *C:\\.config\dotnet-tools.json* file. When an administrator runs a `dotnet` tool command, the tool could potentially read malicious configuration information from the file and download and run malicious tools.
+
+## Recommended action
+
+To disable the new behavior, set the `DOTNET_TOOLS_ALLOW_MANIFEST_IN_ROOT` environment variable to `true` or `1`.
+
+## See also
+
+- [Tutorial: Install and use a .NET local tool using the .NET CLI](../../../tools/local-tools-how-to-use.md)
@@ -274,16 +274,18 @@ items:
         href: sdk/7.0/automatic-rid-publish-only.md
       - name: CLI console output uses UTF-8
         href: sdk/8.0/console-encoding.md
-      - name: Version requirements for .NET 7 SDK
+      - name: Version requirements
         href: sdk/7.0/vs-msbuild-version.md
       - name: SDK no longer calls ResolvePackageDependencies
         href: sdk/7.0/resolvepackagedependencies.md
-      - name: Serialization of custom types in .NET 7
+      - name: Serialization of custom types
         href: sdk/7.0/custom-serialization.md
       - name: Side-by-side SDK installations
         href: sdk/7.0/side-by-side-install.md
       - name: --output option no longer is valid for solution-level commands
         href: sdk/7.0/solution-level-output-no-longer-valid.md
+      - name: Tool manifests in root folder
+        href: sdk/7.0/manifest-search.md
     - name: Serialization
       items:
       - name: BinaryFormatter serialization APIs produce compiler errors
@@ -488,6 +490,8 @@ items:
         href: sdk/6.0/runtimeconfigdev-file.md
       - name: RuntimeIdentifier warning if self-contained is unspecified
         href: sdk/6.0/runtimeidentifier-self-contained.md
+      - name: Tool manifests in root folder
+        href: sdk/7.0/manifest-search.md
       - name: Version requirements for .NET 6 SDK
         href: sdk/6.0/vs-msbuild-version.md
       - name: .version file includes build version
@@ -1444,6 +1448,8 @@ items:
         href: sdk/7.0/side-by-side-install.md
       - name: --output option no longer is valid for solution-level commands
         href: sdk/7.0/solution-level-output-no-longer-valid.md
+      - name: Tool manifests in root folder
+        href: sdk/7.0/manifest-search.md
     - name: .NET 6
       items:
       - name: -p option for `dotnet run` is deprecated
@@ -1470,6 +1476,8 @@ items:
         href: sdk/6.0/runtimeconfigdev-file.md
       - name: RuntimeIdentifier warning if self-contained is unspecified
         href: sdk/6.0/runtimeidentifier-self-contained.md
+      - name: Tool manifests in root folder
+        href: sdk/7.0/manifest-search.md
       - name: Version requirements for .NET 6 SDK
         href: sdk/6.0/vs-msbuild-version.md
       - name: .version file includes build version

@@ -8,7 +8,7 @@ ms.date: 04/04/2023
 
 **This article applies to:** ✔️ .NET Core 3.1 SDK and later versions
 
-In this article, you'll learn about the environment variables used by .NET SDK, .NET CLI, and .NET runtime. Some environment variables are used by the .NET runtime, while others are only used by the .NET SDK and .NET CLI. Some environment variables are used by all.
+In this article, you'll learn about the environment variables used by .NET. Some environment variables are used by the .NET runtime, while others are only used by the .NET SDK and .NET CLI. Some environment variables are used by all three components.
 
 ## .NET runtime environment variables
 
@@ -287,7 +287,11 @@ Disables background download of advertising manifests for workloads. Default is
 
 ### `DOTNET_CLI_WORKLOAD_UPDATE_NOTIFY_INTERVAL_HOURS`
 
-Specifies the minimum number of hours between background downloads of advertising manifests for workloads. Default is `24` - no more frequently than once a day. For more information, see [Advertising manifests](dotnet-workload-install.md#advertising-manifests).
+Specifies the minimum number of hours between background downloads of advertising manifests for workloads. The default is `24`, which is no more frequently than once a day. For more information, see [Advertising manifests](dotnet-workload-install.md#advertising-manifests).
+
+### `DOTNET_TOOLS_ALLOW_MANIFEST_IN_ROOT`
+
+Specifies whether .NET SDK local tools search for tool manifest files in the root folder on Windows. The default is `false`.
 
 ### `COREHOST_TRACE`