Chocolatey Release Notes - Open Source

This covers changes for the "chocolatey" and "chocolatey.lib" packages, which are available as FOSS.

NOTE: For licensed versions, refer to both this set of release notes and Licensed Release Notes.

0.10.7 (June 8, 2017)

BREAKING CHANGES

BUG FIXES

IMPROVEMENTS

0.10.6.1 (June 3, 2017)

BUG FIXES

0.10.6 (June 1, 2017)

This release includes fixes and adjustments to the API to make it more usable. Search/list now returns better data in verbose/detailed mode, and info now always returns a package with information instead of sometimes erroring. The search results from the community package repository now match what you see on the website.

BUG FIXES

IMPROVEMENTS

0.10.5 (March 30, 2017)

BUG FIXES

IMPROVEMENTS

0.10.4 (March 30, 2017)

We're dubbing this the "10–4 good buddy" release. We've added some major functionality and fixes we think you are going to find top notch - dare we say as smooth as really expensive chocolate? A lot of work for this release has been provided by the community. Remember that Chocolatey is only as good as the support that comes from the community! Be sure to thank other community members for the awesome that is Chocolatey and Chocolatey 10–4. We've closed over 30 bugs and added over 40 enhancements (75 tickets in total)!

Proxy support just got some major enhancements with the ability to not only specify proxy information at runtime, but also to set bypass lists and bypassing on local connections and configure source repositories to bypass proxies. A major issue with changing command execution timeout was just fixed. And there used to be a tiny chance you might corrupt the choco config when running multiple choco processes, but now that is much better handled.

We've also made package itself display download progress, which is great when software binaries are embedded in packages. For you folks looking to remove any progress (like when using Vagrant), now you can use --no-progress. When NuGet.Core has issues, those issues will have more visibility into why things are failing without needing a debugging log. Speaking of some extreme visibility, see network traffic with --trace.

We've got a few possible breaking changes that could affect you, see what we've written about them below.

This also marks the first release that uses the Chocolatey Software digital certificate for signing instead of the RealDimensions Software, LLC certificate.

Another major feature released in preview is using remembered arguments on upgrade. This is in preview in 0.10.4 and will be turned to 'on' automatically in a future release. We are going to be continually making it better and won't turn it on by default until it is ready. If you want to turn it on and start using it, once you have 0.10.4 installed, run choco feature enable -n useRememberedArgumentsForUpgrades. You can also do this per command with --use-remembered-arguments. You can also turn it off per command with --ignore-remembered-arguments. We've also really described a lot of important considerations and thoughts related to using this so there are no surprises. Please do read the issue notes at length if you plan to use this feature to reduce confusion.

BREAKING CHANGES

FEATURES

BUG FIXES

IMPROVEMENTS

0.10.3 (October 7, 2016)

BREAKING CHANGES

Starting in v0.9.10, Chocolatey started checking $LASTEXITCODE in addition to the script command success as a way to be more helpful in determining package failures. This meant it offered the ability to capture when a script exited with Exit 1 and handle that accordingly. However that really has never been a recommended scenario for returning errors from scripts and is not seen in the wild anywhere so it is believed that those that may be affected are very few.

Checking $LastExitCode checks the last executable's exit code when the script specifically does not call Exit. This can lead to very perplexing failures, such as running a successful xcopy that exits with 2 and seeing package failures without understanding why. Since it is not typically recommended to call Exit to return a value from PowerShell because of issues with different hosts, it's less of a concern to only look at explicit failures. For folks that may need it, allow failing a package again by the last external command exit code or exit from a PowerShell script. Note that it is not recommended to use exit with a number to return from PowerShell scripts. Instead you should use $env:ChocolateyExitCode or Set-PowerShellExitCode (first available in v0.9.10) to ensure proper setting of the exit code.

If you need the prior behavior, please turn on the feature scriptsCheckLastExitCode.

BUG FIXES

0.10.2 (September 30, 2016)

We're dubbing this the "Every Joe" release in honor of a friend that just lost his fight with brain cancer. If you want to help further research, please make a donation to a cancer research association of your choosing (e.g. the American Brain Tumor Association).

A couple of important fixes/enhancements in this release. Most of the improvements are about providing better feedback to you and fixing minor issues. The big one surrounds when packages set a download path for a file using $env:TEMP, choco will ensure that the file can still be found for later use.

BUG FIXES

IMPROVEMENTS

0.10.1 (September 19, 2016)

We're dubbing this the "Shhh! Keep that secret please" release. We've found that when passing in passwords and other sensitive arguments, those items can end up in the logs in clear text. We've addressed this in #948 and #953. When it comes to passing sensitive arguments through to native installers, you can set up environment variables with those sensitive args and pass those arguments directly through to Start-ChocolateyProcessAsAdmin. If you prefer a better experience, the licensed version allows passing sensitive options directly through choco.exe as --install-arguments-sensitive and --package-parameters-sensitive. Read more in the Licensed CHANGELOG.
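The environment-variable route described above, sketched as an added example (not code from the Chocolatey project): a constructed chocolateyInstall.ps1 that reads a secret from the calling session and fails closed when it is missing. The package name, the variable EXAMPLE_APP_DB_PASSWORD and the installer switches are assumptions.

```powershell
# chocolateyInstall.ps1 for a constructed package "example-app" (added example).
# Assumptions: the variable name EXAMPLE_APP_DB_PASSWORD and the installer
# switches /S and /DBPASS= are made up for illustration.
#
# Operator side, typed in the elevated session before installing, so the
# secret is never an argument to choco.exe:
#   $secure = Read-Host 'Database password' -AsSecureString
#   $env:EXAMPLE_APP_DB_PASSWORD = (New-Object System.Net.NetworkCredential('', $secure)).Password
#   choco install example-app -y
#   Remove-Item Env:\EXAMPLE_APP_DB_PASSWORD   # do not leave it in the session

$ErrorActionPreference = 'Stop'

$toolsDir  = Split-Path -Parent $MyInvocation.MyCommand.Definition
$installer = Join-Path $toolsDir 'example-app-setup.exe'

# Fail closed: without the secret, stop instead of installing with a blank
# or default password.
$dbPassword = $env:EXAMPLE_APP_DB_PASSWORD
if ([string]::IsNullOrEmpty($dbPassword)) {
    throw 'EXAMPLE_APP_DB_PASSWORD is not set. Set it in the calling session; do not pass the password on the choco command line.'
}

# Keep non-sensitive and sensitive arguments apart. The message below names
# the variable, never its value.
$publicArgs = '/S'
$secretArgs = '/DBPASS="{0}"' -f $dbPassword
Write-Host 'Running installer with the database password taken from EXAMPLE_APP_DB_PASSWORD.'

# -SensitiveStatements (Chocolatey 0.10.1+) carries arguments that are not logged.
Start-ChocolateyProcessAsAdmin -Statements $publicArgs `
                               -SensitiveStatements $secretArgs `
                               -ExeToRun $installer `
                               -ValidExitCodes @(0)
```

The variable is inherited by every process started from that session until it is removed, so set it immediately before the install and clear it immediately after.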

Perhaps the biggest improvement in this release is that Chocolatey will automatically look to see if it can download binaries over HTTPS when provided an HTTP url. If so, Chocolatey will switch to downloading the binaries over SSL. This provides better security in downloading and knowing you are getting the binary from the source location instead of a possible man in the middle location, especially when the package does not provide checksums for verification.

Another improvement you may not even notice, but we think you will love is that Chocolatey now supports TLS v1.2 transport which presents a nice transparent increase in security. You will need to have at least .NET Framework 4.5 installed to take advantage of this feature.

FEATURES

BUG FIXES

IMPROVEMENTS

0.10.0 (August 11, 2016)

What was planned for 0.9.10.4 is now 0.10.0. This is due partly to a breaking change we are making for security purposes and a move to provide a better versioning scheme for the remainder of the sub-v1 versions of Chocolatey. Instead of 0.y.z.0 being considered where major versions occur in the sub 1 series, 0.y.0 will now be considered where those major versions occur. We also are moving right along towards v1 (and hope to be there in 2017).

0.10.0 carries the fixes for 0.9.10.4 and includes a major security enhancement (checksum requirement).

BREAKING CHANGES

Checksums in package scripts are meant as a measure to validate the originally intended downloaded resources used in the creation of a package are the same files that are received at a future date. This also ensures that the same files that are checked by all parts of moderation (if applicable) are the same files that are received by users for a package. This is seen mostly on the community repository because it is public and packages are subject to copyright laws (distribution rights), which typically requires the package scripts to download software from the official distribution locations. The Chocolatey framework has had the ability to use checksums in package scripts since July 2014.

What is the requirement? choco will now fail if a package downloads resources from HTTP/FTP and does not use checksums to verify those downloaded resources. The requirement for HTTP/FTP is #112. We are considering also requiring it for HTTPS (#895) as well. You can optionally set a feature (allowEmptyChecksumsSecure) to ensure packages using HTTPS also use checksums.

How does this protect the community any more than before? During moderation review, there is a check of these downloaded binaries against VirusTotal (which verifies these binaries against 50–60+ different virus scanners). The binaries are also verified for installation purposes against a test computer. With an independent 3rd party checksum in the package itself, it guarantees that the files received by a user from those remote sources are the exact same files that were used in the verification process.

Why the requirement, and why now? This is a measure of protection for the Chocolatey community. HTTP is easy to hack with both DNS poisoning and MITM (man in the middle) attacks. Without independent verification of the integrity of the downloaded resources, users can be left susceptible to these issues. We've been planning a move to require checksums for a while now, with a planned longer and smoother transition for package maintainers to get packages updated to reduce breakages. Unfortunately there was a recent event with FOSSHub getting hacked (the community repository had 8 possibly affected packages and we quickly took action), which necessitated a need for us to move in a much swifter fashion to ensure the protection of the community sooner, rather than later. The changes in Chocolatey represented by the checksum changes are a major step in the process to ensure protection. Requiring for HTTPS as well will mitigate any future compromises of software distribution sites that are used with Chocolatey packages.

Can I shut this behavior off or opt out per package?
You can shut off the checksum requirement by enabling the feature allowEmptyChecksums. This will return Chocolatey to previous behavior. We strongly recommend against it.

You can shut it off or turn it on per package install/upgrade with --allow-empty-checksums and --require-checksums, respectively. See https://chocolatey.org/docs/commands-install / https://chocolatey.org/docs/commands-upgrade.

You can also disable the feature allowEmptyChecksumsSecure to enforce checksums for packages that download from secure locations (HTTPS).

Other things I should know? Users also now have the ability to pass their own checksums and checksumtypes into the install. See https://chocolatey.org/docs/commands-install / https://chocolatey.org/docs/commands-upgrade.
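A maintainer-side pre-flight check for the requirement above, added here as an example (not Chocolatey's own code): the hypothetical helper Test-ChecksumPolicy scans an install script's text for download URLs and reports whether the HTTP/FTP rule, and optionally the HTTPS rule, would be satisfied. It is a text heuristic run over constructed sample scripts, not a reimplementation of choco's check.

```powershell
# Added example. Test-ChecksumPolicy is a hypothetical helper, not a Chocolatey function.
function Test-ChecksumPolicy {
    [CmdletBinding()]
    param(
        # Full text of a package install script (for example chocolateyInstall.ps1)
        [Parameter(Mandatory = $true)][string] $ScriptText,
        # Also demand checksums for HTTPS downloads, as when the
        # allowEmptyChecksumsSecure feature is disabled
        [switch] $RequireForHttps
    )

    # Heuristic: a checksum counts only when it carries a hex digest of MD5 to
    # SHA512 length, given as a hashtable key (checksum = '...') or as a
    # parameter (-Checksum '...'). A bare "checksumType" does not match.
    $digest      = '(?i)(?<!\w)checksum(?:64)?\s*=?\s*[''"]?[0-9a-f]{32,128}\b'
    $hasChecksum = $ScriptText -match $digest

    # One finding per literal download URL in the script
    foreach ($m in [regex]::Matches($ScriptText, '(?i)\b(https?|ftp)://[^\s''"]+')) {
        $scheme   = $m.Groups[1].Value.ToLowerInvariant()
        $required = ($scheme -ne 'https') -or $RequireForHttps.IsPresent
        [pscustomobject]@{
            Url              = $m.Value
            Scheme           = $scheme
            ChecksumRequired = $required
            Pass             = (-not $required) -or $hasChecksum
        }
    }
}

# Constructed sample scripts. The host is a placeholder and the digest is the
# SHA-256 of empty input, used only to have a well-formed value.
$plainHttp = @'
$packageArgs = @{
  packageName = 'example'
  url         = 'http://downloads.example.test/example-1.0.exe'
  silentArgs  = '/S'
}
Install-ChocolateyPackage @packageArgs
'@

# Same script served over HTTPS, still without a checksum
$httpsOnly = $plainHttp.Replace('http://', 'https://')

$withChecksum = @'
$packageArgs = @{
  packageName  = 'example'
  url          = 'https://downloads.example.test/example-1.0.exe'
  checksum     = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
  checksumType = 'sha256'
}
Install-ChocolateyPackage @packageArgs
'@

# Default policy (HTTP/FTP only), then the stricter HTTPS policy
@(
    Test-ChecksumPolicy -ScriptText $plainHttp
    Test-ChecksumPolicy -ScriptText $httpsOnly
    Test-ChecksumPolicy -ScriptText $httpsOnly -RequireForHttps
    Test-ChecksumPolicy -ScriptText $withChecksum -RequireForHttps
) | Format-Table -AutoSize
```

The check works at file level, so a script with several downloads and only one checksum still passes; treat a pass as "worth a manual look", not as proof.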

KNOWN ISSUES

FEATURES

BUG FIXES

IMPROVEMENTS

0.9.10.3 (June 23, 2016)

BUG FIXES

IMPROVEMENTS

0.9.10.2 (June 19, 2016)

BUG FIXES

IMPROVEMENTS

0.9.10.1 (June 18, 2016)

BUG FIXES

IMPROVEMENTS

0.9.10 (June 17, 2016)

The "I got 99 problems, but a package manager ain't one" release. With the release of 0.9.10 (or if you prefer 0.9.10.0), we're about to make everything 100% better in your Windows package management world. We've addressed over 100 features and bugs in this release. We looked at how we could improve PowerShell and we've come out with a completely internal host that can Prompt and Read-Host in a way that times out and selects default values after a period of time. Speaking of PowerShell, how about some tab completion choco <tab> to choco install node<tab>? How about never having to close and reopen your shell again?

Alternative sources (-source webpi, -s windowsfeature, etc) are back! I mean, am I right?! Have you heard of auto uninstaller? If Chocolatey has installed something that works with Programs and Features, Chocolatey knows how to uninstall it without an uninstall script about 90+% of the time. This feature was in beta for the 0.9.9 series, it is on by default in 0.9.10 (unless you disabled it after trying it, you will need to reenable it, see choco feature for more details).

Here's one you probably never knew existed - extensions. Chocolatey has had the ability to extend itself by adding PowerShell modules for years, and most folks either didn't know it existed or have never used them. We've enhanced them a bit in preparation for the licensed version of Chocolatey.

We redesigned our choco new default packaging template and we've made managing templates as easy as managing packages.

choco search/choco list has so many enhancements, you may not need to visit dot org again. See it in action.

There are 150 tickets closed for this release! We've included remediation steps for when a breaking change affects you. Mostly if you have been using Chocolatey in a recommended way, you won't even notice any adverse changes. There are a number of things we thought to highlight, and quite a few security enhancements coming in this release (look for the [Security] tag on the ticket summary).

BREAKING CHANGES

The 0.9.8 series would only fail a package with terminating errors. The 0.9.9 series took that a bit further and started failing packages if anything wrote to stderr. It turns out that is a bad idea. Only when PowerShell exits with non-zero (which comes with terminating errors) should the package fail due to this. If you need the old behavior of the 0.9.9 series, you can get it back with a switch (--fail-on-standard-error and its aliases) and/or a feature flip (failOnStandardError).

If you set a custom cache directory for downloads, it will no longer use a "chocolatey" subdirectory under that. You may need to make any adjustments if this is going to affect you.

There are more exit codes from Chocolatey now that indicate success: 0, 1605, 1614, 1641, and 3010. You may need to adjust anything you were using that would only check for 0 and nonzero.
If you need the previous behavior, be sure to disable the feature usePackageExitCodes or use the --ignore-package-exit-codes switch in your choco commands.

If you were using any of the functions in a non-recommended way or not compliant with the examples, you are going to find breakages in the functions as some of the things that were called out as non-optional are now enforced. This shouldn't affect most folks.

This further restricts the default installation location by removing all permissions and inheritance of permissions, explicitly giving Administrator/LocalSystem Full access, and Users are granted Read and Execute.

KNOWN ISSUES

FEATURES

BUG FIXES

IMPROVEMENTS

0.9.9.12 (March 18, 2016)

BUG FIXES

0.9.9.11 (October 6, 2015)

BUG FIXES

0.9.9.10 (October 3, 2015)

Not to be confused with 0.9.10 (this is not that version). This fixes a small but extremely significant issue with relation to configuration managers and other tools that use choco.

BUG FIXES

0.9.9.9 (October 2, 2015)

With this release you can completely configure choco from the command line (including the priority of sources). Choco now allows you to create custom package templates. Choco has proper proxy support now. We also squashed up some bugs, like the infinite download loop that happens if the connection is lost. We've also improved the installation experience of Chocolatey itself, unpacking all of the required setup files in the chocolatey package and improving the messaging output during the bootstrapping process. Chocolatey also doesn't try to write config updates every command, unless something actually changes in the config file. And last but not least for mentions, the issue of choco not recognizing itself as needing upgraded after being installed by the bootstrapper is now fixed.

FEATURES

BUG FIXES

IMPROVEMENTS

0.9.9.8 (June 26, 2015)

BUG FIXES

IMPROVEMENTS

0.9.9.7 (June 20, 2015)

"Fix Everything. Fix All The Things" - There have been some things bugging us for a long time related to limitations with NuGet, so we decided to fix that. Like nuspec enhancements, that crazy content folder restriction has been removed (I know, right?!), and we're working around badly behaved packages quite a bit more to bring you more feature parity.

Let's talk about a couple of big, like really big, BIG features just added with this release. No more packages rebooting Windows. We fixed (#304 / #323) and enhanced the Auto Uninstaller Service quite a bit to ensure things are working like you would expect (It goes on by default in 0.9.10 - we'll start documenting more about it soon). But wait, there's more! I haven't even told you about the big features yet.

The first big feature is enhancing the nuspec. I mentioned this I know, but now you can use packageSourceUrl in the nuspec to tell folks where you are storing the source for the package! We also added projectSourceUrl, docsUrl, mailingListUrl, and bugTrackerUrl. What's even better is that the community feed has already been enhanced to look for these values. So have the templates from choco new. And it's backwards compatible, meaning you can still install packages that have these added nuspec enhancements without issue (but we will need to provide a fix for Nuget Package Explorer).

The second is Xml Document Transformations (XDT), which I think many folks are aware of but may not realize what it can provide. NuGet has allowed transformations for quite a while to allow you to make changes to an app.config/web.config on install/uninstall. We are following in similar footsteps to allow you to do similar when installing/upgrading packages. We will look for *.install.xdt files in the package (doesn't matter where) and they will apply to configuration files with the same name in the package. This means that during upgrades we won't overwrite configuration files that have opted into this feature. It allows you to give users a better experience during upgrades because they won't need to keep making the same changes to the xml config files each time they upgrade your package.

FEATURES

BUG FIXES

IMPROVEMENTS

0.9.9.6 (May 16, 2015)

Some really large fixes this release, especially removing all files that are installed to the package directory if they haven't changed, including ensuring that the nupkg file is always removed on successful uninstalls. The really big add some folks are going to like is the new outdated command. Some more variables that were misused have been brought back, which allows some packages (like Atom) to be installed again without issue. If you can believe some people never read these, we decided to add a note to the installer prompt to let people know about -y.

FEATURES

BUG FIXES

IMPROVEMENTS

0.9.9.5 (April 20, 2015)

BREAKING CHANGES

BUG FIXES

IMPROVEMENTS

0.9.9.4 (March 30, 2015)

BUG FIXES

IMPROVEMENTS

0.9.9.3 (March 29, 2015)

BUG FIXES

IMPROVEMENTS

0.9.9.2 (March 6, 2015)

BUG FIXES

IMPROVEMENTS

0.9.9.1 (March 3, 2015)

BUG FIXES

0.9.9 (March 3, 2015)

This also includes issues that were being tracked in the old Chocolatey repository: Chocolatey 0.9.9.

The two links above will not capture everything that has changed, since this is a complete rewrite. We broke everything. If this were a v1+, it would be a major release. But we are less than v1, so 0.9.9 it is! ;)

Okay, so we didn't really break everything. We have maintained nearly full compatibility with how you pass options into choco, although the output may be a bit different (but better, we hope) and in at least one case, additional switches (or a feature setting) is/are required - we limited this to security related changes only.

We also fixed and improved a bunch of things, so we feel the trade off is well worth the changes.

We'll try to capture everything here that you should know about. Please call choco -? or choco.exe -h to get started.

KNOWN ISSUES

BREAKING CHANGES

  1. You now have one config file to interact with in %ChocolateyInstall%\config - your user config is no longer valid and can be removed once you migrate settings to the config.
  2. The config will no longer be overwritten on upgrade.
  3. Choco no longer interacts with NuGet's config file at all. You will need to reset all of your apiKeys (see features for apikey). On the plus side, the keys will work for all users of the machine, unlike NuGet's apiKeys (only work for the user that sets them).
  4. This also means you can no longer use useNugetForSources. It has been removed as a config setting.
  1. Choco now installs packages without version numbers on folders. This means quite a few things...
  2. Upgrading packages doesn't install a new version next to an old version, it actually upgrades.
  3. Dependencies resolve at highest available version, not the minimum version as before - see Chocolatey #415
  4. install versus upgrade - Use upgrade on existing packages instead of install. A -force reinstall will reinstall the same version you already have installed.
  1. Read the above about apikey changes
  2. Read above about dependency resolution changes.
  1. installmissing has been removed. It was deprecated a while ago, so this should not be a surprise.
  2. choco version has been deprecated and will be removed in v1. Use choco upgrade pkgName --noop or choco upgrade pkgName -whatif instead.
  3. Write-ChocolateySuccess, Write-ChocolateyFailure have been deprecated.
  4. update is now upgrade. update has been deprecated and will be removed/replaced in v1. Update will be reincarnated later for a different purpose. Hint: It rhymes with smackage pindexes.

FEATURES

  1. pin - Suppress upgrades. This allows you to 'pin' an install to a particular version - see #1, Chocolatey #5 and Pin Command
  2. apikey - see ApiKey Command
  3. new - see New Command and Chocolatey #157
  1. Install-ChocolateyShortcut - see Chocolatey #238, Chocolatey #235 and Chocolatey #218

BUG FIXES

Probably a lot of bug fixes that may not make it here, but here are the ones we know about.

IMPROVEMENTS

0.9.8.33 (Feb 11, 2015)

FEATURES:

IMPROVEMENTS:

0.9.8.32 (January 22, 2015)

BUG FIXES:

0.9.8.31 (January 7, 2015)

BUG FIXES:

0.9.8.30 (January 6, 2015)

FEATURES:

BUG FIXES:

0.9.8.29 (January 2, 2015)

FEATURES:

IMPROVEMENTS:

0.9.8.28 (November 4, 2014)

BREAKING CHANGES:

BUG FIXES:

IMPROVEMENTS:

0.9.8.27 (July 13, 2014)

BUG FIXES:

0.9.8.26 (July 12, 2014)

Pulled due to major breakage with #516

BUG FIXES:

IMPROVEMENTS:

0.9.8.25 (July 7, 2014)

BUG FIXES:

0.9.8.24 (July 3, 2014)

BREAKING CHANGES:

FEATURES:

BUG FIXES:

IMPROVEMENTS:

0.9.8.23 (November 11, 2013)

BUG FIXES:

0.9.8.22 (November 10, 2013)

BREAKING CHANGES:

FEATURES:

BUG FIXES:

0.9.8.21 (November 7, 2013)

BREAKING CHANGES:

FEATURES:

IMPROVEMENTS:

BUG FIXES:

0.9.8.20 (December 11, 2012)

FEATURES:

IMPROVEMENTS:

BUG FIXES:

0.9.8.19 (July 2, 2012)

FEATURES:

BUG FIXES:

0.9.8.18 (June 16, 2012)

BUG FIXES:

0.9.8.17 (June 15, 2012)

FEATURES:

IMPROVEMENTS:

BUG FIXES:

0.9.8.16 (February 27, 2012)

BUG FIXES:

0.9.8.15 (February 27, 2012)

BREAKING CHANGES:

FEATURES:

IMPROVEMENTS:

BUG FIXES:

0.9.8.14 (February 6, 2012)

IMPROVEMENTS:

BUG FIXES:

0.9.8.13 (January 8, 2012)

FEATURES:

IMPROVEMENTS:

BUG FIXES:

0.9.8.12 (November 20, 2011)

IMPROVEMENTS:

BUG FIXES:

0.9.8.11 (October 4, 2011)

BUG FIXES:

0.9.8.10 (September 17, 2011)

FEATURES:

0.9.8.9 (September 10, 2011)

BUG FIXES:

0.9.8.8 (September 10, 2011)

BUG FIXES:

0.9.8.7 (September 2, 2011)

IMPROVEMENTS:

0.9.8.6 (July 27, 2011)

BUG FIXES:

0.9.8.5 (July 27, 2011)

IMPROVEMENTS:

BUG FIXES:

0.9.8.4 (July 27, 2011)

BUG FIXES:

0.9.8.3 (July 7, 2011)

BREAKING CHANGES:

FEATURES:

IMPROVEMENTS:

0.9.8.2 (May 21, 2011)

FEATURES:

0.9.8.1 (May 18, 2011)

BUG FIXES:

0.9.8 (May 4, 2011)

BREAKING CHANGES:

IMPROVEMENTS:

0.9.7.3 (April 30, 2011)

BUG FIXES:

0.9.7.2 (April 29, 2011)

BUG FIXES:

0.9.7.1 (April 29, 2011)

BUG FIXES:

0.9.7 (April 29, 2011)

FEATURES:

IMPROVEMENTS:

0.9.6.4 (April 26, 2011)

IMPROVEMENTS:

0.9.6.3 (April 25, 2011)

FEATURES:

0.9.6.2 (April 25, 2011)

BUG FIXES:

0.9.6.1 (April 23, 2011)

IMPROVEMENTS:

0.9.6 (April 23, 2011)

IMPROVEMENTS:

FEATURES:

0.9.5 (April 21, 2011)

FEATURES:

IMPROVEMENTS:

0.9.4 (April 10, 2011)

IMPROVEMENTS:

0.9.3 (April 4, 2011)

IMPROVEMENTS:

0.9.2 (April 4, 2011)

FEATURES:

0.9.1 (March 30, 2011)

IMPROVEMENTS: