Why do I see third party packages in my Azure Artifacts feed? - azure-devops

I have a build pipeline setup creating packages from my projects, and a release pipeline that is pushing those packages to the artifact feed, but now (after some change to the pipeline) I'm seeing microsoft packages in my feed.
Any info about why this is happening would be great.

NuGet.org is an upstream source. Your feed is configured to use nuget.org as an upstream source, so it's caching the packages from nuget.org that your applications are using.

Related

Ensuring a NuGet package can only be installed from a specific feed

I have an Azure Pipelines job setup to authenticate to a private NuGet feed in Azure Artifacts, and then build my .NET project that relies on a NuGet package in the feed. However, my private package is a pretty common name. How can I ensure that it only installs that specific package from my private feed, and doesn't try to fallback to the NuGet general gallery? I do not want it to pull in an incorrect package that has the same name and version name as my private package.
Once you configure multiple sources/feeds, NuGet will look for a package in all these sources together with no guarantee of where the package will be downloaded from. However, you could make the AzDo artifacts feed as the only configured feed and then upstream other sources from it. This way NuGet will get all packages from the configured AzDo artifacts source and AzDo artifacts will source other packages not available with it from the upstreamed sources in the order defined. More info can be found here: https://learn.microsoft.com/en-us/azure/devops/artifacts/concepts/upstream-sources?view=azure-devops

Azure Dev Ops, Private Nuget feed, options to develop / test nuget packages?

I am looking for practical options to develop and test private nuget packages.
We have a set of "core" code that is delivered securely through an Azure Artifact Feed. We have various "consuming" applications that use the core nuget packages.
As a small-medium team, one person may be developing the core nuget as well as consuming it.
Today we check-in / merge the code for the nuget package. Make sure the Pull request is approved / passes. Then the build updates the Azure Artifact feed.
Then we come back to the "consuming" app and can update the package. Works great if you fix / add the feature the first time. However, slows down productivity when treating this as an iterative development approach.
Looking for simple options for a small team. Random thoughts on options:
Push nuget "alpha" package straight from developer's machine to Azure Artifact feed. Symbol server too?
Do something with an Azure build to allow "feature" branches to publish to Azure Artifact feed somehow?
Push to local nuget feed. Include pdbs so it can be debugged?
Temporarily break the nuget reference directly for local copy of dll(s)?
Re-think using nuget packages as a whole?
Push nuget "alpha" package straight from developer's machine to Azure Artifact feed. Symbol server too?
It depends on whether you need to debug it. If you need do debug this "alpha" package, you have to push the symbol package to the symbol server.
Note: You do not need to push the "alpha" package to the symbol server, just the symbol package.
Do something with an Azure build to allow "feature" branches to
publish to Azure Artifact feed somehow?
There is a task Push NuGet packages, we could use it to publish to Azure Artifact feed during build, no matter which branch it is on. It depends on whether you have enough permissions for the Azure Artifact feed, you can check it from Artifacts->Settings->Feed settings->Permissions:
Push to local nuget feed. Include pdbs so it can be debugged?
No, you also have to include the source code. Check this thread for some more details.
And there is a lightweight solution how to debugged nuget package on local feed on a network share.
Temporarily break the nuget reference directly for local copy of
dll(s)?
Re-think using nuget packages as a whole?
The answer is yes, when we develop the project on the local, use project reference is better than nuget, check my another post for some more details:
Ticket: Project reference VS NuGet.
Hope this helps.

pushing public package to azure devops feed

In artifacts I have created a feed,and all seems good. It publishes my packages to the feed.Good
If I understood it correctly it can work like a " private Nuget server" if you like and have all the packages that your team should be using.
I need to push several public packages to my feed.
EG How can I push "Newtonsoft" version 11.2 to my feed on azure devops?
Is this a manual step?
Can be automated?
many thanks
You don't need to do anything. Configure your feed to use NuGet.org as an upstream package source and any packages that are available on NuGet will be automatically cached when restored.

Artifact feed azure devops.Not sure how it meant to work

I have set up a feed on azure devops
I now have nuget.config in my solution with the packages sources configured with my feed.
Question
Given that my mobile solution contains projects that will output nuget packages, why are those packages not appearing in my feed?
When building the app in appcenter I was expecting all the dependencies and nugets to appear
in the artifact feed automatically but only 02 did?
do you have to have a pipeline to push packages to the feed?
Can just building a solution be enough for all the dependencies in the solution to be pushed
to the artifact feed? .Hope makes sense
I have looked at all microsoft docs and its' not clear!
Any suggestions how feeds are meant to work apart from pushing them yourself via either nuget push or a pipeline?
The packages don't get published to your feed unless you explicitly publish them to the feed. There's no mechanism that detects that you've created packages and automatically publishes them.
Use the NuGet task with the push option and you can choose the artifact feed to which your packages are published.

How to prevent the release pipeline in VSTS from creating nuget.org packages

I created a build and release pipeline for my NuGet package using VSTS.
But after running the build and release pipeline successfully, the feed includes the nuget.org reference which was added. How can I prevent this?
This is by design. You enabled upstream sources and installed these packages through this feed. Refer to this documentation for details: Saving packages from upstream sources: continuity.
When you enable an upstream source, packages installed from the
upstream source via the feed will automatically be saved in the feed.