24 April 2016

If you have a large development team with developers who are not familiar with NuGet package management, it often happens that a developer simply adds the latest NuGet package to a project. This can, and often does, lead to runtime exceptions and to assembly binding entries in app and web config files.

There’s already an article on how to create an authenticated feed. Adding a new (mirror) feed alone will not solve our problem, though; we also need a way to disable fetching from the nuget.org feed.

Here is a sample of how to use only your own NuGet feeds, disable the official ones, and provide access to authenticated feeds without much hassle.

The nuget.org feed is added by default by Visual Studio itself, and from VS13 on there is also a machine-wide "Microsoft and .NET" feed for curated packages. So if we only added our own feeds, a package search would still include these two feeds and could install packages from them.

NuGet.Config has a way to disable these feeds. Here is a sample NuGet.Config; make sure the file is located in the root of your project:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <solution>
    <add key="disableSourceControlIntegration" value="true" />
  </solution>
  <packageSources>
    <add key="AugmentechPrivateFeed" value="https://nuget.augmentech.si/privatefeed/" />
    <add key="AugmentechMirroredFeed" value="https://nuget.augmentech.si/mirroredfeed/" />
  </packageSources>
  <disabledPackageSources>
    <add key="nuget.org" value="https://nuget.org/api/v2/" />
    <add key="Microsoft and .NET" value="https://www.nuget.org/api/v2/curated-feeds/microsoftdotnet/" />
  </disabledPackageSources>
  <packageSourceCredentials>
    <AugmentechPrivateFeed>
      <add key="Username" value="augmentech" />
      <add key="ClearTextPassword" value="notRealPassword" />
    </AugmentechPrivateFeed>
  </packageSourceCredentials>
</configuration>

Through the disabledPackageSources element, Visual Studio disables those feeds in the NuGet package dialogs, so packages are resolved only from the sources you listed.

With this approach we gain control over the package versions and the packages being added to our projects. With packageSourceCredentials, manually adding the feed (the command-line step) becomes obsolete, but the price is that the password for the protected feed sits in plaintext in NuGet.Config, which is committed alongside the code. I start from the assumption that if a person has access to our code, then she should also have access to our feeds.
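The two things a reviewer wants to verify before such a file is committed are: which sources are actually still enabled once disabledPackageSources is applied, and whether any feed password is stored as ClearTextPassword. The following audit script is an added example, not code from the original post; it uses only the Python standard library. The two embedded configs are constructed for the example (the feed names and URLs are the ones from the post, the password is a placeholder), and the function names `enabled_sources`, `cleartext_credentials` and `audit` and the `allowed_hosts` parameter are this example's own.

```python
"""Audit a NuGet.Config before it is committed (added example, not the post's code)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: mirrors the post's config, with nuget.org also listed as a
# source so the disable logic has something to remove.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="AugmentechPrivateFeed" value="https://nuget.augmentech.si/privatefeed/" />
    <add key="AugmentechMirroredFeed " value=" https://nuget.augmentech.si/mirroredfeed/" />
    <add key="nuget.org" value="https://nuget.org/api/v2/" />
  </packageSources>
  <disabledPackageSources>
    <add key="nuget.org" value="https://nuget.org/api/v2/" />
    <add key="Microsoft and .NET" value="https://www.nuget.org/api/v2/curated-feeds/microsoftdotnet/" />
  </disabledPackageSources>
  <packageSourceCredentials>
    <AugmentechPrivateFeed>
      <add key="Username" value="augmentech" />
      <add key="ClearTextPassword" value="PLACEHOLDER-NOT-A-REAL-PASSWORD" />
    </AugmentechPrivateFeed>
  </packageSourceCredentials>
</configuration>
"""

# Constructed hardened variant: <clear /> drops sources inherited from user- and
# machine-level configs, and the password is stored under the encrypted "Password" key.
HARDENED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="AugmentechPrivateFeed" value="https://nuget.augmentech.si/privatefeed/" />
    <add key="AugmentechMirroredFeed" value="https://nuget.augmentech.si/mirroredfeed/" />
  </packageSources>
  <packageSourceCredentials>
    <AugmentechPrivateFeed>
      <add key="Username" value="augmentech" />
      <add key="Password" value="PLACEHOLDER-DPAPI-BLOB" />
    </AugmentechPrivateFeed>
  </packageSourceCredentials>
</configuration>
"""


def _parse(config_xml):
    # Encode to bytes so the XML declaration's encoding attribute is honoured.
    return ET.fromstring(config_xml.encode("utf-8"))


def _adds(root, section):
    """Return {key: value} for the <add> children of a top-level section.

    Keys and values are stripped: stray whitespace in a hand-edited config is a
    common defect and would otherwise make name matching silently fail."""
    node = root.find(section)
    if node is None:
        return {}
    return {a.get("key", "").strip(): a.get("value", "").strip() for a in node.findall("add")}


def enabled_sources(config_xml):
    """Sources that remain active after <disabledPackageSources> is applied (matched by name)."""
    root = _parse(config_xml)
    disabled = set(_adds(root, "disabledPackageSources"))
    return {k: v for k, v in _adds(root, "packageSources").items() if k not in disabled}


def cleartext_credentials(config_xml):
    """Names of feeds whose credentials block carries a ClearTextPassword entry."""
    root = _parse(config_xml)
    creds = root.find("packageSourceCredentials")
    if creds is None:
        return []
    return [feed.tag for feed in creds
            if any(a.get("key") == "ClearTextPassword" for a in feed.findall("add"))]


def audit(config_xml, allowed_hosts):
    """Return a list of human-readable findings; an empty list means the config passed."""
    findings = []
    for name, url in enabled_sources(config_xml).items():
        host = urlparse(url).hostname or ""
        if host not in allowed_hosts:
            findings.append(f"enabled source '{name}' points outside the allowed hosts: {url}")
    for feed in cleartext_credentials(config_xml):
        findings.append(f"feed '{feed}' stores its password as ClearTextPassword")
    sources = _parse(config_xml).find("packageSources")
    if sources is None or sources.find("clear") is None:
        findings.append("packageSources has no <clear />: sources inherited from "
                        "user/machine-level NuGet.Config files stay active unless disabled by name")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit(cfg, {"nuget.augmentech.si"}) or ["ok"])
```

Two points the script makes visible: disabling by name only works for sources that are listed by exactly that name somewhere in the config hierarchy, whereas `<clear />` in packageSources discards everything inherited from the user- and machine-level files; and NuGet also accepts a `Password` entry (encrypted with DPAPI for the current Windows user) in place of `ClearTextPassword`, which keeps the committed file free of a recoverable secret at the cost of the feed having to be added per developer.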

There are also other perks of having a mirrored nuget.org feed, such as reduced download bandwidth, availability in case of nuget.org downtime, …
