
ProGet: Auto package promotion from NuGet mirror?



  • We currently have a NuGet mirror feed which points to nuget.org. We don't use packages from it directly in our CI/CD builds. Instead, we have an "approved" internal feed that we use for that. We populate that feed by promoting from our NuGet mirror feed.

    Is it possible to configure our "approved" internal feed to have new versions of approved packages automatically detected and promoted from our NuGet mirror feed?


  • inedo-engineer

    Hi @scampbell_8969,

    ProGet does not have this feature; we've thought about it after some customer discussions in years past, but I don't think anyone's asked about it until now. And it wasn't the right solution for those customers.

    We concluded it would be kind of complicated to document / configure / troubleshoot, especially once we got into the details and specifics. Here's some of those:

    • A new version could be unwanted, especially after the "Moq Meltdown" from last year
    • Patch versions are probably okay, but new major versions should still be vetted
    • Licenses can (and do) change between versions
    • New versions are also a vector for malicious update attacks
    • Some kind of filter would be needed to select packages for auto-promotion
    • Very few packages get frequent updates, so this doesn't seem like it's solving a big problem

    Instead we created a "latest version" compliance flag that allows you to flag packages that aren't the latest patch version. We'll see if that's popular.

    Thanks,
    Alana
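The reply above lists the checks any auto-promotion filter would need (patch-only bumps, license stability, an explicit selection filter, skipping pre-releases). The script below is an added illustration of such a promotion gate and is not ProGet code or an Inedo-supported feature; the `PackageVersion` type, the `evaluate_promotion` and `plan_promotions` functions, and the package ids, versions and licenses are all constructed for the example. It decides, for each version seen in a mirror feed, whether it could be promoted automatically to an approved feed or must be held for human review.

```python
"""Promotion gate for candidate package versions (added example, not ProGet's own code).

Given the versions already in an "approved" feed and the versions visible in a
mirror feed, decide per candidate whether it may be promoted automatically
("promote"), should be ignored ("skip"), or needs a person to look at it
("hold"). Only patch-level updates of allow-listed packages with an unchanged
license pass automatically; everything else is held.
"""
from dataclasses import dataclass
import re

# Plain SemVer 2.0 core version with an optional pre-release tag (no build metadata).
SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


@dataclass(frozen=True)
class PackageVersion:
    """One package version as it would appear in a feed (hypothetical type)."""
    id: str
    version: str
    license: str  # license expression as declared in the package metadata


def parse_semver(version):
    """Return (major, minor, patch, prerelease_or_None); reject anything else."""
    m = SEMVER_RE.match(version)
    if not m:
        raise ValueError(f"not a SemVer version: {version!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]


def evaluate_promotion(approved, candidate, allow_list):
    """Return (decision, reason) for promoting `candidate` over `approved`."""
    if candidate.id.lower() != approved.id.lower():
        raise ValueError("approved and candidate must be the same package id")
    # Selection filter: only explicitly listed packages are eligible at all.
    if candidate.id.lower() not in {p.lower() for p in allow_list}:
        return "hold", "package not in auto-promotion allow-list"
    cur = parse_semver(approved.version)
    new = parse_semver(candidate.version)
    if new[3] is not None:
        return "hold", "pre-release versions are never auto-promoted"
    if new[:3] <= cur[:3]:
        return "skip", "candidate is not newer than approved version"
    # Licenses can change between versions; treat any change as a review trigger.
    if candidate.license != approved.license:
        return "hold", f"license changed from {approved.license} to {candidate.license}"
    if new[0] != cur[0]:
        return "hold", "major version change requires review"
    if new[1] != cur[1]:
        return "hold", "minor version change requires review"
    return "promote", "patch-level update"


def plan_promotions(approved_feed, mirror_feed, allow_list):
    """Map (id, version) of every mirror candidate to its (decision, reason)."""
    by_id = {p.id.lower(): p for p in approved_feed}
    plan = {}
    for cand in mirror_feed:
        approved = by_id.get(cand.id.lower())
        if approved is None:
            # First approval of a package is always a human decision.
            plan[(cand.id, cand.version)] = ("hold", "no approved version exists; initial approval is manual")
        else:
            plan[(cand.id, cand.version)] = evaluate_promotion(approved, cand, allow_list)
    return plan


# Constructed sample feeds; package ids, versions and licenses are fictional.
APPROVED_FEED = [
    PackageVersion("Contoso.Logging", "2.4.1", "MIT"),
    PackageVersion("Contoso.Http", "1.9.0", "MIT"),
    PackageVersion("Contoso.Mocking", "4.18.4", "BSD-3-Clause"),
    PackageVersion("Contoso.Data", "3.1.0", "MIT"),
]
MIRROR_FEED = [
    PackageVersion("Contoso.Logging", "2.4.3", "MIT"),                 # patch bump
    PackageVersion("Contoso.Logging", "2.5.0-beta.1", "MIT"),          # pre-release
    PackageVersion("Contoso.Http", "2.0.0", "MIT"),                    # major bump
    PackageVersion("Contoso.Mocking", "4.20.0", "Commercial-EULA"),    # license change
    PackageVersion("Contoso.Data", "3.1.1", "MIT"),                    # not allow-listed
    PackageVersion("Contoso.Extras", "0.1.0", "MIT"),                  # never approved
]
ALLOW_LIST = {"Contoso.Logging", "Contoso.Http", "Contoso.Mocking"}

if __name__ == "__main__":
    for (pkg, ver), (decision, reason) in plan_promotions(APPROVED_FEED, MIRROR_FEED, ALLOW_LIST).items():
        print(f"{decision:8} {pkg} {ver}: {reason}")
```

Running it shows only `Contoso.Logging 2.4.3` as `promote`; every other candidate is held for review with the reason that triggered it. The license check runs before the version-bump checks on purpose, so a license change is surfaced even when the bump itself would otherwise be acceptable.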

