ProGet: Auto package promotion from NuGet mirror?
-
We currently have a NuGet mirror feed which points to nuget.org. We don't use packages from it directly in our CI/CD builds. Instead, we have an "approved" internal feed that we use for that. We populate that feed by promoting from our NuGet mirror feed.
Is it possible to configure our "approved" internal feed to have new versions of approved packages automatically detected and promoted from our NuGet mirror feed?
-
Hi @scampbell_8969,
ProGet does not have this feature; we've thought about it after some customer discussions in years past, but I don't think anyone's asked about it until now. And it wasn't the right solution for those customers.
We concluded it would be kind of complicated to document / configure / troubleshoot, especially once we got into the details and specifics. Here are some of those:
- A new version could be unwanted, especially after the "Moq Meltdown" from last year
- Patch versions are probably okay, but new major versions should still be vetted
- Licenses can (and do) change between versions
- New versions are also a vector for malicious update attacks
- Some kind of filter would be needed to select packages for auto-promotion
- Very few packages get frequent updates, so this doesn't seem like it's solving a big problem
Instead we created a "latest version" compliance flag that allows you to flag packages that aren't the latest patch version. We'll see if that's popular.
Thanks,
Alana
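As an added illustration of the constraints listed in this reply (this is example code, not ProGet's code or a description of any ProGet API), the following gate encodes a policy of "patch and minor updates within an approved major are fine, anything else is held for review" that one could run before calling a feed's promotion mechanism. Package names, versions, licenses and vulnerability counts below are constructed sample data, and the decision to allow minor bumps is an assumption of this example.

```python
"""Policy gate for automatic package promotion between feeds (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# NuGet-style SemVer: major.minor.patch with an optional prerelease tag.
_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


@dataclass(frozen=True)
class PackageVersion:
    name: str
    version: str
    license: str          # SPDX identifier as reported by the feed
    vulnerabilities: int  # count of known advisories; 0 means clean


def parse_version(v: str) -> tuple[int, int, int, str | None]:
    """Split 'major.minor.patch[-pre]' into comparable parts."""
    m = _SEMVER.match(v)
    if not m:
        raise ValueError(f"not a semver version: {v!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def promotion_decision(approved: PackageVersion, candidate: PackageVersion) -> tuple[bool, str]:
    """Return (auto_promote, reason) for a candidate seen in the mirror feed.

    Mirrors the concerns above: no silent major bumps, no license change,
    no known vulnerabilities, and prereleases always go to a human.
    """
    if approved.name.lower() != candidate.name.lower():
        return False, "different package id"
    a_major, a_minor, a_patch, _ = parse_version(approved.version)
    c_major, c_minor, c_patch, c_pre = parse_version(candidate.version)
    if c_pre is not None:
        return False, "prerelease versions need manual review"
    if (c_major, c_minor, c_patch) <= (a_major, a_minor, a_patch):
        return False, "candidate is not newer than approved version"
    if c_major != a_major:
        return False, "major version change needs vetting"
    if candidate.license != approved.license:
        return False, f"license changed {approved.license} -> {candidate.license}"
    if candidate.vulnerabilities:
        return False, f"{candidate.vulnerabilities} known vulnerabilities"
    if c_minor != a_minor:
        return True, "minor update within approved major"
    return True, "patch update within approved major/minor"
```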
-
To piggyback on this -- this has been an idea we've been interested in as well. As part of our corporate policies, generally once a package has been approved (at a name level), all subsequent versions are OK assuming there are no vulnerabilities or license issues. Denying a request for this is very rare.
Automating version promotion would give developers access to newer versions of packages sooner, making access easier, and devs would be more likely to upgrade.
We thought about doing this by filters, but managing that list would quickly get out of hand.
This isn't a critical functionality for us today, more of a nice to have.
-
Our policies are very similar to what you described. That's why I asked if this was possible.
-
@dan-brown_0128 @scampbell_8969 thanks for the feedback!
I've added a note to our internal board for ProGet 2025 roadmap consideration; after we get through the PostgreSQL migration, we will likely focus on SCA feature improvement, but maybe there will be room for this.
Any guidance/ideas on the UI/docs would be really helpful when we come to revisit it.