RE: ProGet: Editing Feed(s) field in a project changes the field for all projects

@dean-houston

Hello!

In the "fixed" version, it no longer sets the same feed to all other projects, which is good.

Less good is that it now instead empties the Feed(s) field for all except the most recently changed Project.

Best regards
Nils Nilsson

Hi,

Thanks for investigating.

You're right that UserNotFoundException turned out to be a cache issue.

Eagerly awaiting the fix.

Regards
Nils Nilsson

Service came online a few hours after the rollback, the error above persists though and LDAP integration for Task/Permissions still isn't working.
Rollback also didn't restore my scoped permissions, all of those groups used to have different scopes.

Additionally after doing a rollback to 2025.27 ProGet can not start the web service, with this error in event viewer

Exception:
Inedo.ProGet.Web.Security.UserNotFoundException: Exception of type 'Inedo.ProGet.Web.Security.UserNotFoundException' was thrown.
  at Inedo.ProGet.WebApplication.ProGetHttpModule.AuthorizeRequestAsync(AhHttpApplication app)
  at Inedo.Web.InedoHttpModule.Inedo.Web.IAhWebModule.AuthorizeRequestAsync(AhHttpApplication app)
  at Inedo.Web.AhWebMiddleware.InvokeAsync(HttpContext context)
  at Inedo.Web.AhWebMiddleware.InvokeAsync(HttpContext context)
  at Inedo.Web.AhWebMiddleware.InvokeAsync(HttpContext context)
  at Inedo.Web.AhWebHost.<>c.<<Configure>b__22_0>d.MoveNext()
--- End of stack trace from previous location ---
  at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequest[TContext](IHttpApplication`1 application)

Hi!

I have a breaking issue in ProGet 2026, upgraded from 2025.27
The issue is that when I try to add a new permission/restriction for ["Specific User...", "Specific Groups..."] it no longer manages to search for those defined in my Active Directory and synced through LDAP.

Attempting to Test Privileges of a group that is assigned(and still seems to be in effect as I'm able to log in and administer using my domain account) it is also unable to search for users/groups.

I've verified that the LDAP connection is still healthy through the 'Test User Directories' dialog

This issue was found because after upgrading all my existing permissions that were scoped to a feed group no longer had an association to the migrated "Feed & Project Groups" that replaced them, thus leading to having to reconfigure all permissions.

Regards
Nils Nilsson

Hi Alex,

Thanks for taking the time to respond to my request.

I fully agree that individual vulnerabilities are often not relevant for a container image.

The problem arises when we can not make distinctions when assessing, as we might never be able to assess a vulnerability using the global scope.

A scaled down example could be that we have two feed groups, each with their own Package Policy. 'External' which is used for the build/store of an application served to external users comprised of the general public(i.e. a web service), while 'Internal' is used for an identical but separately generated application that is run strictly for internal users with no exposure to the internet.

External:
Universal Feed, Nuget feed, Container feed

Internal:
Universal Feed, Nuget feed, Container feed

Then we might have a vulnerability like PGV-255532C, assuming we in our application are using the functionality of sqlite which is affected.
This would pose an unacceptable risk for an application reachable and used by external users, while it could be fine for an internal application.

The current assessment structure for containers wouldn't allow us to continue using the container in the 'Internal' feed group, without also allowing the container in the 'External' feed group.

I agree on the premise that an Image is more like a Build, than it is a Package. But even then sharing policies between containers and package feeds would remain relevant for our usecase.

Best regards
Nils Nilsson

Hi!

My organization has departments/products with various risk aptite and regulatory requirements.

We need to be able to assess vulnerabilities in containers per feed/policy, in the same way that can be done for 3rd-party components.

Best regards
Nils Nilsson

Thanks!

No immediate rush, I'll wait for mainline release :)

Best regards
Nils Nilsson

@dean-houston

Hello!

In the "fixed" version, it no longer sets the same feed to all other projects, which is good.

Less good is that it now instead empties the Feed(s) field for all except the most recently changed Project.

Best regards
Nils Nilsson

Hi Dean,

Thank you for the swift reply and fix :)

Best regards
Nils Nilsson

Hello.

When I edit the Feed(s) field on a project in ProGet, to associate the project to feeds for policies and tracking, it then sets the field to the same feeds for all other projects in my organization.

In effect I can not currently have:
Project A - association -> nuget_A
Project B - association -> nuget_B
As changing the setting in the editing pane for Project B also changes the setting for Project A

Running ProGet v25.0.23.11 on Windows Server 2022

Best regards
Nils Nilsson