Hi @atripp
I think packages has to be iterated instead. I haven't seen dependencies beneath packages.
Further, the "empty" Key has to be ignored as it stands for the root project:
Maybe a little bit parsing would be necessary.
In lockfileVersion 2 a dependency was listed like this:
In lockfileVersion 3 it looks like this:
If desired, we can also upload package-lock.json files for testing via MyInedo.
Hi all,
we tested the .slnx support of pgutil and noticed that pgutil can only detect projects that are a direct child of the root element.
If the .slnx structure is more complex, projects are not found.
E.g:
Both projects are detected by pgutil:
No projects are being found:
Since it was a quick fix, we created a pull request for it:
https://github.com/Inedo/pgutil/pull/25
Please have a look at it and let us know if you can confirm the behavior.
Thanks
Caterina
Hi @stevedennis ,
using ?bypassIntegrated=false lets me download the package from the UI.
Is this something you can fix?
For now I can share this information with my colleagues.
Offtopic (since we are already talking):
We recieved your Inedo snackbox this week and we love it 
Thanks,
Caterina
Hi @stevedennis ,
the thing is that microsoft states that windows authentication is great for internal applications integrating the Active Directory: https://learn.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-10.0&tabs=visual-studio
I can not find a documentation telling me to switch to token-based authentication.
It is also easier to maintain, because the AD is already managed. To manage tokens for each person that is allowed to access ProGet would take up extra effort.
Either way, we moved away from hostname-binding and then we are able to use "npm install" for example.
But a new problem occured:
If I go to the ProGet UI, into one of our npm feeds and try to download a npm package using the download button, i get an Unauthorized error:
So I can see the packages, but I can not download them, eventhough the permission is "View and Download packages"
Can you help me here as well?
Thanks,
Caterina
Hi @stevedennis ,
thank you for your reply. I still have some questions.
When talking about WIA are you only talking about NTLM?
What we do is using Kerberos to make sure specific AD-groups have access to our packages. Not everyone is allowed to view/download packages. Going with no authentication is not an option for us.
I can not find a documentation that states that Kerberos is discontinued. Maybe you can provide me with sources? Or maybe we are talking about different things when talking about WIA
Right now our process is that a user is authenticated if he is in a specific AD group and wants to access nuget packages, and he needs an api key to access npm packages.
If I install ProGet 2025 with integrated web server and activate WIA in the settings, I am no longer able to make e.g. "npm i" because the authentication fails:
Which makes sense, because npm is not supporting WIA, but I was hoping ProGet manages this under the hood when switching to integrated web server.
Our ProGet instance is bound to a hostname and a port.
I already tried to explicitly disable WIA for our npm feeds, but it does not seem to be working.
Is there another setting I am missing?
Thanks,
Caterina
Hi all,
we are trying to update from ProGet 2024 to ProGet 2025.
As I understood the documentation we have to move from IIS to integrated web server.
Right now we are running ProGet on two IIS sites. One where windows authentication is enabled and one where it is disabled (necessary for npm).
Is this still possible when moving to Integrated Web Server?
We need to keep the windows authentication but I am not sure if our npm tasks will continue working.
Maybe you can clarify that for me.
Thanks,
Caterina
Hi all,
we tested the .slnx support of pgutil and noticed that pgutil can only detect projects that are a direct child of the root element.
If the .slnx structure is more complex, projects are not found.
E.g:
Both projects are detected by pgutil:
No projects are being found:
Since it was a quick fix, we created a pull request for it:
https://github.com/Inedo/pgutil/pull/25
Please have a look at it and let us know if you can confirm the behavior.
Thanks
Caterina
Hi @stevedennis,
thank you.
It looks like you guys created a seperate repo for ConsoleMan:
https://github.com/Inedo/ConsoleMan
I guess this one creates the NuGetPackage?
Thanks,
Caterina
Hi all,
I got the latest source code of pgutil and wanted to compile it.
Unfortunately, I get the error that the package 'ConsoleMan' can not be found.
I know that there was the project 'ConsoleMan' in previous versions but it seems like it has been removed.
Is there something special I have to do to build the solution? Maybe I am missing something.
Thanks
Caterina
Hi @atripp,
so as far as I understood it, one should not tag packages with the latest Tag themself, npm handels that tag.
If no specific tag is given, "npm publish" gives the latest tag to the last uploaded version. And if a new version is uploaded without a specific tag, this version gets the latest tag and it is being removed from the former package.
But we would also lose the tags if we manually tag them. Maybe we want to separate between testversions and productionversions with tags. Just a thought. We also lose this tag during promotion.
So maybe you can not only promote the latest tag but all tags? To lose information about a package is always bad I guess.
Tanks,
Caterina
Hi all,
we noticed that some of our npm packages are missing its tags.
Having a closer look at that issue we noticed that the tags are lost during promotion.
Usually, we upload our packages with the tag "latest" to a testfeed. After testing we promote the package to our live feed. In the testfeed we can see the tag, in the live feed the tag is missing.
Testfeed:
LiveFeed:
We usually promote packages using the api but it also happens when we manually promote packages.
We also noticed that manually adding a npm package is not saving the tag. In the upload window you already suggest the tag "latest" so we just leave it:
But the tags are empty after the upload:
We noticed this behavior because we are using "npm outdated" to check if there are newer versions of installed npm packages. This command scans registries for the package with the tag "latest" but we never got any suggestions for our packages.
Can you verify this behavior?
Thanks,
Caterina
Hi @rhessinger,
thank you for pointing out the feed features. License detection was not enabled in the feed I used for testing. After activating the feature the package is being reanalyzed correctly and the global policy is being used.
Thanks
Caterina