Internet Explorer is no longer supported. Many things will still work, but your experience will be degraded and some things won't function. Please use a modern browser such as Edge, Chrome, or Firefox.

NuGet (.NET) Packages and Feeds in Proget

view on GitHub

NuGet is the package manager for .NET and a NuGet feed allows client tools like Visual Studio to consume and publish NuGet and symbol packages.

You can also use a NuGet Feed as a proxy for NuGet.org, both to block improper licenses and security vulnerabilities, and to cache packages in case the Internet or NuGet.org goes down.

Authenticating to NuGet Feeds

By default, NuGet feeds in ProGet do not need to be authenticated to when consuming packages. However, if your feed requires authentication to view and download packages, then you'll need to configure an authenticated source when adding the feed.

When an authenticated feed is added to Visual Studio, you'll be prompted for a username and password. You can enter api for the username and your api key as the password:

visualstudio-connecttoserver-inputted.png

Or, you can use the --username and --password arguments in the NuGet CLI:

$ dotnet nuget add source --name "Internal NuGet" --username api --password abcdef12345 https://proget.corp.local/nuget/internal-nuget

See the NuGet CLI sources command to learn more.

Authentication for Publishing Packages

If you use the NuGet CLI to push packages to ProGet, you'll need to also specify an --api-Key argument.

You can also add an API key to a source using the setApiKey command:

$ dotnet nuget setApiKey «api-key» -Source «feed-url»

The NuGet CLI only uses this setting for pushing packages; it will be ignored when viewing/downloading packages, which means you'll also need to add an authenticated source.

Creating and Publishing NuGet Packages

The NuGet package format is well-documented, and you can create packages in a number of ways, including directly from Visual Studio or using using the NuGet CLI.

However, many users find it easiest to publish packages using pgutil. This requires some minor configuration before use, but allows you to more easily specify different feeds.

For example, to upload the package My.Package.1.0.0.nupkg stored at bin\publish to your internal-nuget feed you would enter:

$ dotnet nuget setApiKey «api-key» -Source «feed-url»

The NuGet CLI only uses this setting for pushing packages; it will be ignored when viewing/downloading packages, which means you'll also need to add an authenticated source.

Creating and Publishing NuGet Packages

The NuGet package format is well-documented, and you can create packages in a number of ways, including directly from Visual Studio or using using the NuGet CLI.

However, many users find it easiest to publish packages using pgutil. This requires some minor configuration before use, but allows you to more easily specify different feeds.

Your package will then be uploaded to the internal-nuget feed. To learn more about creating and publishing packages, see HOWTO: Publish NuGet Packages to a Private Repository in ProGet.

Symbols and Source Packages

A NuGet feed in ProGet may be configured as a Symbol/Source server compatible with debuggers such as Visual Studio and WinDbg. This will allow you to "step through" code in your NuGet package as if it were in the project.

Configuring this is a bit more involved than simply enabling that feature on your feed, and requires creating special NuGet symbol packages and then configuring Visual Studio to use those packages. See Symbols and Source Code in ProGet to learn more.

Vulnerability Integration

Beginning in ProGet 2023.5, we have added support to show vulnerability information directly in Visual Studio and the NuGet CLI. You will see the severity of your vulnerability along with a link to see the vulnerability details in ProGet.

When selecting a package version with a vulnerability in Visual Studio, you will see the severity with a clickable link to the vulnerability in ProGet.

When running dotnet list package --vulnerable in the NuGet CLI, you will see a list of vulnerable packages with their severity and a link to the vulnerability in ProGet.

⚠ ProGet Free edition limits vulnerability information shown in Visual Studio and the NuGet CLI.