Upgrading to ProGet 2026

ProGet 2026 is a major update, and this article provides information about what will change, the impact to your instance, and how to mitigate risk during upgrade.

Planning for Your Upgrade

ProGet 2026 is a major upgrade, and many of the changes were additive features (available as "preview" features in ProGet 2025), configuration changes (Windows Service architecture, Docker base image), platform updates (library upgrades, etc.), and UI changes.

Upgrading from ProGet 2025

If there are issues, you can rollback to ProGet 2025 without restoring your database.

Upgrading from Older Versions

If you're currently using ProGet 5.2, ProGet 5.3, ProGet 6.0, ProGet 2022, ProGet 2023, or ProGet 2024 we recommend directly upgrading to ProGet 2026. While it won't hurt to do incremental upgrades, there's almost never a benefit. However, if there are issues, you will need to restore your database before rolling back.

Please read the upgrade notes from each version to learn what changed and how to mitigate risks. To summarize:

In ProGet 2025, PostgreSQL support was added and IIS support was removed.

In ProGet 2024, many of the changes were in ProGet's SCA features like Vulnerability Scanning, License Detection, Assessments, SBOMS, and Projects/Builds. Webhooks & Notifiers were also redesigned.

Upgrading from ProGet 2022 or Earlier

In ProGet 2023, in addition to the new packaging indexing system, there were several changes surrounding vulnerability scanning. One breaking change was that Docker images will no longer have the library/ namespace automatically appended on push.

In ProGet 2022, the hosting platform changed to .NET6 and users initially reported performance issues, but these should be mostly fixed in maintenance releases. In addition, the Package Consumers feature was also replaced in favor of SCA Projects and Releases.

In ProGet 6.0, due API Keys changes, some users reported that some API Keys needed to edited or deleted and recreated to fix permissions issues.

In ProGet 5.3, legacy NuGet ("quirks") feeds were removed. You will need to migrate all of these feeds before upgrading.

Upgrading from ProGet 5.1 or Earlier

We recommend upgrade to latest ProGet 5.2, then latest ProGet 2026. See: 5.3 notes, v4 notes, v2/v3 notes

New Features in ProGet 2026

Feature Overhaul: Vulnerabilities Management

There are substantial changes to the way vulnerabilities are managed in ProGet 2026, both in the UI and the backend. It's basically a feature rewrite.

However, at a high-level, the functionality remains the same:

• ProGet identifies vulnerabilities in packages
• ProGet automatically assesses the severity of those vulnerabilities based on user-definable severity rules
• Users can override ("manually assess") or comment on individual vulnerabilities
• Packages become "Noncompliant" based the assessment
• Noncompliant packages can be blocked from being used

The key differences are:

• The "vulnerability database" is now stored as a read-only file on disk instead within the ProGet database
• The 5-category Package Vulnerability Remediation Scale (PVRS) is displayed instead of the 100-point CVS Score
• Users can customize the Risk Profile used to calculate the PVRS category
• Assessment language has been updated to reflect the appropriate response (i.e. "Monitor, Remediate, Contain") instead of mostly severity (i.e. "Ignore, Critical, Block")

From a workflow perspective, the biggest changes are:

• Vulnerability "severity" will be much more balanced with PVRS and reflect the actual exploit risk instead of "theoretical damage from a sophisticated attacker under ideal conditions"
• "Assessment" is automatic by default, which aligns to most users' expectations
• Unless a user overrode the assessment, ProGet will automatically reassess when the vulnerability facts changed or you change relevant configuration (assessment rules or risk profile).
• "Unassessed" vulnerability should no longer be part of a workflow

Assessment/Comments Not Migrated... Yet

From a data perspective, the existing assessments, assessment types, comments, and policy assessment rules were not migrated. This was because nearly all of the assessments and comments we've seen in the field were related to problems that the new assessment system is designed to automatically addressed.

However, the data remains in the database, stored in dormant/unused tables. Should you wish to migrate or export this data, just let us know. We can build a migration tool, script, etc. From what we saw, the data simply didn't seem worth migrating.

Updated Feature: SCA Projects Groupings

Feed Groups are now called Feed & Project Groups. A group created on this page will be used used to visually group related items in UI as well as define permissions that are shared across all feeds in the group.

This allows projects to be split into groups so that different teams can use them without interfering with eachother.

Removed Feature: Package & Container Scanners

The Package & Container Scanners feature was introduced in early versions of ProGet with limited documentation and no clear use case. As such, it hadn't gotten much usage and was effectively disabled since ProGet 2022.

The code has been finally removed. However, should you be interested in reviving this feature, please join the discussion on the forums and let us know.

See the archived container scanner documentation (github.com) and package scanner documentation (github.com) to learn more.

Other Improvements & Notable Changes

Health Handler Changes

The /health endpoint now provides a simple, plain text error message to allow monitoring systems to convey the system error without parsing JSON. The old health handler is still accessible under /health/json.

Various Changes & Improvements

• Docker Feed UI Tweaks; improved support for displaying manifest lists (i.e. fat manifests) and attestations
• Platform Upgrade (.NET8 to .NET10)
• "Notifications" Feature; added via PG-3233 as a preview feature, provides in-application notifications instead of relying on email
• Concurrent Request Limit; now defaults to 100
• Removed Various Advanced Settings; several settings (e.g. ExecutionDispatcherThrottle) should never be changed and have been removed from Advanced Configuration
• Connector-installed Packages use Repository's Publish Date; introduced as the UseConnectorPublishDate advanced setting in ProGet 2025, cached and pulled connector packages will now use the publish date specified in the upstream repository as opposed to the date the package was added to package

Upgrade Process

You should generally perform the upgrade using the same method you used to install.

• On Windows, the most common installation method is using the internet-connected Inedo Hub; see HOWTO: Upgrade or Downgrade with the Inedo Hub for more details on how to upgrade.
• On Linux, the most common installation method is using our Docker container; see Upgrading Docker Containers for more details.

However, there are other installation options available, including offline installation, cluster installation, and even manual installation. If you want to change installation methods, the easiest way is to simply uninstall (by following the process in reverse) and install using the new method.

If you're upgrading from ProGet 5.3 or earlier, it's possible ProGet was installed with the legacy installer (github.com), The Inedo Hub should be able to upgrade these installations, but you may need to uninstall and then reinstall using the Inedo Hub.

While you can upgrade from ProGet 5.0 and later to ProGet 2026 (i.e. there is no need to install intermediate versions), you can only rollback to ProGet 2025 without restoring your database.

Rolling Back

However, if you need to rollback to ProGet 2025, you can do so without restoring the database by simply using the Inedo Hub. While there are database schema changes, they are all backwards-compatible with ProGet 2025, which means you can safely rollback your ProGet installation if there's a showstopper bug, and then upgrade later.