Package Consumers (v6 and Earlier)
  • 04 Sep 2023

Package Consumers

The Package Consumers feature was deprecated in ProGet 2022 in favor of Packages and Releases, and will be completely removed in ProGet 2023.

Available in ProGet 5.3 and ProGet 6.0, the Package Consumers feature lets you track what applications and components are consuming specific DLL package versions.

What are Package Consumers?

Package Consumers uses pgscan or an API connection to let you know precisely where any given package is being consumed. This gives you invaluable insight into which specific versions of applications or components are consuming specific versions of your packages. If you discover a critical bug or security vulnerability in a package, you can quickly identify its consumers and fix them or notify the responsible parties, or simply delete the package if it's not in use.

Inside ProGet, Package Consumers are listed under the "Usage & Statistics" tab for each package and are configured and viewed there.

How can they help?

NuGet, npm, PyPI, and other package types are often built using other packages. These "dependencies" are noted in that package's manifest file. Modern applications are often built with dozens (or even hundreds) of packages, and each of those can be built with any number of packages themselves. This means that the actual packages that make up the bulk of the shipped code in any given application may change by simply rebuilding the application, even if you don't change a single line of your own code.

After building your application (and resolving all of those complicated dependencies), ProGet's Package Consumers feature uses pgscan to scan the build output, search for the specific package versions consumed by the application, and publish that data to ProGet along with your application's name and version.

Limitations in the Free Edition

Those using the ProGet Free edition can only add records manually.

Automatically Scan with pgscan

pgscan is a simple, open-source, command-line tool for publishing dependencies used by a package when it is built.

ProGet can use pgscan for NuGet, npm, and PyPI packages. You can extend package consumers further via the API.

Package Consumers API

You can also use the API endpoint to register package consumers, extending the feature to meet your needs.

POST /api/dependencies/dependents
{
  "feed": "shared-libraries",

  "packageName": "kramerica-lib",
  "groupName": "",
  "version": "1000.0.0",

  "dependentPackageName": "hdars-web",
  "dependentGroupName": "",
  "dependentVersion": "44.2.1",

  "comments": "This field *supports* markdown and [URLS](https://my-server/)"
}
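As an added example (not Inedo's code), the Python sketch below builds one request per dependency for the endpoint above, for build outputs that pgscan does not scan. The `name==version` input format, the function names, the `https://proget.local` server and the use of ProGet's `X-ApiKey` header for authentication are assumptions; unpinned entries are rejected because a consumer record is only useful for tracing a vulnerable version when the exact version is known.

```python
import json
import urllib.request

PROGET_URL = "https://proget.local"        # assumed server name
API_PATH = "/api/dependencies/dependents"  # endpoint documented on this page

# Constructed sample input: exact pins, one per line, comments allowed.
SAMPLE_PINS = ["kramerica-lib==1000.0.0", "# build tools", "", "other-lib==2.3.1  # pinned"]


def parse_pinned(lines):
    """Yield (name, version) for each 'name==version' line; reject anything unpinned."""
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue  # blank line or comment
        name, sep, version = (part.strip() for part in line.partition("=="))
        if not sep or not name or not version:
            raise ValueError(f"not an exact pin: {raw!r}")
        yield name, version


def build_requests(feed, consumer, consumer_version, pins, api_key, comments=""):
    """Return one unsent POST request per consumed package, using the page's JSON fields."""
    requests = []
    for name, version in pins:
        body = {
            "feed": feed,
            "packageName": name, "groupName": "", "version": version,
            "dependentPackageName": consumer, "dependentGroupName": "",
            "dependentVersion": consumer_version,
            "comments": comments,
        }
        requests.append(urllib.request.Request(
            PROGET_URL + API_PATH,
            data=json.dumps(body).encode("utf-8"),
            headers={"Content-Type": "application/json", "X-ApiKey": api_key},
            method="POST",
        ))
    return requests


if __name__ == "__main__":
    # Prints the payloads only; send each one with urllib.request.urlopen(req).
    for req in build_requests("shared-libraries", "hdars-web", "44.2.1",
                              parse_pinned(SAMPLE_PINS), api_key="<api-key-placeholder>"):
        print(req.get_method(), req.full_url, req.data.decode("utf-8"))
```
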

HOWTO: pgscan for .NET applications

Azure DevOps users can execute pgscan using the Command Line Task immediately after building the project.

In BuildMaster, pgscan can be added to an OtterScript plan to publish this information:

# Build MyLibrary
DotNet::Build MyLibrary.csproj
(
    Configuration: Release
);

# Publish dependencies of MyLibrary to the proget.local server
Exec
(
    FileName: pgscan.exe,
    Arguments: >> publish
        --input=MyLibrary.csproj
        --package-feed=Libraries
        --proget-url=https://proget.local
        --consumer-package-source=Libraries
        --consumer-package-version=$ReleaseNumber >>
);
