[Preview] Upgrading to ProGet 2023
- Updated on 06 Mar 2023
- 7 Minutes to read
ProGet 2023 is still in early development. This article is a preview of what to expect when upgrading. There are a lot of rough notes/bullets that we will fill in later, and some of the complete-looking information may change.
ProGet 2023 is a major update, and this article provides information about what will change, the impact to your instance, and how to mitigate risk during upgrade.
Planning for Your Upgrade
ProGet 2023 is a major upgrade, and many of the changes were additive features (available as "preview" features in ProGet 2022), platform updates (library upgrades, etc.), and UI changes.
Upgrading from ProGet 2022
There are some key things to keep in mind before upgrading:
- XYZ has updated/refactored, and you may need to migrate configuration
- ABC has been replaced and you may want to migrate data
- Something something
You can also roll back to ProGet 2022 without restoring your database if there are issues.
Upgrading from Older Versions
In most cases, we recommend directly upgrading to ProGet 2023 from ProGet 5.2, ProGet 5.3, and ProGet 6.0. Please read the upgrade notes from each version to learn what changed and how to mitigate risks.
In ProGet 2022, something about platform changes (maybe) and old data. Perhaps warn about data removal?
In ProGet 6.0, due to API Key changes, some users reported that some API Keys needed to be edited or deleted and recreated to fix permission issues.
In ProGet 5.3, legacy NuGet ("quirks") feeds were removed. You will need to migrate all of these feeds before upgrading.
Upgrading from ProGet 5.1 or Earlier
If you're upgrading from ProGet 5.1 or earlier, you should upgrade to ProGet 5.2 first. Upgrading directly is not recommended.
We recommend upgrading to the latest ProGet 5.2, then to the latest ProGet 2023. See: 5.3 notes, v4 notes, v2/v3 notes
New Features in ProGet 2023
Redesigned Feature: Vulnerabilities
ProGet 2023 includes an "offline" vulnerability database called ProGet Vulnerability Central (PGVC) that is updated nightly and whenever you upgrade ProGet. Unlike third-party vulnerability services (such as OSS Index) that require an API call or an overnight download, PGVC vulnerability data is available immediately, even for remote packages.
Having this built-in database led us to rethink the vulnerabilities feature, and make the following changes:
- You can now enable or disable vulnerabilities on a feed (instead of relying on the confusing Feed Usage setting)
- On remote packages (i.e. not cached or local):
  - vulnerabilities from PGVC will always be displayed
  - you can assess these vulnerabilities before downloading or using the package
  - if "block unassessed" is configured, attempting to download a remote package will result in an error
  - otherwise, the vulnerabilities will be added to ProGet and considered unassessed
- Vulnerability sources like OSS Index are now called "third-party vulnerability sources"
On cached or local packages, vulnerabilities behave largely the same as before: if a new vulnerability is downloaded in a PGVC update, the package will get an unassessed vulnerability.
The experimental "on-demand vulnerability scanning" feature was also removed, as it rarely worked due to rate limitations of OSS Index.
If you're currently using a third-party vulnerability source like OSS Index, then PGVC will not be enabled. If you enable PGVC alongside it, you will very likely receive duplicate vulnerability reports and see a lot of unassessed vulnerabilities.
Unfortunately, these duplicates cannot be automatically resolved.
There is no risk mitigation required, as this is additive and will not impact your existing data or configuration. In addition, this was introduced as a preview feature in ProGet 2022.20.
New Feature: HTTP/HTTPS Setting
ProGet 2023 allows you to configure HTTP/HTTPS settings from within ProGet, on the Administration page. This only applies if you're using the Integrated Web Server on Windows, as both IIS and Docker manage these settings externally to ProGet. See Configuring HTTPS on the Integrated Web Server to learn more.
There is no risk mitigation required, as the pages simply edit configuration files on disk and restart the web server. The changes/additions were introduced as a preview feature in ProGet 2022.19.
Improved Feature: NuGet Symbol Serving
NuGet feeds in ProGet 2023 allow a symbol package (i.e. a .snupkg file) to be stored alongside the main package (i.e. the .nupkg file).
When this feature is enabled, you can use the dotnet nuget push --symbol command to push both packages to the same feed. If you've already enabled symbol serving on your NuGet feed and would like to try this combined approach, you can change the symbol serving setting from Legacy (.symbols.nupkg) to Mixed (both formats). See the updated Source and Symbol Server documentation to learn more.
There is no risk mitigation required, as trying to run dotnet nuget push --symbol against a feed without this setting would simply result in an error. In addition, this was introduced as a preview feature in ProGet 2022.20.
Improved Feature: Active Directory Integration
ProGet 2023 supports the latest version (v4) of our Active Directory / LDAP integration. This version is a rewrite of the previous one (v3); it adds optimizations and advanced LDAP filtering, and is tied to a single domain, which simplifies LDAP queries. It also includes a new Microsoft Active Directory Group Search Type for improved performance and customization of LDAP queries, supporting large forests and other LDAP providers. See Active Directory / LDAP (v4) to learn more.
There is no risk mitigation required, as this is a separate user directory and will not be enabled by default. Support was introduced as a preview feature in ProGet 2022.20.
Improved UX: "Feed Usage" -> "Feed Features"
In ProGet 2022 and earlier, you could set the "Feed usage" on a feed to be Free/Open Source, Private/Internal, Validated/promoted, or Mixed. This setting controlled which tabs and messages were displayed in the user interface and whether packages without licenses would be blocked. For example, "Private/Internal packages" wouldn't display the license or vulnerability information, nor block unlicensed packages.
In ProGet 2023, this setting was changed to "Feed Features" to give more granular control over what is shown in the user interface. You can now control whether to:
- Display vulnerability information and enforce download blocking rules
- Display license information and enforce download blocking rules
There is no risk mitigation required. This was introduced as a preview feature in ProGet 2022.21, and it was enabled by default on new installations.
New Feature: Web-based Package Editor
Talk about this feature, etc.
There is no risk mitigation required. This was introduced as a preview feature in ProGet 2022.21.
Back-end Refactoring: Package Centralization
In ProGet 2022 and earlier, package metadata was stored in feed-specific tables like NpmPackages and NuGetPackageVersions. This made cross-feed queries (such as showing recently published packages) complex and relatively slow.
In ProGet 2023, we created a centralized package metadata table to store common information about each package in ProGet, such as file size, publish date, hash, etc. This "centralizing" will make it easier for us to add new feed types and related features down the road.
After upgrading, when ProGet 2023 starts for the first time, package data will be copied from the feed-specific tables to the central table. This should be relatively fast, but expect several minutes of downtime if you have 100k+ packages.
TBD.
Rollback quickly?
Upgrade Process
You should generally perform the upgrade using the same method you used to install.
- On Windows, the most common installation method is using the internet-connected Inedo Hub; see HOWTO: Upgrade or Downgrade with the Inedo Hub for more details on how to upgrade.
- On Linux, the most common installation method is using our Docker container; see Upgrading Docker Containers for more details.
However, there are other installation options available, including offline installation, cluster installation, and even manual installation. If you want to change installation methods, the easiest way is to simply uninstall (by following the process in reverse) and install using the new method.
If you're upgrading from ProGet 5.3 or earlier, it's possible ProGet was installed with the legacy installer. The Inedo Hub should be able to upgrade these installations, but you may need to uninstall and then reinstall using the Inedo Hub.
You should make sure your installation is backed up before upgrading.
While you can upgrade from ProGet 5.0 and later directly to ProGet 2023 (i.e. there is no need to install intermediate versions), you can only roll back to ProGet 2022 without restoring your database.
Rolling Back
If you want to roll back to ProGet 6.0 or earlier, you will need to restore the instance to its previous state. See the Backing Up & Restoring documentation to learn more.
However, if you need to roll back to ProGet 2022, you can do so without restoring the database by simply using the Inedo Hub. While there are database schema changes, they are all backwards-compatible with ProGet 2022, which means you can safely roll back your ProGet installation if there's a showstopper bug, and then upgrade later.