Edit

Use upstream sources in a public feed

  • Article

Azure Artifacts enables developers to manage their dependencies from a single feed. Using upstream sources, you can consume packages from feeds and public registries such as NuGet.org, and npmjs.com. In this article, you'll learn how to:

  • Create a public feed
  • Enable upstream sources
  • Add a new upstream source

Prerequisites

Important

Package lock files assist with reproducible builds and minimizing the scenarios where an anonymous user will be prompted for credentials when using public feeds.

Create a public feed

A public feed is a project-scoped feed in a public project. Public feeds inherit the visibility settings of the hosting project.

  1. Sign in to your Azure DevOps organization, and then select your public project.

  2. Select Artifacts, and then select Create Feed.

    A screenshot showing the create feed button in Azure Artifacts.

  3. Give your feed a Name, and then select Project: PublicProject (Recommended) for its scope.

    A screenshot showing how to create a new public feed.

  4. Select Create when you're done.

Add an upstream source

  1. Sign in to your Azure DevOps organization, and then select your public project.

  2. Select Artifacts, and then select your public feed.

  3. Select the gear icon gear icon to access your Feed Settings.

  4. Select Upstream Sources, and then select Add Upstream.

    A screenshot showing how to add an upstream source in a public feed.

  5. Select your upstream source Type. In this example, we'll be adding NuGet.org as an upstream source.

    A screenshot showing the different types of upstream sources.

  6. Configure your source, and then select Save when you're done.

    A screenshot showing how to configure your upstream source.

  7. Select Save to save your new upstream source.

    A screenshot showing how to save the newly added upstream source.

Important

Public feeds do not support upstreaming to a private Artifacts feed. If you are using a public Azure Artifacts feed, you can only upstream to public registries (NuGet.org, npmjs) or other Public Azure Artifacts feeds.

Restore packages

Run the following command in an elevated command prompt:

nuget.exe restore

Note

You must be a Feed and Upstream Reader (Collaborator) or higher to install new package versions from upstream. Anonymous users can only install packages that exist in their feed.

Q&A

Q: I'm trying to restore my packages but I keep getting a 401 unauthorized error?

The contents of a feed can only be changed by an authenticated and authorized identity who has appropriate permissions on the feed. This includes saving packages into the feed from an upstream source. Unauthenticated (anonymous) users can download packages already saved into a feed, but cannot save new packages from an upstream into the feed.

Maintainers of a project should save all needed versions of packages into the public feed. This can be done by restoring a project using an identity that can supply credentials to the feed when prompted, and ensuring that the identity used has Feed and Upstream Reader (Collaborator) or higher permissions on the public feed.

If anonymous users who are restoring packages for a project are repeatedly being blocked by requests for credentials (401 response), the following approaches will reduce or eliminate the issue:

  1. Avoid using package version ranges in your project configuration. Explicit package versions will ensure that packaging clients only request the exact version needed.

  2. Where supported, utilize lock files for your packaging ecosystem so that the packaging clients only request the specific versions needed for the project during a restore/install operation.

Q: I'm trying to restore my packages using Visual Studio, but I'm noticing that they're getting pulled from a different source?

A: Make sure that Visual Studio is using the source referenced in your nuget.config file and not from the local NuGet package manager. See Package sources for more details.

You can also use the NuGet CLI to force NuGet to use the source in your config file by running the following command:

nuget restore -config <PATH_TO_NUGET_CONFIG_FILE>