Use upstream sources in a public feed
Azure Artifacts enables developers to manage their dependencies from a single feed. Using upstream sources, you can consume packages from feeds and public registries such as NuGet.org and npmjs.com. In this article, you'll learn how to:
- Create a public feed
- Enable upstream sources
- Add a new upstream source
Prerequisites
- An Azure DevOps organization. Create an organization if you don't have one already.
- An Azure DevOps project. Create a new project if you don't have one already.
- Set your project visibility to public.
Important
Package lock files help with reproducible builds and reduce the scenarios in which an anonymous user is prompted for credentials when using public feeds.
Create a public feed
A public feed is a project-scoped feed in a public project. Public feeds inherit the visibility settings of the hosting project.
Sign in to your Azure DevOps organization, and then select your public project.
Select Artifacts, and then select Create Feed.
Give your feed a Name, and then select Project: PublicProject (Recommended) for its scope.
Select Create when you're done.
Add an upstream source
Sign in to your Azure DevOps organization, and then select your public project.
Select Artifacts, and then select your public feed.
Select the gear icon to access your Feed Settings.
Select Upstream Sources, and then select Add Upstream.
Select your upstream source Type. In this example, we'll be adding NuGet.org as an upstream source.
Configure your source, and then select Save when you're done.
Select Save to save your new upstream source.
Important
Public feeds do not support upstreaming to a private Artifacts feed. If you are using a public Azure Artifacts feed, you can only upstream to public registries (NuGet.org, npmjs) or other public Azure Artifacts feeds.
Restore packages
Run the following command in an elevated command prompt:
Note
You must be a Collaborator or higher to install new package versions from upstream. Anonymous users can only install packages that exist in their feed.
Q&A
Q: I'm trying to restore my packages but I keep getting a 401 unauthorized error?
A: The contents of a feed can only be changed by an authenticated and authorized identity who has appropriate permissions on the feed. This includes saving packages into the feed from an upstream source. Unauthenticated (anonymous) users can download packages already saved into a feed, but cannot save new packages from an upstream into the feed.
Maintainers of a project should save all needed versions of packages into the public feed. This can be done by restoring a project using an identity that can supply credentials to the feed when prompted, and ensuring that the identity used has Collaborator or higher permissions on the public feed.
If anonymous users who are restoring packages for a project are repeatedly being blocked by requests for credentials (401 response), the following approaches will reduce or eliminate the issue:
- Avoid using package version ranges in your project configuration. Explicit package versions will ensure that packaging clients only request the exact version needed.
- Where supported, utilize lock files for your packaging ecosystem so that the packaging clients only request the specific versions needed for the project during a restore/install operation.
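The following Python check is an added example, not part of the original article or of Azure Artifacts tooling. It flags `PackageReference` entries in a project file that use floating versions or version ranges, the cases the guidance above says to avoid. The sample project and package names are constructed, and treating a bare version such as `2.1.0` as explicit is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample project file; package names are placeholders.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Contoso.Pinned" Version="2.1.0" />
    <PackageReference Include="Contoso.Exact" Version="[3.0.1]" />
    <PackageReference Include="Contoso.Floating" Version="1.*" />
    <PackageReference Include="Contoso.Range" Version="[1.0.0,2.0.0)" />
    <PackageReference Include="Contoso.Child">
      <Version>4.2.0-*</Version>
    </PackageReference>
    <PackageReference Include="Contoso.NoVersion" />
  </ItemGroup>
</Project>"""

def local(tag):
    """Strip an XML namespace so legacy (xmlns) project files also match."""
    return tag.rsplit("}", 1)[-1]

def classify(version):
    """Return 'pinned', 'floating', 'range' or 'missing' for a NuGet version string."""
    if version is None or not version.strip():
        return "missing"   # may be set centrally; needs a manual look
    v = version.strip()
    if "*" in v:
        return "floating"  # e.g. 1.* or 4.2.0-*
    if "," in v:
        return "range"     # interval notation, e.g. [1.0.0,2.0.0)
    if v[0] in "[(" or v[-1] in "])":
        return "pinned" if v[0] == "[" and v[-1] == "]" else "range"
    return "pinned"        # assumption: a bare version counts as explicit

def audit(csproj_text):
    """List (package, version, kind) for every reference that is not pinned."""
    findings = []
    for el in ET.fromstring(csproj_text).iter():
        if local(el.tag) != "PackageReference":
            continue
        version = el.get("Version")
        if version is None:  # version given as a child element
            child = next((c for c in el if local(c.tag) == "Version"), None)
            version = child.text if child is not None else None
        kind = classify(version)
        if kind != "pinned":
            findings.append((el.get("Include") or el.get("Update"), version, kind))
    return findings

if __name__ == "__main__":
    for name, version, kind in audit(SAMPLE_CSPROJ):
        print(f"{name}: {version!r} is {kind}")
```

Running a check like this in CI before publishing the project lets maintainers fix unpinned references and save the exact versions into the public feed before anonymous users try to restore.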
Q: I'm trying to restore my packages using Visual Studio, but I'm noticing that they're getting pulled from a different source?
A: Make sure that Visual Studio is using the source referenced in your nuget.config file and not from the local NuGet package manager. See Package sources for more details.
You can also use the NuGet CLI to force NuGet to use the source in your config file by running the following command:
nuget restore -config <PATH_TO_NUGET_CONFIG_FILE>