vcpkg May 2022 Release: artifacts using JSON, COS and SPDX support, and more

Augustin Popa

The May 2022 release of the vcpkg package manager is available. This blog post summarizes changes from March 31st, 2022 to May 10th, 2022 for the Microsoft/vcpkg and Microsoft/vcpkg-tool GitHub repos.

Some stats for this period:

  • 10 new ports were added to the open-source registry. If you are unfamiliar with the term ‘port’, they are packages that are built from source and are typically C/C++ libraries.
  • 422 updates were made to existing ports. As always, we validate each change to a port by building all other ports that depend on or are depended by the library that is being updated for our nine main triplets.
  • There are now 1,936 total libraries available in the vcpkg public registry.
  • The May release of the main vcpkg repo includes 238 commits by 63 people.
  • The main vcpkg repo has 4.5k forks and 15.7k stars on GitHub.


Notable Changes

vcpkg Artifacts update

This is our first significant update to vcpkg artifacts since we introduced them in December. The changes and additions are all on the artifact metadata used in populating catalogs of available artifacts. As such this section is mainly of interest to people working on preparing their own catalogs of artifacts.

The experience is still in preview and retains a focus on embedded developers, but will expand to C++ scenarios targeting Linux, macOS, and Windows soon.

Metadata format changes

Based on our experiences in expanding the available artifacts in registries we encountered the need to describe more in the registry metadata and realized some of the existing capabilities could be better named.

You will observe all the examples below are in json. When first released, vcpkg artifact catalogs could be created as either yaml or json and our examples were in yaml. Going forward we are normalizing to use json only.

The current “settings” has been renamed “exports” as that is functionally what it is doing. Similarly, the “variables” block has been renamed “environment” as it is setting environment variables.

There are a few additions as well, all to the exports block:

  • contents: categorized files/contents, documentation, etc.
  • aliases: named commands for use by the consumer or Visual Studio / Visual Studio Code integration

We also found the need to be able to support value expansion within demand blocks based on activation.

The examples in the sections below are snippets, see the default vcpkg artifact registry for complete entries.

Settings to exports

We had a “settings” block that was part of the “demands” block. This block is now named “exports” as it better describes what this block does as it is exporting the configuration into the environment.

"demands": {
    "exports": {
        "tools": {
            "cmake": "bin/cmake",
            "cmake_gui": "bin/cmake-gui",
            "ctest": "bin/ctest"
        "paths": {
            "path": "bin"
Variables to environment

There was a variables block used to store the environment variables that are exported from the artifact. “Variables” is not as clear as it could be, as such the name has been changed to “environment” to better convey what this section does. The environment block is part of the exports block.

"exports": {
  "environment": {
      "CLFAGS": "-Wall -Wextra -Werror"

PR: Microsoft/vcpkg-tool#473


Added Cloud Object Storage support for binary caching

Cloud Object Storage (COS) is a distributed storage service from Tencent Cloud accessible via HTTP/HTTPS. A recent community PR enables vcpkg users to use COS for binary caching. Binary caching saves copies of library binaries in a shared location that can be accessed by vcpkg for future fast installs, potentially across multiple development environments locally and in CI.

PRs: Microsoft/vcpkg#23538, Microsoft/vcpkg-tool#476 (thank you @day253!)


Added Software Package Data Exchange (SPDX) v2.2.1 support

Software Package Data Exchange (SPDX) establishes a standard for software bill of materials (SBOM). It allows the expression of components, licenses, copyrights, security references and other metadata relating to software (Source: Wikipedia). In this release, experimental support was added for the latest SPDX standard to vcpkg which makes it possible to easily track all dependencies that vcpkg installs on your system. This is very important for organizations with security compliance needs, including US-based organizations selling software to the United States government. While vcpkg needs to support SPDX for our own internal compliance needs, this can also be leveraged by vcpkg users shipping their own software. We are still working on this experience, but the prototype is in this tool release.

PR: Microsoft/vcpkg-tool#296


Warn on classic mode build failure if version constraints weren’t met

Tracking has been added for version constraints in vcpkg classic mode. Classic mode is when you specify ports to install in the command line via vcpkg install <PORT>, rather than installing via a manifest. The version constraints are displayed to the user in case of a build failure. While it is by design that classic mode does not force users to rebuild dependencies that are out-of-date, knowing the version constraints is a big help for debugging. This display appears for install commands only.

PR: Microsoft/vcpkg-tool#494


Improved console output for port operations

Cleaned up console output when vcpkg is installing, modifying, or removing ports. New behavior also publishes additional test results to improve diagnostics. We’ve gotten a lot of user feedback that vcpkg is more verbose than people feel is productive – this is just one step toward a more concise vcpkg!

PR: Microsoft/vcpkg-tool#437


Secrets are stripped from curl errors before printing them

For security reasons, secrets listed in curl errors (e.g. x-azblob SAS) are no longer displayed when the errors are printed in vcpkg output in the console window.

PR: Microsoft/vcpkg-tool#499


Total Ports Available for Tested Triplets

triplet ports available
x86-windows 1,744
x64-windows 1,793
x64-windows-static 1,689
x64-windows-static-md 1,705
x64-uwp 925
arm64-windows 1,327
arm-uwp 874
x64-osx 1,649
x64-linux 1,724

While vcpkg supports a much larger variety of target platforms x architectures, the list above is routinely tested to ensure updated ports don’t break other ports in the catalog.


Thank you to our contributors

vcpkg couldn’t be where it is today without contributions from our open-source community. Thank you for your continued support! The following people contributed to the vcpkg and vcpkg-tool repos between March 31 – May 10, 2022:

  • Thomas1664 (36 commits)
  • chausner (33 commits)
  • autoantwort (23 commits)
  • dg0yt (18 commits)
  • Neumann-A (11 commits)
  • RT222 (7 commits)
  • daschuer (4 commits)
  • Pospelove (4 commits)
  • coryan (3 commits)
  • ZeeWanderer (2 commits)
  • mathisloge (2 commits)
  • cenit (2 commits)
  • AenBleidd (2 commits)
  • day253 (2 commits)
  • Ryan-rsm-McKenzie (1 commit)
  • evpobr (1 commit)
  • yurybura (1 commit)
  • luncliff (1 commit)
  • wrobelda (1 commit)
  • wravery (1 commit)
  • horenmar (1 commit)
  • podsvirov (1 commit)


Learn More

You can find the full May release notes on GitHub for the main repo. Recent updates to the vcpkg tool can be viewed on the vcpkg-tool Releases page. If you’re new to vcpkg or curious about how a package manager can make your life easier as a C/C++ developer, check out the vcpkg website –

If you would like to contribute to vcpkg and its library catalog, or want to give us feedback on anything, check out our GitHub repo. Please report bugs or request updates to ports in our issue tracker, or join more general discussion in our discussion forum. For an overview of our top priorities and backlog, take a look at our roadmap page.



Discussion is closed. Login to edit/delete existing comments.

  • Richard Wheeler 0

    Have a question. How can this system be useful going forward if the people who support getting packages upgraded are unable to get them done. I tried for months to get Tesseract upgraded and the support has no understanding of the pipeline and why it rejects the upgrade.

    If this can’t be addressed then why continue to support it if needed packages cannot be upgraded.

    Appreciate a real answer on this.


    • Augustin PopaMicrosoft employee 0

      Hi Richard, thanks for raising this issue. I am following up with the team now to look into this, we will get back to you as soon as possible with a response.

Feedback usabilla icon