There are several criteria you can use today to evaluate NuGet packages. We received feedback that you would like even more information to help choose the right packages. We’re excited to introduce GitHub Usage on nuget.org, which allows you to explore top GitHub repositories that depend on the package you are looking at.
NuGet.org now supports surfacing source code repository link for NuGet packages. This will enable package authors to surface both the project’s website and the source repository using the projectUrl and the repository properties respectively instead of having to choose between the two using just the projectUrl property.
In May, we implemented Stage 1 and enabled support for any NuGet.org user to submit signed packages to NuGet.org. Today, we are announcing Stage 2 of our NuGet package signing journey – tamper proofing the entire package dependency graph.
What is a Repository Signature?
In September 2017, we announced our plans to improve the security of the NuGet ecosystem by introducing the ability for package authors to sign packages. Today, we want to announce support for any NuGet.org user to submit signed packages to NuGet.org.
We had previously announced the deprecation of NuGet.org’s home-grown authentication in favor of Microsoft accounts (MSA) that will allow us to add support for additional security systems such as two-factor authentication (2FA). We will be disabling the NuGet.org’s home-grown authentication mechanism starting June 1st,
We are happy to announce support for Organizations on NuGet.org. This will help businesses and open-source projects collaborate on packages using a single nuget.org identity.
NuGet.org used to allow you to create an account and publish packages through that account with little support to manage and publish packages as a team or a group.
We did this blog post to report about the incident that happened on March 22, 2018. In the last couple of days we digged deeper into the incident. Here is the summary of our findings and proposed next steps.
NuGet.org website and V2 APIs were unavailable for 2 hours on March 22,
As announced in our NuGet Fall 2017 Roadmap blog post, we are transitioning away from NuGet.org’s home-grown authentication mechanism which will eventually allow us to add support for additional security systems such as two-factor authentication (2-FA). In preparation for this transition,
In December 2017, we changed the NuGet.org backend publishing pipeline to introduce a set of validation steps for submitted packages. Our goal is to maintain the same level of experience in terms of the time and effort it would take to publish a package and have it available for download.
NuGet.org, the package manager for .NET, was purpose-built as a global service with high scale performance regardless of the developer’s location. We are finding that this is not always the case, particularly for developers accessing the service from China, which is the second largest region for .NET developers.