The NuGet Blog

The latest news, updates, and insights from the NuGet team

Deprecating TLS 1.0 and 1.1 on NuGet.org

co-authored by Scott Bommarito At Microsoft, using the latest and secure encryption techniques is very important to us to ensure the security and privacy of our customers. TLS 1.0 and TLS 1.1, released in 1999 and 2006 respectively, are known to be vulnerable to a number of attacks including POODLE and BEAST. In the past, we removed ...

Deprecating packages on nuget.org

We are excited to announce that nuget.org now supports package deprecation. This has been a long standing ask that will help the ecosystem use supported packages. As a package publisher on nuget.org, you can now deprecate packages that are obsolete, legacy, or buggy. You can also suggest an alternate package to your deprecated package. This ...

New and improved NuGet Search is here!

It’s been a long time coming, and today we are excited to announce the new and improved search on NuGet.org leveraging Azure Search. We want to start this post with a huge thanks to you, the NuGet community, for providing feedback. We have aggregated all feedback around search result relevance into one mega issue. We used this as the ...

Introducing Source Code Link for NuGet packages

NuGet.org now supports surfacing source code repository link for NuGet packages. This will enable package authors to surface both the project's website and the source repository using the and the properties respectively instead of having to choose between the two using just the property. The nuspec has supported the property for a while ...

NuGet.org starts repo-signing packages

In May, we implemented Stage 1 and enabled support for any NuGet.org user to submit signed packages to NuGet.org. Today, we are announcing Stage 2 of our NuGet package signing journey - tamper proofing the entire package dependency graph. What is a Repository Signature? A repository signature is a code signing signature produced with an X....

Introducing signed package submissions to NuGet.org

In September 2017, we announced our plans to improve the security of the NuGet ecosystem by introducing the ability for package authors to sign packages. Today, we want to announce support for any NuGet.org user to submit signed packages to NuGet.org. A signed NuGet package is designed to be fully compatible with pre-existing NuGet servers ...

NuGet.org will only support MSA/AAD starting June 1st, 2018

We had previously announced the deprecation of NuGet.org's home-grown authentication in favor of Microsoft accounts (MSA) that will allow us to add support for additional security systems such as two-factor authentication (2FA). We will be disabling the NuGet.org's home-grown authentication mechanism starting June 1st, 2018. This means that ...

Organizations on NuGet.org

We are happy to announce support for Organizations on NuGet.org. This will help businesses and open-source projects collaborate on packages using a single nuget.org identity. Why organizations? NuGet.org used to allow you to create an account and publish packages through that account with little support to manage and publish packages as a ...

Incident report – NuGet.org downtime on March 22, 2018

We did this blog post to report about the incident that happened on March 22, 2018. In the last couple of days we digged deeper into the incident. Here is the summary of our findings and proposed next steps. Customer Impact NuGet.org website and V2 APIs were unavailable for 2 hours on March 22, 2018 between 8:45AM - 11:30AM UTC. More than 1....