    The NuGet Blog

    The latest news, updates, and insights from the NuGet team

    Security Archives | The NuGet Blog

    Deprecating TLS 1.0 and 1.1 on NuGet.org
    Scott Bommarito, November 15, 2019

    At Microsoft, using the latest and secure encryption techniques is very important to us to ensure the security and privacy of our customers. TLS 1.0 and TLS 1.1, released in 1999 and 2006 respectively, are known to be vulnerable to a number of attacks including POODLE and BEAST.

    Lock down your dependencies using configurable trust policies
    Rido, December 5, 2018

    For the past several months we have focused on various features to improve package security and trust. Around a year back, we had announced our plans on various signing functionalities that we have been implementing at a steady pace. We enabled package author signing and NuGet.org repository signing earlier this year.

    NuGet.org starts repo-signing packages
    Rido, August 10, 2018

    In May, we implemented Stage 1 and enabled support for any NuGet.org user to submit signed packages to NuGet.org. Today, we are announcing Stage 2 of our NuGet package signing journey – tamper proofing the entire package dependency graph.
    What is a Repository Signature?

    Introducing signed package submissions to NuGet.org
    Rido, May 22, 2018

    In September 2017, we announced our plans to improve the security of the NuGet ecosystem by introducing the ability for package authors to sign packages. Today, we want to announce support for any NuGet.org user to submit signed packages to NuGet.org.

    NuGet.org will only support MSA/AAD starting June 1st, 2018
    Anand Gaurav, May 15, 2018

    We had previously announced the deprecation of NuGet.org’s home-grown authentication in favor of Microsoft accounts (MSA) that will allow us to add support for additional security systems such as two-factor authentication (2FA). We will be disabling the NuGet.org’s home-grown authentication mechanism starting June 1st,

    NuGet Package Signing
    Rido, September 14, 2017

    In our NuGet Fall 2017 Roadmap, we highlighted security as the main area of investment over the next few months. This blog post describes a major part of that roadmap in greater detail – package signing.
    We started talking about supporting signed packages on NuGet.org a while ago.

    NuGet Package Identity and Trust
    Daniel Jacobson, April 17, 2017

    Update on 10/16/2017: Package ID Prefix Reservation is now live. The documentation can be found here.
    We want to start this post with a huge thanks to you, the NuGet community. Over the last several months we have been talking to many of you to get feedback on NuGet package identity and trust.

    NuGet – Ending Windows XP support
    Karan Nandwani, January 19, 2017

    At NuGet, we are constantly improving our security. One of the steps we are taking is to move our HTTPS end points to meet industry standards for algorithms and protocols. This means that connecting to nuget.org services from machines that don’t support modern cipher algorithms will no longer be supported (such as TLS 1.0 support in Windows XP).

    Changes to Expiring API Keys
    Harikrishna Menon, August 25, 2016

    In June, we published a blog post announcing Expiring API Keys. We received a lot of great feedback from the community about it. In retrospect, we did not do a great job explaining the motivation and reasoning for this security measure to the community.

    NuGet API key expiration
    Maarten Balliauw, June 22, 2016

    Update 6/22 (2:15 P.M PST): We have a lot of feedback coming in from the community on this topic. This change will not have any impact for another 90 days at the minimum. We are reviewing your feedback and will discuss further how to achieve our goal of improved security of NuGet.org.
