ProGet 2023 will offer a number of improvements, like better NuGet symbols support, but will mainly focus on our Software Composition Analysis (SCA) features such as vulnerability scanning and license detection. We’re also developing our own “offline” vulnerability database called ProGet Vulnerability Central (PGVC), which will give you quick insight into vulnerable packages.
Many of these features will be available as “previews” in ProGet 2022, including some cool features in this week’s planned maintenance release (2022.20).
What is ProGet Vulnerability Central (PGVC)?
ProGet Vulnerability Central (PGVC) is an offline aggregation of leading vulnerability databases, including GitHub Security Advisories, PyPA, and Global Security Database, and will be bundled into ProGet starting with version 2022.20.
Unlike third-party vulnerability services (such as OSS Index) that require the use of an API or an overnight download, PGVC’s vulnerability data is available instantly, even to remote packages. If ProGet can connect to the Internet, it downloads PGVC updates daily. Otherwise, PGVC data is updated every time you update ProGet.
For example, if you browse to a remote package (e.g. Newtonsoft.Json 12.0.1) in a feed connected to nuget.org, you will immediately see a security vulnerability notification:
And just like in previous editions of ProGet, users of a paid edition can block downloads and assess these security vulnerabilities.
To enable this feature, navigate to Reporting & SCA > Vulnerabilities.
Improved NuGet Symbol Support (.snupack)
NuGet feeds in ProGet 2023 support symbol packages (i.e., a
.snupkg file) that are stored alongside the main package (i.e., the
.nupkg file). When this feature is enabled, you can use the
dotnet nuget push command to push both packages to the same feed.
This is available as a preview feature in ProGet 2022.20. If you have already enabled symbol serving on your NuGet feed and want to try this combined approach, you can change the symbol serving setting from
Legacy (.symbols.nupkg) to
Mixed (both formats). For more information, see the updated Source and Symbol Server documentation.
If you use the Integrated Web Server to host ProGet, you can change the web server ports and select a certificate for HTTPS directly on the Administration page. This is available in ProGet 2022.19 as a preview feature.
See our documentation on Configuring HTTPS on the Integrated Web Server to learn more.
What Else is Coming?
A few other improvements are planned, including:
- Web-based Universal Package Editor, which will let you create and update Universal Packages within the ProGet UI
- Better Feed-creation Experience as well as other UX improvements, such as replacing “feed usage type” with “feed features”, etc.
Otherwise, many of the changes will be behind the scenes and involve centralizing package information in the database. This will make it easier for us to add new feed types and related features.
Ship Date & Preview Features
We don’t have a definitive ship date yet but we are aiming for Q2/Q3.
We have started ProGet 2023 Upgrade Notes, and you can track the development status in the “2023 Preview Feature” Issues in our public issue tracker.