4 Filtering Practices for NuGet.org
by Eric Seng, on Feb 17, 2022 3:11:00 PM
NuGet.org is the best place to get NuGet packages and jump-start your projects, but how can you quickly vet content when time is tight?
Developers are always on the lookout for unwanted or malicious packages, but it never hurts to ensure teams are following best practices to streamline the process.
We’ve curated four quick filtering tips that will help you browse and download from NuGet.org more safely. They are also four good first steps towards a package approval workflow:
1. Use Your Company’s Prefix
All packages created in your organization should start with the name of your company (e.g. Kramerica.*). This follows Microsoft’s package naming recommendations: it ensures uniqueness and uses namespace-like names with dot notation.
Using the company name avoids conflicts with public packages and protects you from dependency confusion attacks, where an attacker publishes a public package with the same name as one of your internal packages and waits for a build to pull it from the public feed instead of your private one.
Reserving (or “blocking”) your company’s prefix on the open-source repository means illegitimate packages can’t be published under that name and sneak into your supply chain.
2. Manually Approve Infrequently Updated Packages
Using tools like ProGet, you can set up connector filters between your private repository and open-source repositories (e.g. NuGet.org). You can then set these filters to automatically approve or deny packages.
Packages that are infrequently updated but important to development (Newtonsoft.Json, for example) don’t need to be automatically approved or denied.
It’s better to have infrequently updated packages go through a manual approval process, so they can be more thoroughly examined. This ensures nothing major is missed that may affect your development.
3. Automatically Approve Frequently Updated Packages
On the other side of the coin, integral packages that are updated multiple times a week are a pain to manually approve each time.
Take AWSSDK.Core: it’s an integral package engineers need access to, and it is updated about twice a week. Instead of constantly having a manager approve each new version via a workflow, set your connector filter to approve these types of packages automatically.
4. Trust ID Prefix Reservation
Organizations can apply for an ID prefix reservation for packages hosted on NuGet.org. Once approved, only that organization can publish new packages under the reserved prefix. For example, “System.” is reserved by Microsoft and is used for core .NET packages. Note that a reservation only controls new IDs; packages other owners had already published under a matching name are not removed, so it complements the connector filters above rather than replacing them.
It’s like being verified on social media, but for NuGet.org.
Applying for an ID prefix reservation covers the first best practice, using your company name, on the public side as well, so it’s highly recommended.
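The four practices above amount to a single decision rule for each package ID a connector offers from the public feed. The following is an added example, not code from this post or from ProGet: it models such a rule as a small policy object with shell-style patterns. The class and field names (`ConnectorPolicy`, `manual_review`, `auto_approve`, `trusted_reserved`), the company prefix `Kramerica.` and the candidate package list are all assumptions constructed for the illustration and do not correspond to ProGet configuration keys.

```python
"""Added example (not ProGet's code): a connector-filter policy that applies the
four NuGet.org filtering practices to package IDs coming from the public feed."""
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

# Decisions a connector filter can hand back for a package from the public feed.
APPROVE, DENY, REVIEW = "approve", "deny", "review"


def _matches(package_id: str, patterns: list[str]) -> Optional[str]:
    """Return the first shell-style pattern (e.g. 'AWSSDK.*') matching the ID.
    NuGet package IDs are case-insensitive, so both sides are compared lowercased."""
    pid = package_id.lower()
    for pat in patterns:
        if fnmatchcase(pid, pat.lower()):
            return pat
    return None


@dataclass
class ConnectorPolicy:
    """Hypothetical filter policy for a connector between a private feed and NuGet.org.
    Field names are this example's own, not ProGet settings."""
    company_prefix: str                                        # practice 1, e.g. "Kramerica."
    manual_review: list[str] = field(default_factory=list)     # practice 2, e.g. "Newtonsoft.Json"
    auto_approve: list[str] = field(default_factory=list)      # practice 3, e.g. "AWSSDK.*"
    trusted_reserved: list[str] = field(default_factory=list)  # practice 4, e.g. "System.*"

    def decide(self, package_id: str) -> tuple[str, str]:
        """Classify one package ID offered by the public connector."""
        # Practice 1: our own prefix must never be served from the public feed.
        # A public package carrying it is a dependency-confusion attempt, so deny it
        # regardless of any other rule.
        if package_id.lower().startswith(self.company_prefix.lower()):
            return DENY, "company prefix may only be served from the private feed"
        # Practice 2 is checked before 3 and 4 so an explicit review rule can
        # never be bypassed by a broader auto-approve or trusted-prefix pattern.
        pat = _matches(package_id, self.manual_review)
        if pat:
            return REVIEW, f"infrequently updated package, rule {pat!r}"
        pat = _matches(package_id, self.auto_approve)
        if pat:
            return APPROVE, f"frequently updated package, rule {pat!r}"
        pat = _matches(package_id, self.trusted_reserved)
        if pat:
            return APPROVE, f"ID prefix reserved by a trusted publisher, rule {pat!r}"
        # Default: an unknown package waits for a human instead of slipping through.
        return REVIEW, "no rule matched"


def unprefixed_private_packages(private_ids: list[str], company_prefix: str) -> list[str]:
    """Practice 1 audit of the private feed: packages without the company prefix are
    the ones an attacker could shadow with a same-named public package."""
    prefix = company_prefix.lower()
    return [pid for pid in private_ids if not pid.lower().startswith(prefix)]


# Constructed sample policy and candidates for the example run (assumptions).
POLICY = ConnectorPolicy(
    company_prefix="Kramerica.",
    manual_review=["Newtonsoft.Json"],
    auto_approve=["AWSSDK.*"],
    trusted_reserved=["System.*", "Microsoft.*"],
)

CANDIDATES = [
    "AWSSDK.Core",          # frequently updated -> approve
    "Newtonsoft.Json",      # infrequently updated -> manual review
    "System.Text.Json",     # reserved prefix, trusted -> approve
    "Kramerica.Billing",    # our prefix on the public feed -> deny
    "Some.Random.Package",  # unknown -> manual review
]

if __name__ == "__main__":
    for candidate in CANDIDATES:
        decision, reason = POLICY.decide(candidate)
        print(f"{candidate:<22} {decision:<8} {reason}")
    # Private packages that should be renamed under the company prefix.
    print(unprefixed_private_packages(["Kramerica.Auth", "InternalUtils"], "Kramerica."))
```

The ordering of the checks is the security-relevant part: the company-prefix deny comes first so that no allow rule can ever pull a look-alike from the public feed, the explicit manual-review list beats the auto-approve patterns, and anything unmatched defaults to review rather than approval.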
Filter Unwanted Packages from Online
These best practices are a first step towards sanitizing your NuGet.org experience. There are several other quick steps you can take, like regularly checking packages for known vulnerabilities, or filtering by open-source license.
We’ve written a guide to help any organization up their NuGet package use in the Enterprise. Sign up below: