
4 Filtering Practices for NuGet.org

by Eric Seng, on Feb 17, 2022 3:11:00 PM

NuGet.org is the best place to get NuGet packages and jump-start your projects, but how can you quickly vet content when time is tight?

Developers are always on the lookout for unwanted or malicious packages, but it never hurts to ensure teams are following best practices to streamline the process.

We’ve curated four quick filtering tips that will help you browse and download from NuGet.org. These are four great first steps towards a package approval workflow:

1. Use Your Company’s Prefix

All packages created in your organization should start with the name of your company (e.g. Kramerica.*). This follows Microsoft’s naming recommendations: it ensures uniqueness and uses namespace-like names with dot notation.

Using the company name avoids conflict with public packages and protects you from dependency confusion attacks.

Reserving (or “blocking”) your company’s prefix on the open-source repository means illegitimate packages won’t sneak into your supply chain.

2. Manually Approve Infrequently Updated Packages

Using tools like ProGet, you can set up connector filters between your private repository and open-source repositories (e.g. NuGet.org). You can then set these filters to automatically approve or deny packages.

Packages that are infrequently updated, but are important to development (like Newtonsoft.Json, for example), don’t need to be automatically approved or denied.

It’s better to have infrequently updated packages go through a manual approval process, so they can be more thoroughly examined. This ensures nothing major is missed that may affect your development.

3. Automatically Approve Frequently Updated Packages

On the other side of the coin, integral packages that are updated multiple times a week are a pain to manually approve each time.

Take AWSSDK.Core – it’s an integral package engineers need access to and is updated twice a week. Instead of constantly having a manager approve the package via a workflow, set your connector filter to automatically approve these types of packages.

4. Trust ID Prefix Reservation

Organizations can apply for an ID Prefix Reservation for packages hosted on NuGet.org. Once approved, only that organization can publish with that prefix. For example, “System.” is reserved by Microsoft and is used for integral .NET packages.

It’s like being verified on social media, but for NuGet.org.


Applying for an ID Prefix Reservation also covers the first best practice, using your company name, so it’s highly recommended.
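As an added example (not Inedo’s or ProGet’s code), here is a small Python routing policy that combines the four practices above into one connector-filter decision. It assumes the company prefix Kramerica. from practice 1, treats “System.” as the one reserved prefix the post names, and uses an assumed cutoff of four releases in 30 days for “frequently updated”.

```python
from datetime import datetime, timedelta

# Assumed values for this example: the company prefix the post uses, the one
# reserved prefix it names, and an assumed cutoff for "frequently updated".
COMPANY_PREFIX = "Kramerica."
RESERVED_PREFIXES = ("System.",)
FREQUENT_RELEASES_PER_30_DAYS = 4


def has_prefix(package_id, prefix):
    # NuGet package IDs are case-insensitive, so compare in lower case.
    return package_id.lower().startswith(prefix.lower())


def releases_in_window(publish_dates, now, window_days=30):
    """Count versions published within the last window_days."""
    cutoff = now - timedelta(days=window_days)
    return sum(1 for d in publish_dates if cutoff <= d <= now)


def route_package(package_id, source, publish_dates, now):
    """Return "deny", "auto-approve" or "manual-review" for one package.
    source is "private" (your own feed) or "nuget.org" (the public connector)."""
    # Practice 1: the company prefix must only ever come from the private feed;
    # the same ID arriving via nuget.org is a dependency confusion attempt.
    if has_prefix(package_id, COMPANY_PREFIX):
        return "auto-approve" if source == "private" else "deny"
    # Practice 4: a reserved prefix is trusted only from nuget.org, where the
    # reservation is actually enforced; from any other source it proves nothing.
    if any(has_prefix(package_id, p) for p in RESERVED_PREFIXES):
        return "auto-approve" if source == "nuget.org" else "deny"
    # Practice 3: frequently updated packages are approved automatically.
    if releases_in_window(publish_dates, now) >= FREQUENT_RELEASES_PER_30_DAYS:
        return "auto-approve"
    # Practice 2: everything else waits for a human to look at it.
    return "manual-review"


def sample_decisions():
    """Run the filter over constructed sample packages (not real feed data)."""
    now = datetime(2022, 2, 17)
    frequent = [now - timedelta(days=3 * i) for i in range(8)]  # 8 releases in 24 days
    rare = [now - timedelta(days=200)]
    cases = [("AWSSDK.Core", "nuget.org", frequent), ("Newtonsoft.Json", "nuget.org", rare),
             ("Kramerica.Billing", "nuget.org", rare), ("Kramerica.Billing", "private", rare),
             ("System.Text.Json", "nuget.org", rare)]
    return {f"{pkg}@{src}": route_package(pkg, src, dates, now) for pkg, src, dates in cases}


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name:<28} -> {decision}")
```

The same company-prefix ID is approved from the private feed and denied from nuget.org, which is the check that stops a dependency confusion package before it reaches a build.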

Filter Unwanted Packages from Online

These best practices are the first step for sanitizing your NuGet.org experience. There are several other quick steps you can take, like regularly checking for vulnerabilities, or filtering for specific open-source licenses.

We’ve written a guide to help any organization up their NuGet package use in the Enterprise. Sign up below:
