MyGet Blog

Package management made easier!

NAVIGATION - SEARCH

MyGet's NuGet and NPM news from the community (November 2016)

It’s November, the holiday season is almost there. In our fourth MyGet's NuGet and NPM news from the community, let's look at some interesting blog posts and articles found on the Internet, curated by our MyGet founders Xavier and Maarten. Follow @MyGetTeam on Twitter for more!

NuGet news

NuGet news, curated by MyGetThe NuGet team just released NuGet 3.5, with mostly performance improvements, features and new target frameworks like netstandard and netcoreapp. The performance improvement during package restore is phenomenal, definitely worth upgrading. And you can now package SemVer 2.0 packages as well (and publish them to MyGet).

They also published a release candidate of 4.0, with support for adding NuGet references in the project file. Which is great as we can now use MSBuild variables in our dependency definitions.

More releases at Microsoft's Connect conference. There's Visual Studio 2017 RC as well as a new .NET Core version (1.1).

Armin Reiter wrote a post titled Powershell package management – NuGet, Chocolatey and Co. He describes what OneGet is and how PowerShell package management (which is now integrated in Windows 10 as well) can be used to install and manage modules and software on our system.

Rick Strahl wrote a post on .NET Standard 2.0 - Making Sense of .NET Again. He covers what .NET Standard 2.0 means to developers and how it fits into the future of .NET and .NET Core.

NPM news

NPM news, curated by MyGetA fresh npm@latest version has landed, 4.0.2 (and a prerelease 4.0.3, adding Node 7 support and a simplified lifecycle for publish events.

Ever wondered what a package manager is made of? Why are lockfiles considered bad practice for libraries but good for apps? Shubheksha Jalan wrote a nice blog post about Javascript Package Managers 101

But what is a dependency? Is it simply code we depend on? Guy Podjarny describes the 5 dimensions of an npm dependency in detail.

What are the bots up to on npm? That was the question Adam Baldwin asked himself after analyzing who else is downloading and running / testing random modules on npm. Interesting finds, for example a package that phones home after being installed.

In 7 npm tricks to knock your wombat socks off, Tierney Coren describes a couple of tips and tricks with the npm command line. For example adding npm completion under bash, or making sure packages you install actually work with the current Node version using "engine-strict".

Elijah Manor and his team started exploring running npm scripts in a git pre-commit hook and run linting before a commit. This technique ensures no invalid JavaScript code can be committed to source control.

If you have any news to share or have other feedback, let us know using the comments below or reach out on Twitter.

Happy packaging!

Learning NuGet Semantic Version Ranges with SemVer Explorer

When authoring NuGet packages, you can declare package dependency versions using Semantic Versioning. NuGet allows specifying dependencies as floating ranges, using interval notation or using fixed version numbers, as explained in the NuGet docs.

MyGet SemVer Explorer allows you to specify a SemVer dependency range, and will check the target package repository for the package versions that match.

NuGet dependency range explorer

Version ranges can be simple (e.g. 6.1.* to match all packages >= 6.1.0) or more complex using interval notation (e.g. (8.0,9.0.1) to match versions that are between 8.0 and 9.0.1. SemVer explorer lets you try these ranges and see which versions of an actual package match. Once satisfied, version ranges can be used in a packages.config or project.json document for use with NuGet or the .NET Core command line.

Can I target MyGet feeds?

Definitely! By default, the tool is configured to query the v3 NuGet.org repository at https://api.nuget.org/v3/index.json. You can simply change the target feed URL to the v3 NuGet feed of a MyGet repository you have access to, and we'll query that one instead.

Can I target private MyGet feeds?

If you have an access token that grants you read-access to the MyGet repository, you can leverage MyGet's support for pre-authenticated feed URLs. Make sure you target the pre-authenticated v3 NuGet endpoint. See our documentation for further guidance.

Have fun exploring the various semantic version constraints NuGet provides! And happy packaging!

MyGet's NuGet and NPM news from the community (October 2016)

Here we are again! Our third installment of MyGet's NuGet and NPM news from the community. Each month, we bring you some interesting blog posts and articles found on the Internet, curated by our MyGet founders Xavier and Maarten. Follow @MyGetTeam on Twitter for more!

NuGet news

NuGet news, curated by MyGetWondering what's happening with .NET Core tooling? Microsoft released a blog post with more background information on Visual Studio '15'. Looks like NuGet package references will become part of the project file.

.NET Core 1.1 Preview 1 was just released. It includes support for additional Linux distributions and has many updates, new middlewares and so on.

What's up with all these target frameworks in NuGet and .NET Core? Immo Landwerth sheds some light on NETStandard, discussing how it will solve the code sharing problem for .NET developers across all platforms.

Jeremy Miller wrote a war story converting a complicated codebase to CoreCLR.

Were you using NuGet.Core in your code? Try the new client libraries instead, with support for v3 feeds. Andrei Marukovich wrote a good introduction on the new client libraries that covers some basic operations.

Still learning NuGet? Erik Dietrich wrote a blog post "How To Put Your Favorite Source Code Goodies on NuGet" where he explains the simple process of taking a piece of code, packaging it up and publishing it out there.

On Emin Atac's blog: Inside the NuGet bootstraping process. He looks into PowerShellGet and how it initializes the NuGet PowerShell module provider and brings the required dependencies to our machine.

Filip W.'s proud of Elon Musk planning to go to Mars. Meanwhile, we get to experience this.

NPM news

NPM news, curated by MyGetA fresh version of npm landed, 3.10.9, mostly containing bug fixes in the shrinkwrap and uninstall commands. A pre-release of 4.0.1 also appeared, with some really nice changes in how search works (now streamign results instead of buffering).

Not ony a fresh npm, also a fresh Node.js! The team just baked version 7.0.0 with an updated V8 engine (5.4) which brings performance and reliability fixes.

Want to know how the folks at npm deploy? They just blogged about it. A git push is all it takes, at least on the surface. Quite a few tools and conventions are used under the hood to make that work smoothly.

Hello, Yarn! - Facebook announced a new JavaScript package manager which is fully compatible with NPM and introduces really good installation and resolution performance. We're keeping a close eye on this one!

A great series of blog posts on using Node.js at Scale - npm Best Practices has started. It is a series covering bigger Node.js installations, fordevelopers who already learned the basics of Node from writing clean code to deploying to monitoring.

Follow the leader! The folks at npmjs.com released some boiler plate code for following, replicating or doing other things based on newly uploaded packages. Pretty cool if you want to drink from the firehose!

If you have any news to share or have other feedback, let us know using the comments below or reach out on Twitter.

Happy packaging!

Checking potential vulnerabilities in project dependencies

Software projects nowadays are based on many third party and open source libraries. It is important to be aware of any potential security vulnerabilities in these components, to ensure our own software project is secure. Thanks to OSSIndex and Vor Security, we now have a vulnerability report ready for your MyGet feed!

While still in preview, every feed now has a Vulnerabilities tab which reports potential vulnerabilities in packages on that feed, whether NuGet, npm or Bower.

vulnerability-report

The vulnerability report provides us with an overview of potential vulnerabilities in our dependencies. We can also see the percentage of packages with potential vulnerabilities versus the percentage of packages with no known vulnerabilities.

Give it a go, we’re looking forward to your feedback on this new feature! Leave your comments below or reach out on Twitter.

Happy packaging!

MyGet's NuGet and NPM news from the community (September 2016)

We tried it last month, and feedback was good. That’s why we have a second edition of our NuGet and NPM community news from the past few weeks. In this post, we bring you some interesting blog posts and articles, curated by our MyGet founders Xavier and Maarten. Follow @MyGetTeam on Twitter for more!

NuGet news

NuGet news, curated by MyGetThe NuGet team released a new documentation site, with new quick-start tutorials and end-to-end scenarios. A nice improvement from the old docs, check it out!

The folks at Cake started a blog series on which services they are using and for what purpose. We're honored that their first post is titled "How does Cake use MyGet?".

Nick Randolph blogged "NetStandard, what is it and why do I care?" - a nice and easy digestible post linking to Oren Novotny's more elaborate Portable- is dead, long live NetStandard.

Cori Drew mentioned searching for "nuget kitten dies puppy". Still using msbuild package restore? That is a great search indeed! If you haven’t done yet, learn about switching to proper NuGet package restore.

Using Azure Automation? Tao Yang wrote a blog post demonstrating how to Script Azure Automation Module Imports Directly from MyGet or PowerShell Gallery, re-using components in automation workflows.

The Dotnet Watch Tool is covered in a blog post by Muhammad Rehan Saeed. He demonstrates using it to shorten the feedback loop while developing, by automatically loading changed source files without having to rebuild the entire project.

David Fowler is experimenting with "channels" (or "zero copy streams"), making the good old Stream object in .NET obsolete. He released a preview feed on MyGet, where you can experiment with Channels. David posted some samples as well.

Sitecore CMS now supports NuGet for distributing Sitecore packages. They wrote an extensive FAQ on how to work with their feeds and how to install packages into your web application. And even nicer: they are hosted on MyGet. Thanks guys!

The new Windows Management Framework (WMF) 5.1 added OneGet support for basic authentication against secured package feeds, as well as proxy support. That's pretty neat, as you can now distribute custom PowerShell modules using private feeds.

NPM news

NPM news, curated by MyGetNpm 2.15.11 and 3.10.8 have been released. The version 2 branch does not seem to have any noteworthy changes apart from some dependency updates. The version 3 branch got some updates to npm shrinkwrap, and some bugfixes.

TypeScript 2.0 was released with new features like additional types, optional parameters, expression operators, ... We quite like the way TypeScript makes JavaScript more type safe, and the language itself is close to the language we use to build MyGet, C#.

Tierney Coren wrote 11 Simple npm Tricks That Will Knock Your Wombat Socks Off. In this post, he demonstrates some of the lesser used but really helpful commands npm offers, like opening a package's GitHub repo in the browser. Or automating _npm init_ with useful defaults. And 9 more of those!

Ashley G. Williams has presented A Brief History, a great presentation on modular design. What goes into a module? How do you decide? Tip: it's not about what goes in modules, it's how we compose them all together.

Interested in Streams and Async / Await in Nodejs? Paul Cowan uses Babel to transpile asynchronous, non-blocking code into JavaScript using the async and await keywords that are transpiled into promises.

“This” is not always “this”. Peleke Sengstacke wrote about how scope works in JavaScript in his Grokking Scope in JavaScript.

Tim Severien wrote a tutorial on using ESLint to monitor code quality and detect common code issues, resulting in higher quality code. A nice, thorough explanation on how to set up ESLint and use it.

Let’s see if we can do this type of post next month as well. If you have any news to share or have other feedback, let us know using the comments below or reach out on Twitter.

Happy packaging!

MyGet 2.2 Release Notes

MyGet 2.2 was released on August 19, 2016.

Highlights

This 2.2 release of MyGet again adds some new functionality to the service. Major highlights of this release are:

Features

MyGet (all plans)

The following applies to all MyGet plans:

MyGet (paid plans)

Obviously all paid plans also get the enhancements made available on the free plan. The following applies to the MyGet Starter and Professional plans:

  • Billing: new profile section providing access to your invoices
  • Billing: ability to configure a different email address for billing

MyGet Enterprise

The enterprise plan has all functionality from the paid subscription plans, and more! The following applies only to the MyGet Enterprise plan:

  • User management: we added support to block user registration so that an invite-only environment can be created
  • User management: we introduced a new Feed Creator role, allowing MyGet Enterprise administrators to delegate feed creation permissions to a non-administrator account

MyGet Build Services

  • Improved build log viewer with warning and error navigation, log level coloring and deep linking support
  • The build log now also recognizes Kiln source control: commit SHA now also has a hyperlink to Kiln source repository
  • Made performance optimizations to the Build Sources page


Bug Fixes & Other Improvements

  • NuGet: Preserve Chocolatey-specific additions to the NuGet package manifest (.nuspec) when pushing packages upstream
  • NuGet: Fixed an issue with NuGet packages that caused Summary metadata not to be populated properly when uploaded through the web site
  • NuGet: Fixed an issue causing failures when proxying Sonatype Nexus feeds on calls to GetUpdates() and Search()
  • Bower: now also detecting bower.json in subdirectories of uploaded bower packages
  • NPM: fixed an issue causing 404 errors when proxying upstream scoped packages
  • Usability: improved ordering of SemVer and non-SemVer package versions in the same feed
  • Usability: no longer allow 0 as value for package retention rules
  • Usability: when filtering package views, the Delete All button should not be visible to reduce potential confusion and avoid accidental deletes
  • Fixed an issue causing pushing to upstream package source to fail downloading the package from source feed on MyGet Enterprise with custom domain
  • Support Github-style code blocks in markdown

We love hearing from you, so keep that feedback coming! MyGet is built for you!

Happy packaging!

Building NuGet and npm using Atlassian Bitbucket Pipelines

Bitbucket Pipelines is a new continuous integration service (still in beta) from Atlassian, built into Bitbucket. Let’s have a look at how we can use Bitbucket pipelines to build, package and publish a .NET Core library to MyGet so we can consume it in our own projects.

How does Bitbucket pipelines work?

To configure a build on Bitbucket, we’ll need a bitbucket_pipelines.yml file which describes the steps to execute as part of the pipeline. Whenever a commit is made to our source repository on Bitbucket, whether git or Mercurial based, a Docker image is started in which our pipeline will be executed.

Here’s a full write-up on how a .NET Core build would work.

How to package and publish a NuGet package to MyGet?

First of all, we’ll need a bitbucket_pipelines.yml file which loads a .NET Core-enabled Docker image. The pipeline itself will have to run package restore, compile the source code, optionally run tests, then package the library and publish it to our MyGet feed.

We have created a sample library at https://bitbucket.org/myget/sample-pipelines-dotnet/, from which the bitbucket_pipelines.yml file can be copied into your own project. A few environment variables need to be configured for the pipeline (see the header of the bitbucket_pipelines.yml file) to make sure it can publish to our MyGet feed.

Once the pipeline completes, we can look at the build output and find the resulting NuGet package on our MyGet feed. The full build output is available as well.

image

How to package and publish an npm package to MyGet?

First of all, we’ll need a bitbucket_pipelines.yml file which loads a Docker image which has node and npm installed. The pipeline itself will have to run npm install, optionally run tests, then package the library and publish it to our MyGet feed.

We have created a sample library at https://bitbucket.org/myget/sample-pipelines-npm/, from which the bitbucket_pipelines.yml file can be copied into your own project. The header of this file lists a few environment variables that have to be configured for the Bitbucket pipeline. When run completes, we can consult the build output:

Publishing npm from BitBucket

Happy packaging!

MyGet's NuGet and NPM news from the community

Many are returning from summer vacation, others have been enjoying the tranquility of summer holiday. Whichever side you’re on, we at MyGet have been watching the NuGet and NPM community news in the past few weeks. In this post, we bring you some interesting blog posts and articles, curated by our MyGet founders Xavier and Maarten. Follow @MyGetTeam on Twitter for more!

NuGet news

NuGet news, curated by MyGetOn the NuGet blog, the NuGet client 3.5 RC has been announced, with support for new target frameworks and lots of performance improvements. Additionally, the NuGet team started working on better documentation, now available as a preview on http://docspreview.nuget.org.

More from the NuGet team: they made some changes to the expiring API keys policy. At MyGet we’ve always made this opt-in, and the NuGet.org gallery will now do the same.

New to NuGet? Rohit Chopra has you covered with his article “NuGet – A Powerful way to share your code”. While focused on NuGet, it’s a nice summary of why you want to use a package manager in your projects. Xiao Ling has a step-by-step post on creating and publishing .NET Core packages.

Building things in Unity? Wondering what NuGet is? Ashley Davis has you covered with his introduction to using Unity and NuGet. The Unity solution templates don’t easily allow working with NuGet, but there are some easy workarounds. A good example is demonstrated, installing JSON.NET into a Unity project.

Have you been consuming NuGet, and just started looking into creating your own NuGet packages to share them with team mates or with the world? Learn about publishing your first .NET Core NuGet package with AppVeyor and MyGet  - Andrew Lock gives a good step-by-step tutorial on what you need in code, and how AppVeyor and MyGet can be used to build and distribute your code.

On a similar topic, Maarten Balliauw has a post on Building NuGet (.NET Core) using Atlassian Bitbucket Pipelines. Pipelines is Atalassian’s continuous integration service that runs on Docker and Linux. And since .NET Core is a first class citizen on that platform, why not use it to build and test NuGet packages?

NPM news

NPM news, curated by MyGetLet’s start on the tooling side. Node has gotten two new releases, 4.5.0 and 6.4.0. Mostly bugfixes, better profiling support and improvements in objects and function contexts for debuggers. On the npm side, there’s now 2.15.10 and 3.10.7, with improvements to how scoped dependencies are handled and several other bugfixes.

Did you know the two millionth package version was just published to npm? If you have as well, congratulations! This is a pretty epic milestone in the Node.js community.

Laurie Voss, COO at npm, has a great talk titled “Abstractions, npm past, present, future”. It covers what is npm and where it came from, where the ecosystem stands today and what the plans are for the future. Highly recommended!

New to node? Have a look at Node Hero’s blog post series! These thirteen articles cover everything from getting started with node and npm, to building a web app, security, monitoring and all other aspects of building a node application.

Npmjs.org added web hook support a while back. Julian Gruber did a proof-of-concept where updated dependencies are automatically deployed in the application. Not the best idea, given that your deployment may break because of an updated dependency, but still quite cool. Package update? Deploy!

Into the Internet of Things? One such thing is the International Space Station! Dave Johnson has a nice post Node.js IoT: Tracking the ISS through the Sky where he uses JavaScript to capture GPS coordinates from the IIS and compares it to your home location to create a real-time tracker.

We’re thinking about doing this type of post each month. Let us know if you’d like that or not, using the comments below or reach out on Twitter.

Happy packaging!

Deprecation notice: SymbolSource integration will end on November 1, 2016

On November 1, 2016, MyGet will end integration with SymbolSource.org, making our built-in symbol server the only option for symbols hosting with MyGet.

When working with NuGet feeds, symbols packages can be pushed so that consumers of the package can step through the source code and integrate with Visual Studio and tools like WinDbg. MyGet has always offered two options for handling symbols packages: using our built-in symbol server or using SymbolSource.org.

With the advent of .NET Core and native debugging on platforms like Linux and Mac OS X, we’re working closely with Microsoft on providing the best symbols-based debugging experience, an experience which we can only guarantee when using our built-in symbol server.

Please update your Visual Studio configuration and/or continuous integration servers by November 1, 2016 to make use of MyGet’s symbol server. Your feed’s “Feed Details” tab provides the correct URL’s for pushing and consuming symbols packages.

Note that the SymbolSource.org URL can still be used for consuming existing symbols packages after November 1, 2016. Account synchronization from MyGet with SymbolSource.org will end. We recommend updating your systems to make use of MyGet's built-in symbol server to ensure continuity of working with symbols packages after November 1, 2016.

Happy packaging!

Keeping feeds clean with retention rules

MyGet Package Retention Rules help clean up your NuGet npm feedMany developer teams use MyGet for storing their continuous integration and/or nightly builds of NuGet, npm, Bower and VSIX packages. As more and more packages get added, it may become harder to manage them all. Some packages may be used in projects, while others are not. Let’s go over the options available for housekeeping.

By default, MyGet keeps all package versions available on our feeds. Every package pushed is there forever, unless manually removed or removed by package retention. By setting retention rules, it is possible to automatically trim the list of packages to X latest packages, keeping into account package usage in projects and package dependency trees.

Configuring retention rules

Retention rules are defined per feed. Some feeds may have more aggressive retention rules defined, other may not have them enabled at all. From the Retention Rules, we can define:

  • the maximum number of stable versions to keep
  • the maximum number of prerelease versions to keep
  • whether to keep depended packages or not – enabling this makes sure package restores always complete successfully by keeping the dependency tree in its entirety
  • whether to allow removal of packages that have downloads – enabling this option ensures that packages that are being used in projects never get deleted

Setting retention rules

Keeping a specific package around

Retention rules are quite brute-force: they will always remove all packages that match the configured rules. Luckily, MyGet lets us “pin” packages which we want to keep around. For example, we may want to only keep the latest 10 pre-release versions while still keeping around the 20th pre-release version we’re still using in our projects.

From the package details page, we can define which package versions should never be considered by retention rules by using the Pin button next to the package.

Pinning packages so they do not get removed

We can pin package per version, or all versions at once using the button at the top of the Package History list. Of course, we can also Unpin packages using the same approach. Once a package is unpinned, retention rules are allowed to remove them.

Custom retention rules using web hooks

Using the built-in retention rules may not be enough. For example, what if we want to run retention rules based on other conditions than the latest version? What if we want to only remove packages when there is a full moon? Using web hooks, we can subscribe to certain feed events (like “package added”) and run our custom logic to optionally remove packages from our feed. We have a complete example available that helps getting started with web hooks.

Learn more about package retention in our documentation.

Happy packaging!