MyGet Blog

Package management made easier!

NAVIGATION - SEARCH

Setting an expiration time for your MyGet access tokens

From a security perspective, it is always good to have secrets that are only valid for a given amount of time. This ensures that these secrets have to be rolled over more often, resulting in a better overall security policy. Today, MyGet introduces expiring access tokens and API keys to accommodate this workflow.

From your profile page, you can manage your access tokens. The list of access tokens will always contain a primary key, and additional access tokens can be created.

Manage MyGet API keys

When creating (or editing) an access token, we can set a description to identify where the access token is being used. We can now also (optionally) set an expiration time after which the token can no longer be used. This can be done for additional tokens, as well as for the primary access token.

Create MyGet access key for accessing NuGet server

This change is live on all MyGet plans, so go ahead and set the expiration time for your access tokens!

Happy packaging!

Using build services to create Chocolatey packages

Chocolatey is a Machine Package Manager, somewhat like apt-get, built with Windows in mind. It lets us install software onto our machine, supports updates and dependencies, much like NuGet or npm do. MyGet has always supported feeds containing Chocolatey packages, making it easy to distribute software packages across teams or with customers. In this post, we’ll show you a trick on how to build Chocolatey packages using MyGet build services. It’s the least we can do as a Belgian company – our country is known for chocolates after all…

MyGet Build Services has a convention-type build approach that will create NuGet, npm and VSIX packages whenever required files or project types are available. By adding a build.cmd or build.ps1 file, this convention can be overridden – just the thing we want to do to create Chocolatey packages.

Using a little bit of PowerShell, we can call into Chocolatey’s choco.exe which handles packaging and verification. The following can be copy/pasted in a build.ps1 file in the root of a GitHub, BitBucket or VSTS repository:

Write-Host "Building Chocolatey packages..." $nuspecs = Get-ChildItem -Path $PSScriptRoot -Filter *.nuspec -Recurse foreach ($nuspec in $nuspecs) { choco pack $nuspec.FullName } $artifactsFolder = "./artifacts" Remove-Item -Path $artifactsFolder -Force -Recurse -ErrorAction SilentlyContinue New-Item $artifactsFolder -Force -Type Directory | Out-Null Move-Item *.nupkg $artifactsFolder Write-Host "Finished building Chocolatey packages."

Once a build is triggered on MyGet, this script will execute and create (and upload) Chocolatey packages to our MyGet feed, which we can then install on our system.

Happy packaging!

Using service messages to explicitly add a package to MyGet

MyGet build services is a convention-based build system that converts source code into NuGet, Npm and Vsix packages. It will compile code, run tests and collect the packages that were created and add them to your MyGet feed. Sometimes, for example when using custom build scripts or using gulp or grunt to run the build, we can’t always detect which packages were created. To add these packages to your feed, you can use service messages.

By writing a service message (a specially formatted string) to the build output, you can influence part of the build process. For example fail the build, update the version number, setting environment variables and so on. We recently added the publishPackage service message, which lets you specify additional packages to add to your feed when the build succeeds. The following example pushes the mypackage.zip to your feed as a Bower package:

##myget[publishPackage path='mypackage.zip' type='bower']

Check our documentation for additional options and remarks and give it a try. We’d love to hear your thoughts!

Happy packaging!

MyGet 2.1 Release Notes

MyGet 2.1 was released on February 12, 2016.

Highlights

This 2.1 release of MyGet again adds some new functionality to the service. Major highlights of this release are:

This means, from now on, you can now also use MyGet to host your symbols, publicly or secured.

MyGet 2.1 Highlights

Features

MyGet (all plans)

The following applies to all MyGet plans:

MyGet (paid plans)

Obviously all paid plans also get the enhancements made available on the free plan. The following applies to the MyGet Starter and Professional plans:

  • Security: Feed privilege claim tokens now expire after 15 days when unused
  • Billing: we now allow for yearly billing to reduce the administrative overhead of billing cycles

MyGet Enterprise

The enterprise plan has all functionality from the paid subscription plans, and more! The following applies only to the MyGet Enterprise plan:

  • Support for restricting feed creation to administrators only

MyGet Build Services

  • Support for explicitly publishing artifacts using service messages
  • Support for BitBucket API v2.0 and switch to OAuth 2.0
  • Support for xUnit v2.0
  • Support GitLab POST hooks
  • Performance improvements in build hook payload parsers
  • Web Hooks: new Build Queued web hook
  • New option: toggle access to build log for feed consumers

Bug Fixes

  • Various performance improvements in the web site
  • Bower: license analysis now also checks Bower package licenses
  • Usernames on feed security page now link to the user profile page
  • npm: proxy dist-tags from upstream when available
  • Fixed a bug where in some cases uploading a ZIP file Bower package threw an exception
  • Fixed a bug where in some cases pushing an npm package upstream to npmjs.com failed
  • Fixed a bug where editing a package source was not possible when the package source is unavailable

We love hearing from you, so keep that feedback coming! MyGet is built for you!

Happy packaging!

Two of my packages are treated as one. Help!

Every once in a while, our support gets a question that is similar to the following:

When requesting the package details for some versions of the NuGet packages in our feed it seems like the service encounters an error preparing the ATOM document, also resulting in NuGet failing to download the package.

Here's an example URL: https://www.myget.org/F/chucknorris/api/v2/Packages(Id='MyPackage',Version='1.2.20160209.1-master')

Is something wrong with MyGet? Definitely not! Let’s look at the packages for this feed:

  • MyPackage 1.2.20160209.1-master
  • MyPackage 1.2.20160209.1-dev

Can you spot the error? It’s very subtle, so let us help here. The version number has three dots (“.”) in it, which means it should be treated as a major.minor.patch.build type of version number, which is numeric. MyGet takes the hint and will strip off the –master and –dev in the above versions, treating both packages as one.

Clearly, the intention here was to use Semantic Versioning (SemVer): the –master and –dev suffixes to the version number were intended to provide a label in the version number. But semantic versioning is in the form of major.minor.patch-label, which means one dot less in the version number should be used. So in this case, the packages should be re-versioned and re-uploaded with the correct version number.

Don’t you guys have validation for this? is one of the questions we’d expect. We do, but it’s opt-in because many of our users start out with non-SemVer packages on their feeds and we don’t want to block those from being uploaded either. From a feed’s Package Settings tab, enable the Forbid packages which are non-compliant with Semantic Version? option.

Forbid packages which are non-compliant with Semantic Version?

This will prevent malformed semantic versions from being uploaded to your feed and prevent the above error from ever happening to you.

Happy packaging!

Dropbox as a package source for NuGet, npm, Bower and VSIX packages

Wouldn’t it be awesome if creating a NuGet, npm, Bower or VSIX feed was as easy as just copying packages into a Dropbox folder? Awesomeness is here: we’ve added Dropbox as a package source type to MyGet. This allows us to link a Dropbox folder to a MyGet feed and automatically upload packages so they can be consumed with the popular package managers out there.

Synchronizing NuGet packages with Dropbox

The Dropbox package source makes it easy to move packages into MyGet. For example, migrating from a network share to MyGet is as easy as copy-paste. Have a build server that drops artifacts into a Dropbox folder? MyGet will add the synchronized artifacts to your feed. Right now we download packages from Dropbox on a schedule (every 15 minutes).

Give it a try and let us know how it goes – feedback is welcome through the comments below or via the MyGetTeam Twitter account.

Happy packaging!

Adding another MyGet feed as a package source - Feed presets

Many people are using multiple MyGet feeds in their development flow, and have good reasons to do so. Some are pushing packages from one feed to another as they promote them through quality gates. Others are proxying upstream feeds or filtering packages downstream.

MyGet supports many types of package sources, and as flexibility is great, configuration can be a little tedious or even error prone.
Why would we ask our users to provide us with their MyGet feed url if we know what feeds the user collaborates on? We realized we could do better. In addition to the already rich list of presets, we have added a convenient button that lists your MyGet feeds.



It works the same way as the presets, and will populate your package source name and URL. This convenience helps avoid wasting time configuring your package management workflow and ensures the upstream feed is configured correctly.

Happy packaging!

PS: At MyGet, reducing friction is a feature. One that we consider most important! After all, that's how we have been able to deliver a smooth package management experience, serving over 16 billion package downloads over the past few years. Have a feature request or an enhancement you'd like to see? Please reach out to us!

Improved support for localized satellite NuGet packages

At MyGet, we live and breath a culture of componentization, and we are very happy to see package authors adopting and sharing these practices within their organizations. One of these practices is the usage of NuGet's localized NuGet packages feature. The adoption of localized satellite packages is a good indicator of package author maturity. Using a better practice should be rewarding and free of friction. One of our Dear Users provided us with great feedback on how he leveraged MyGet to release localized packages by pushing them upstream. However, some unnecessary friction was involved, which had to be removed.

Localized NuGet Packages

As a NuGet package author, you can provide a localized experience for your libraries. The NuGet client has supported the creation of localized satellite packages since version 1.8.

For those unfamiliar with the concept, here's a basic package graph demonstrating the idea:

My.Framework.1.0.0-alpha0001.nupkg

  • Meta package, installing My.Framework and all localized satellite packages
  • Depends on: all satellite packages (My.Framework.Core.nl, My.Framework.Core.fr, My.Framework.Core.el, ...)
My.Framework.Core.1.0.0-alpha0001.nupkg
  • Package containing an actual framework library (e.g. in lib/net45/My.Framework.Core.dll)
  • No dependencies for the sake of the demo (your libraries most likely have dependencies :))
My.Framework.Core.nl.1.0.0-alpha0001.nupkg
My.Framework.Core.fr.1.0.0-alpha0001.nupkg
My.Framework.Core.el.1.0.0-alpha0001.nupkg
  • 3 localized satellite packages for the My.Framework.Core package
  • Depends on the actual framework package being localized: My.Framework.Core.1.0.0-alpha0001.nupkg
  • Only contains localization resources (e.g. lib/net45/nl/My.Framework.Core.resources.dll, lib/net45/nl/My.Framework.Core.xml)
Or visualized in a graph, here's the dependency tree:


To facilitate discovery of these satellite packages, we added a convenient Localization tab on the package details page if localized satellite packages are detected.


Releasing localized NuGet packages

Ideally, releasing a package that has localized satellite packages from MyGet to another feed, should be a click of a button away, publishing the entire package-set at once. Optionally, one might also want to adjust the prerelease tag and release notes of this package set, either per package individually, or for all at once.

The Push Upstream feature (also check our docs) has been upgraded to now also detect package dependencies and localized satellite packages!

This means that, as in the above sample scenario, you can now publish the entire localized package-set in one go by pushing the My.Framework meta package upstream.


In addition, you can also edit (or simply remove!) the prerelease tag and/or release notes for each package individually, or for all of them at once!

Simply click the edit button  next to one of the packages, modify the fields, and click the water-drop icon  to apply the changes to all other packages in the dialog.


Of course, you can still exclude individual packages from this list if you want to by clicking the  button next to the respective package.

We love this kind of feedback and hope you find this change useful, so keep the feedback coming!

Happy Packaging!

Introducing debugging, source code and symbols for NuGet packages

Shortly after we launched MyGet, we teamed up with SymbolSource.org to provide support for .NET debugger symbols. Today, we’re happy to announce a second option: integrated MyGet symbols support! MyGet symbols support lets consumers of our NuGet packages step through the source code and integrate with Visual Studio and tools like WinDbg. Additionally, symbols and sources can be consumed from within MyGet as well.

Head over to our docs and learn how to get started with MyGet symbols support!

image

How do I get started?

Documentation is available that will help you get started with MyGet symbols very quickly. Symbols in .NET can be tricky sometimes, so if things don’t work out as expected we’ve also compiled a list of PDB troubleshooting tips.

To make things easy, the endpoint for pushing symbols packages is the same as that for your regular NuGet packages: https://www.myget.org/F/<feedname>/api/v2/package. MyGet will determine the type of package and act accordingly. This makes pushing symbols packages from your build server, like TeamCity or Visual Studio Team Services similar to pushing regular NuGet packages.

Where do my symbols packages go when I use MyGet Build Services?

For new feeds, symbols packages are pushed to your MyGet feed by default. For existing feeds, symbols will be uploaded to SymbolSource (if this was enabled). From the build configuration, you can select where to push symbols packages.

What happens to the SymbolSource integration?

SymbolSource integration is still available. Our customers asked very loudly for integrated symbols support, so we’re delivering on that. We are still providing the option to use SymbolSource with your MyGet feeds. In fact, they have some great new features planned as well!

Head over to our docs and learn how to get started with MyGet symbols support!

Happy packaging! (and efficient debugging, of course)

Package details showing GitHub project README

We’re happy to introduce a few user interface enhancements which have been available for all users of npm private feeds on MyGet. We’ve now rolled these out to the package details page for NuGet, npm, Bower and Vsix packages. These pages now display all “at-a-glance” information on the right. Package owners, authors, license information and downloads can be seen from here.

The wider part of the package details page now displays the README.md contents retrieved from GitHub. That is, if the GitHub repository is accessible for us. This makes it easier for consumers of your feed to see installation instructions, links to documentation and so on from the package details page.

MyGet showing GitHub readme contents on package details page

We're looking forward to hearing your feedback through the comments below. Or tweet us via @MyGetTeam.

Happy packaging!