MyGet Blog

Package management made easier!


Checking potential vulnerabilities in project dependencies

Software projects nowadays are based on many third party and open source libraries. It is important to be aware of any potential security vulnerabilities in these components, to ensure our own software project is secure. Thanks to OSSIndex and Vor Security, we now have a vulnerability report ready for your MyGet feed!

While still in preview, every feed now has a Vulnerabilities tab which reports potential vulnerabilities in packages on that feed, whether NuGet, npm or Bower.


The vulnerability report provides us with an overview of potential vulnerabilities in our dependencies. We can also see the percentage of packages with potential vulnerabilities versus the percentage of packages with no known vulnerabilities.

Give it a go, we’re looking forward to your feedback on this new feature! Leave your comments below or reach out on Twitter.

Happy packaging!

MyGet's NuGet and NPM news from the community (September 2016)

We tried it last month, and feedback was good. That’s why we have a second edition of our NuGet and NPM community news from the past few weeks. In this post, we bring you some interesting blog posts and articles, curated by our MyGet founders Xavier and Maarten. Follow @MyGetTeam on Twitter for more!

NuGet news

NuGet news, curated by MyGetThe NuGet team released a new documentation site, with new quick-start tutorials and end-to-end scenarios. A nice improvement from the old docs, check it out!

The folks at Cake started a blog series on which services they are using and for what purpose. We're honored that their first post is titled "How does Cake use MyGet?".

Nick Randolph blogged "NetStandard, what is it and why do I care?" - a nice and easy digestible post linking to Oren Novotny's more elaborate Portable- is dead, long live NetStandard.

Cori Drew mentioned searching for "nuget kitten dies puppy". Still using msbuild package restore? That is a great search indeed! If you haven’t done yet, learn about switching to proper NuGet package restore.

Using Azure Automation? Tao Yang wrote a blog post demonstrating how to Script Azure Automation Module Imports Directly from MyGet or PowerShell Gallery, re-using components in automation workflows.

The Dotnet Watch Tool is covered in a blog post by Muhammad Rehan Saeed. He demonstrates using it to shorten the feedback loop while developing, by automatically loading changed source files without having to rebuild the entire project.

David Fowler is experimenting with "channels" (or "zero copy streams"), making the good old Stream object in .NET obsolete. He released a preview feed on MyGet, where you can experiment with Channels. David posted some samples as well.

Sitecore CMS now supports NuGet for distributing Sitecore packages. They wrote an extensive FAQ on how to work with their feeds and how to install packages into your web application. And even nicer: they are hosted on MyGet. Thanks guys!

The new Windows Management Framework (WMF) 5.1 added OneGet support for basic authentication against secured package feeds, as well as proxy support. That's pretty neat, as you can now distribute custom PowerShell modules using private feeds.

NPM news

NPM news, curated by MyGetNpm 2.15.11 and 3.10.8 have been released. The version 2 branch does not seem to have any noteworthy changes apart from some dependency updates. The version 3 branch got some updates to npm shrinkwrap, and some bugfixes.

TypeScript 2.0 was released with new features like additional types, optional parameters, expression operators, ... We quite like the way TypeScript makes JavaScript more type safe, and the language itself is close to the language we use to build MyGet, C#.

Tierney Coren wrote 11 Simple npm Tricks That Will Knock Your Wombat Socks Off. In this post, he demonstrates some of the lesser used but really helpful commands npm offers, like opening a package's GitHub repo in the browser. Or automating _npm init_ with useful defaults. And 9 more of those!

Ashley G. Williams has presented A Brief History, a great presentation on modular design. What goes into a module? How do you decide? Tip: it's not about what goes in modules, it's how we compose them all together.

Interested in Streams and Async / Await in Nodejs? Paul Cowan uses Babel to transpile asynchronous, non-blocking code into JavaScript using the async and await keywords that are transpiled into promises.

“This” is not always “this”. Peleke Sengstacke wrote about how scope works in JavaScript in his Grokking Scope in JavaScript.

Tim Severien wrote a tutorial on using ESLint to monitor code quality and detect common code issues, resulting in higher quality code. A nice, thorough explanation on how to set up ESLint and use it.

Let’s see if we can do this type of post next month as well. If you have any news to share or have other feedback, let us know using the comments below or reach out on Twitter.

Happy packaging!

MyGet 2.2 Release Notes

MyGet 2.2 was released on August 19, 2016.


This 2.2 release of MyGet again adds some new functionality to the service. Major highlights of this release are:


MyGet (all plans)

The following applies to all MyGet plans:

MyGet (paid plans)

Obviously all paid plans also get the enhancements made available on the free plan. The following applies to the MyGet Starter and Professional plans:

  • Billing: new profile section providing access to your invoices
  • Billing: ability to configure a different email address for billing

MyGet Enterprise

The enterprise plan has all functionality from the paid subscription plans, and more! The following applies only to the MyGet Enterprise plan:

  • User management: we added support to block user registration so that an invite-only environment can be created
  • User management: we introduced a new Feed Creator role, allowing MyGet Enterprise administrators to delegate feed creation permissions to a non-administrator account

MyGet Build Services

  • Improved build log viewer with warning and error navigation, log level coloring and deep linking support
  • The build log now also recognizes Kiln source control: commit SHA now also has a hyperlink to Kiln source repository
  • Made performance optimizations to the Build Sources page

Bug Fixes & Other Improvements

  • NuGet: Preserve Chocolatey-specific additions to the NuGet package manifest (.nuspec) when pushing packages upstream
  • NuGet: Fixed an issue with NuGet packages that caused Summary metadata not to be populated properly when uploaded through the web site
  • NuGet: Fixed an issue causing failures when proxying Sonatype Nexus feeds on calls to GetUpdates() and Search()
  • Bower: now also detecting bower.json in subdirectories of uploaded bower packages
  • NPM: fixed an issue causing 404 errors when proxying upstream scoped packages
  • Usability: improved ordering of SemVer and non-SemVer package versions in the same feed
  • Usability: no longer allow 0 as value for package retention rules
  • Usability: when filtering package views, the Delete All button should not be visible to reduce potential confusion and avoid accidental deletes
  • Fixed an issue causing pushing to upstream package source to fail downloading the package from source feed on MyGet Enterprise with custom domain
  • Support Github-style code blocks in markdown

We love hearing from you, so keep that feedback coming! MyGet is built for you!

Happy packaging!

Building NuGet and npm using Atlassian Bitbucket Pipelines

Bitbucket Pipelines is a new continuous integration service (still in beta) from Atlassian, built into Bitbucket. Let’s have a look at how we can use Bitbucket pipelines to build, package and publish a .NET Core library to MyGet so we can consume it in our own projects.

How does Bitbucket pipelines work?

To configure a build on Bitbucket, we’ll need a bitbucket_pipelines.yml file which describes the steps to execute as part of the pipeline. Whenever a commit is made to our source repository on Bitbucket, whether git or Mercurial based, a Docker image is started in which our pipeline will be executed.

Here’s a full write-up on how a .NET Core build would work.

How to package and publish a NuGet package to MyGet?

First of all, we’ll need a bitbucket_pipelines.yml file which loads a .NET Core-enabled Docker image. The pipeline itself will have to run package restore, compile the source code, optionally run tests, then package the library and publish it to our MyGet feed.

We have created a sample library at, from which the bitbucket_pipelines.yml file can be copied into your own project. A few environment variables need to be configured for the pipeline (see the header of the bitbucket_pipelines.yml file) to make sure it can publish to our MyGet feed.

Once the pipeline completes, we can look at the build output and find the resulting NuGet package on our MyGet feed. The full build output is available as well.


How to package and publish an npm package to MyGet?

First of all, we’ll need a bitbucket_pipelines.yml file which loads a Docker image which has node and npm installed. The pipeline itself will have to run npm install, optionally run tests, then package the library and publish it to our MyGet feed.

We have created a sample library at, from which the bitbucket_pipelines.yml file can be copied into your own project. The header of this file lists a few environment variables that have to be configured for the Bitbucket pipeline. When run completes, we can consult the build output:

Publishing npm from BitBucket

Happy packaging!

MyGet's NuGet and NPM news from the community

Many are returning from summer vacation, others have been enjoying the tranquility of summer holiday. Whichever side you’re on, we at MyGet have been watching the NuGet and NPM community news in the past few weeks. In this post, we bring you some interesting blog posts and articles, curated by our MyGet founders Xavier and Maarten. Follow @MyGetTeam on Twitter for more!

NuGet news

NuGet news, curated by MyGetOn the NuGet blog, the NuGet client 3.5 RC has been announced, with support for new target frameworks and lots of performance improvements. Additionally, the NuGet team started working on better documentation, now available as a preview on

More from the NuGet team: they made some changes to the expiring API keys policy. At MyGet we’ve always made this opt-in, and the gallery will now do the same.

New to NuGet? Rohit Chopra has you covered with his article “NuGet – A Powerful way to share your code”. While focused on NuGet, it’s a nice summary of why you want to use a package manager in your projects. Xiao Ling has a step-by-step post on creating and publishing .NET Core packages.

Building things in Unity? Wondering what NuGet is? Ashley Davis has you covered with his introduction to using Unity and NuGet. The Unity solution templates don’t easily allow working with NuGet, but there are some easy workarounds. A good example is demonstrated, installing JSON.NET into a Unity project.

Have you been consuming NuGet, and just started looking into creating your own NuGet packages to share them with team mates or with the world? Learn about publishing your first .NET Core NuGet package with AppVeyor and MyGet  - Andrew Lock gives a good step-by-step tutorial on what you need in code, and how AppVeyor and MyGet can be used to build and distribute your code.

On a similar topic, Maarten Balliauw has a post on Building NuGet (.NET Core) using Atlassian Bitbucket Pipelines. Pipelines is Atalassian’s continuous integration service that runs on Docker and Linux. And since .NET Core is a first class citizen on that platform, why not use it to build and test NuGet packages?

NPM news

NPM news, curated by MyGetLet’s start on the tooling side. Node has gotten two new releases, 4.5.0 and 6.4.0. Mostly bugfixes, better profiling support and improvements in objects and function contexts for debuggers. On the npm side, there’s now 2.15.10 and 3.10.7, with improvements to how scoped dependencies are handled and several other bugfixes.

Did you know the two millionth package version was just published to npm? If you have as well, congratulations! This is a pretty epic milestone in the Node.js community.

Laurie Voss, COO at npm, has a great talk titled “Abstractions, npm past, present, future”. It covers what is npm and where it came from, where the ecosystem stands today and what the plans are for the future. Highly recommended!

New to node? Have a look at Node Hero’s blog post series! These thirteen articles cover everything from getting started with node and npm, to building a web app, security, monitoring and all other aspects of building a node application. added web hook support a while back. Julian Gruber did a proof-of-concept where updated dependencies are automatically deployed in the application. Not the best idea, given that your deployment may break because of an updated dependency, but still quite cool. Package update? Deploy!

Into the Internet of Things? One such thing is the International Space Station! Dave Johnson has a nice post Node.js IoT: Tracking the ISS through the Sky where he uses JavaScript to capture GPS coordinates from the IIS and compares it to your home location to create a real-time tracker.

We’re thinking about doing this type of post each month. Let us know if you’d like that or not, using the comments below or reach out on Twitter.

Happy packaging!

Deprecation notice: SymbolSource integration will end on November 1, 2016

On November 1, 2016, MyGet will end integration with, making our built-in symbol server the only option for symbols hosting with MyGet.

When working with NuGet feeds, symbols packages can be pushed so that consumers of the package can step through the source code and integrate with Visual Studio and tools like WinDbg. MyGet has always offered two options for handling symbols packages: using our built-in symbol server or using

With the advent of .NET Core and native debugging on platforms like Linux and Mac OS X, we’re working closely with Microsoft on providing the best symbols-based debugging experience, an experience which we can only guarantee when using our built-in symbol server.

Please update your Visual Studio configuration and/or continuous integration servers by November 1, 2016 to make use of MyGet’s symbol server. Your feed’s “Feed Details” tab provides the correct URL’s for pushing and consuming symbols packages.

Note that the URL can still be used for consuming existing symbols packages after November 1, 2016. Account synchronization from MyGet with will end. We recommend updating your systems to make use of MyGet's built-in symbol server to ensure continuity of working with symbols packages after November 1, 2016.

Happy packaging!

Keeping feeds clean with retention rules

MyGet Package Retention Rules help clean up your NuGet npm feedMany developer teams use MyGet for storing their continuous integration and/or nightly builds of NuGet, npm, Bower and VSIX packages. As more and more packages get added, it may become harder to manage them all. Some packages may be used in projects, while others are not. Let’s go over the options available for housekeeping.

By default, MyGet keeps all package versions available on our feeds. Every package pushed is there forever, unless manually removed or removed by package retention. By setting retention rules, it is possible to automatically trim the list of packages to X latest packages, keeping into account package usage in projects and package dependency trees.

Configuring retention rules

Retention rules are defined per feed. Some feeds may have more aggressive retention rules defined, other may not have them enabled at all. From the Retention Rules, we can define:

  • the maximum number of stable versions to keep
  • the maximum number of prerelease versions to keep
  • whether to keep depended packages or not – enabling this makes sure package restores always complete successfully by keeping the dependency tree in its entirety
  • whether to allow removal of packages that have downloads – enabling this option ensures that packages that are being used in projects never get deleted

Setting retention rules

Keeping a specific package around

Retention rules are quite brute-force: they will always remove all packages that match the configured rules. Luckily, MyGet lets us “pin” packages which we want to keep around. For example, we may want to only keep the latest 10 pre-release versions while still keeping around the 20th pre-release version we’re still using in our projects.

From the package details page, we can define which package versions should never be considered by retention rules by using the Pin button next to the package.

Pinning packages so they do not get removed

We can pin package per version, or all versions at once using the button at the top of the Package History list. Of course, we can also Unpin packages using the same approach. Once a package is unpinned, retention rules are allowed to remove them.

Custom retention rules using web hooks

Using the built-in retention rules may not be enough. For example, what if we want to run retention rules based on other conditions than the latest version? What if we want to only remove packages when there is a full moon? Using web hooks, we can subscribe to certain feed events (like “package added”) and run our custom logic to optionally remove packages from our feed. We have a complete example available that helps getting started with web hooks.

Learn more about package retention in our documentation.

Happy packaging!

Improved build log viewer with error navigation

We have just deployed a newer version of our build log viewer. When using MyGet’s build services to compile and package NuGet, npm or VSIX packages, the build log viewer now has colored output as well as line numbers that have hyperlinks. Want to share a certain line in the build log with a colleague? Click the line number and send the link so they can open the build log right where you left.

By making less important build output less prominent and by highlighting more important messages, reading and analyzing the build log becomes much easier: less important messages have a gray color tone, normal messages are white. Warnings and errors are highlighted in yellow and red, making them much easier to spot.

Build log with colored output

When warnings or errors are found in a build log, MyGet now shows additional navigation buttons at the top. Next to the number of warnings or errors, the up and down arrows can be clicked to jump to the next important message in your build log.

Warning and error navigation

We’re looking forward to hearing your thoughts on this improvement. Let us know through the comments below or drop us a note via e-mail or Twitter.

Happy packaging!

MyGet by the numbers

As it is a slower time of year and many people are taking some vacation, we decided it would be a nice time to collect some numbers around MyGet. Of course we can’t share all of our statistics, but it’s always fun to look at them. MyGet has a shared tenant,, hosting and serving NuGet, npm, Bower and VSIX packages. And debugger symbols, of course. This shared tenant will be the focus of this post. Our MyGet Enterprise plans, which run on their own dedicated tenant infrastructure, are not included in these statistics.

Number of machines

Our web application is hosted on Microsoft Azure across three different regions. The shared tenant has its primary location in the West Europe region, and a secondary in US East. Both locations run 3 front-end web server machines and 2 back-end machines for handling anything that doesn’t have to happen real-time. These machines are all general purpose “A3” machines. We have a tertiary deployment in US West for some Enterprise customers, where a similar deployment lives.

Since we use auto-scaling based on time of day, we don’t have the same amount of machines throughout the day. On average, we run 10 machines for our front-end.

Another deployment lives in a private datacenter and hosts part of our build services. We also run our CI systems in this private datacenter. Azure is great, but also super expensive for some workloads. Hosting this workload ourselves reduces the operational cost for build services with a factor 6. This infrastructure is all SSD based, and we’re getting loads more horsepower out of the VM’s running here. To give an example: the Visual Studio 2015 Update 3 install ran for 4 hours on our Azure build agents, the private VM’s did the update in half an hour.

Number of packages and downloads

Our shared tenant currently hosts over 1 million unique packages. These packages have been downloaded 17,305,790,397 times so far. Yes, that’s over 17 billion. We handle roughly 400 million downloads each month. Some of our Enterprise customers are pushing similar numbers on their instances.

If we look at package types, roughly 50% of packages are NuGet and symbols packages, including Chocolatey and Octopus Deploy. 30% of packages are npm, with Bower and VSIX following at around 10% each.

Storage, traffic and bandwidth

Right now, our shared MyGet tenant consumes 3.2 TB of storage for just packages and metadata, including backups in secondary Azure regions.

Each month, users of push 2.4 TB of data into our system. Many feeds contain CI packages and retain only the latest 100 nightly builds. Other feeds contain 100 MB of Octopus Deploy artifacts, being updated daily. On the consumption side, we have 8 TB of traffic being consumed each month, spread across our Azure bill and the Switzerland-based KeyCDN.

We used to run off the Azure CDN, but found that KeyCDN has been more reliable at half the price. We still have the Azure CDN configured so we can fail-over in case it’s needed. So far, this hasn’t been required. Swiss efficiency #ftw!


When we first introduced build services, we envisioned making building NuGet (and later npm) packages as easy as possible. We have a number of open source projects running their builds on MyGet, as well as a number of companies enjoying the convention-based builds.

MyGet Build Services has produced over 65,000 successful builds (producing packages) so far. On average, these builds take 2 minutes to complete, with some people maxing out the 30 minute build time we allow.

Support requests

Ask any MyGet user and they will confirm we offer an excellent and speedy support. We typically manage to respond within the hour, unless we’re asleep. Which happens for a good 7 hours each day when night falls over the CET time zone. Our fastest response  so far providing a solution to the customer was 38 seconds.

We handle a good 45 support cases each day. Some of those are simple: we can often respond with a link to documentation. Others are more complicated and challenging. And if we can, we submit a PR to your project to resolve any code or configuration issues.

The busiest day of the week? Thursday. By far. It seems that is the day where everybody realizes the week is over halfway and things must be shipped. Unexpected to us, holidays are also quite busy. It seems many developers sneak in a few hours of coding time on those days and often want us to be part of that.

If we look at technologies, 80% of questions or client configuration problems are related to NuGet. 9% of requests are related to npm. And less than 1% for Bower and VSIX. What with the other 10%? These are typically orientation questions to see if MyGet is a good fit, or if MyGet fits in the customer’s architecture or development practice.

When we started this adventure, we never thought these numbers would become true. Thanks for making this happen and being a big part of this!

Happy packaging!

Setting an expiration time for your MyGet access tokens

From a security perspective, it is always good to have secrets that are only valid for a given amount of time. This ensures that these secrets have to be rolled over more often, resulting in a better overall security policy. Today, MyGet introduces expiring access tokens and API keys to accommodate this workflow.

From your profile page, you can manage your access tokens. The list of access tokens will always contain a primary key, and additional access tokens can be created.

Manage MyGet API keys

When creating (or editing) an access token, we can set a description to identify where the access token is being used. We can now also (optionally) set an expiration time after which the token can no longer be used. This can be done for additional tokens, as well as for the primary access token.

Create MyGet access key for accessing NuGet server

This change is live on all MyGet plans, so go ahead and set the expiration time for your access tokens!

Happy packaging!