MyGet Blog

Package management made easier!

NAVIGATION - SEARCH

MyGet's NuGet and NPM news from the community (March 2017)

Here's a fresh episode of MyGet's NuGet and NPM news from the community! Like each month, we'll look at some interesting blog posts and articles found on the Internet, curated by our MyGet founders Xavier and Maarten. Follow @MyGetTeam on Twitter for more!

NuGet news

Let's start with the big one: Visual Studio 2017 has been released. A new IDE with a revamped project system (bye project.json), .NET Core tooling and more. Oh, and a fresh NuGet.exe 4.0.

Sean Feldman shares a great blog post about leveraging MyGet web hooks and Azure Functions for sending out notifications.

In VSIX Continuous Delivery using Cake, AppVeyor and MyGet (do make sure to read the entire series), Alistair Chapman covers setting up a CI/CD pipeline using best-of-breed tools.

Steve Desmond released a new tool called LibYear. It is an addon to dotnet.exe  and scans a project for outdated package references. It also features an update  command to update all referenced dependencies in one go.

NuGet Package Explorer is now a Windows Store application.

Just like ReSharper has been doing since forever, Visual Studio 2017 now suggests installing NuGet packages for missing types.

The .NET Core folks started an announcement repository to which you can subscribe to be notified of announcements and changes in .NET Core.

Matt Warren wrote a post with pointers to the .NET Core internals source code. Great list of resources if you want to dive deep into the new .NET.

Ivan Gavryliuk posted NuGet Versioning Hell. Not a rant, but a post on the importance of proper versioning.

NPM news

In the 4.3 branch, NPM released v4.3.3. A fresh NPM version v4.4.1 has landed! Nothing special though, just making sure all NodeJS versions are supported. There is also v4.4.2, bringing along a number of bugfixes. And v4.4.3. And v4.4.4. Or maybe just install the latest v4.5.0.

NPM has an RFC open related to file type dependency specifiers. It makes depending on files inside of our package.json 's dependencies easier. It can point to a package on disk, either compressed or extracted.

Nihar Sawant wrote a post on developing an interactive command line application using Node.He uses the commander  package to build a sample application, which is pretty nifty and handles the async and promises nature of Node in an easy to read manner.

Happy packaging!

Visual Studio 2017 and .NET Core support on MyGet

With MyGet build services, we can link a GitHub or BitBucket repository to MyGet and create packages automatically. Today, we're happy to release support for the new project format that was introduced with Visual Studio 2017 last week. With this support also came the latest SDK's, F# 4.1 support, a new NPM version and many more enhancements to our build services.

Building .NET Core NuGet pacages

Ever since the first release of "project K", we have supported building what became .NET Core projects. Some scripting was required to build a NuGet package from a project.json file though. With the introduction of Visual Studio 2017 and NuGet 4.0, building NuGet packages for .NET Core projects has become very easy.

NuGet has become a part of the MSBuild pipeline, which means just building a project with the correct flags enabled will result in a NuGet package being created. Let's see how

From any .NET Core project (in the new .csproj format)'s settings, we can navigate to the Package tab and enable Generate NuGet package on build. That's... it! We can add some package metadata, publish our source code to GitHub, and have MyGet build it for us.


By default, no debugger symbols package will be generated that can help consumers of our NuGet package to step into our source code. It's simple enough to enable this feature though. From the solution explorer, use the Edit ProjectName.csproj context menu and add two MSBuild properties: IncludeSymbols and IncludeSource.

<Project SDK="Microsoft.NET.Sdk">

  <PropertyGroup>
<TargetFramework>netcoreapp1.0</TargetFramework>
<Authors>Maarten Balliauw</Authors>
<Company>MyGet</Company>
<Description>Hello World for .NET Core.</Description> <Copyright>Maarten Balliauw</Copyright> <PackageTags>hello world core</PackageTags>
<GeneratePackageOnBuild>True</GeneratePackageOnBuild>
<IncludeSymbols>True</IncludeSymbols>
<IncludeSource>True</IncludeSource>

</PropertyGroup> </Project
>

Commit, push, and let MyGet handle the build and serve up debugger symbols.

Happy packaging! (and building)

MyGet webhook for Microsoft Teams / Office 365 Groups

It's been possible for a while to let MyGet notify external services through webhooks whenever an event happens on our feeds, such as a package added/deleted. Today, we've added support for Microsoft Teams / Office 365 Groups. We can use it to have MyGet post events to a Microsoft Teams room or Office 365 group - increasing visibility of changes on the MyGet feed with members of our team.

How to configure?

To configure a MyGet webhook for Microsoft Teams / Office 365 Groups, head over to the team (or group) and configure a new Incoming Webhook connector. The name can be anything we want, and the icon, too. A nice square MyGet logo is available from our media repository. Once we save the webhook, we can copy its URL - we'll need this one on the MyGet side of things!


In MyGet, we can add a new Microsoft Teams webhook under the feed's Web hooks tab. All we need to do here is paste the URL we just copied from the Microsoft Teams / Office 365 side, pick the events we're interested in, and click Add.


From now on, when one of the selected events happen in MyGet, we will get notified of this.


Happy packaging!

Maven packages just arrived on MyGet

Let's go straight to the meat: we just shipped Maven support! If you're packaging .jar and .war (or Android .aar) and have a pom.xml to go with them, you can now add these to your MyGet feeds (or should we start calling them repositories).

Maven support is enabled on all MyGet accounts - starting today, you access to the Maven features described in our documentation.

Which features are available?

We currently support almost all features we have available for other package managers: uploading your own packages (via the web UI as well as via mvn or Gradle) and adding packages from upstream repositories like Maven Central. Packages can then be consumed in IntelliJ IDEA or Eclipse, using Maven or Gradle. It's possible to proxy upstream repositories into your MyGet feed. You can manage permissions and users, inspect package licenses and vulnerabilities, ...

A Maven repository on MyGet can also be used as a staging area: packages and snapshots can be published on MyGet, and once they are stable, pushed upstream to another repository out there - similar to what is possible for NuGet and NPM.

We're looking into supporting build services as well (theoretically you can already create a build.bat and invoke `mvn deploy` from it), but we'd love your feedback on what the perfect convention-based build for Maven/Gradle would look like.

Awesome! How do I get started?

Quite easy: head over to www.myget.org, sign in (or register) and create a feed. Our getting started documentation has some more details on how to upload your first Maven package to MyGet.

We're really excited about introducing Maven support on MyGet! You can now use MyGet to securely host and collaborate on NuGet, symbols and sources, Chocolatey, PowerShell, NPM, Bower, Maven and VSIX packages.

Happy packaging!

MyGet's NuGet and NPM news from the community (January 2017)

Happy 2017! We hope you had some good holidays and are now enjoying the world of NuGet and NPM again. In this episode of MyGet's NuGet and NPM news from the community, we will look at some interesting blog posts and articles found on the Internet, curated by our MyGet founders Xavier and Maarten. Follow @MyGetTeam on Twitter for more!

NuGet news

NuGet news, curated by MyGetThe NuGet team did another update of their documentation. They have now merged with docs.microsoft.com. Makes sense, with NuGet being such a big part of .NET development.

Support for Windows XP in NuGet is ending on April 8, 2017.

In NuGet, Dependency Management & a single point of package truth, Bobby Johnson published an interesting technique of consolidating all packages folders into one location, making NuGet consume less disk space and avoiding assembly reference conflicts where possible.

Oren Novotny is Multi-targeting the world: a single project to rule them all. His post talks about how you can now use a single project to build platform-specific libraries for all project types with Visual Studio 2017.

Jereme Evans walks us through How to create a NuGet package, set up CI, and other fancy things. The post describes how to create a project with source code on GitHub, using continuous integration on MyGet, publishing to NuGet.org.

Dropcraft is a new NuGet-based app deployment and composition framework. In short, it allows running a simple command, download and extract a NuGet package. The downloaded package can be an app, or a plugin to an app, and composed at runtime.

Steve Smith shares how to re-install packages - useful to help VS in fixing any NuGet references that may be broken.

The new .NET Core tools will be based on Visual Studio project files, so time to change back from project.json to *.csproj. Nate McMaster blogs on how to migrate project.json to csproj and provides snippets on how to do things like multi-targetting, setting metadata, ...

NPM news

NPM news, curated by MyGetNode v6.9.3 (LTS) was released, a well as a brand new v7.4.0.

And a fresh npm@4.1.2 landed as well, with package.json symlink support, updated dependencies, and some additional test coverage.

Brett Nelson continues his blog post series on NPM scripts. In Getting Started with NPM Scripts - Delete Things!, he demonstrates adding custom npm commands (scripts) to perform cleanup steps which many people would use Grunt/Gulp/... for. The scripts approach seems much cleaner and straightforward!

In A way to manage nodejs and npm on windows, Dominique St-Amand explains how to update npm on Windows to the latest version in an easy way. Much better than the horror it is to run npm update -g npm!

Happy packaging!

Configure which feed a token can push packages to - introducing feed-scoped access tokens

Many development teams are making use of a continuous integration server like TeamCity, Jenkins or VSTS to build their projects and push generated NuGet, npm, Bower and VSIX packages to their MyGet feed. When having multiple feeds, it is a good practice to limit the feeds this access token/API key can push packages to, ensuring the surface area of the specific access token is limited to just the feeds the access token requires access to.

In short, scoped access tokens:

  • Are a good security best-practice: use minimum required permissions for a specific operation
  • Avoid services/users accidentally pushing packages by using read-only tokens where possible
  • Allow pushing packages without the ability to get access to other packages on the feed (write-only)

New access tokens and existing access tokens can be scoped in terms of what they can do. We now let you to create read-only or write-only access tokens, optionally limiting write access to just one specific feed.

Create new access token scoped to a given feed

Next to scopes, the access token expiration date and time can also be specified, making it possible to create a time-limited access token that has to be recreated to continue having access to the feed.

Happy packaging!

MyGet's NuGet and NPM news from the community (December 2016)

We've just passed Christmas (Merry Christmas!) and are heading for the new year... Not a lot of people are working, yet we have our fifth installment of MyGet's NuGet and NPM news from the community. Let's look at some interesting blog posts and articles found on the Internet, curated by our MyGet founders Xavier and Maarten. Follow @MyGetTeam on Twitter for more!

NuGet news

NuGet news, curated by MyGetNever hurts to do a little self-promotion. We joined the On .NET podcast to have a chat about MyGet and NuGet in general.

More on .NET Standard by Jonathan Mezach - Sharing code across .NET platforms with .NET Standard. Jonathan provides some good insight in the why and how of the .NET Standard.

Not a bad thing: in the Multiple Versions of .NET Core Runtimes and SDK Tools SxS Survival Guide, Nicolò Carandini expands on the .NET Core runtimes and differences between Long Time Support and bleeding edge versions and how to run them side by side.

Fernando Arias Marques blogged about Dynamically adding a MyGet feed to your VSTS build process, introducing a nice, dynamic and secure way of consuming MyGet feeds and pushing packages to MyGet from VSTS.

NPM news

NPM news, curated by MyGetA fresh npm release! 4.0.5 has been published, mainly bringing bugfixes and dependency updates. There's also a prerelease of 4.1.0, which includes the new npm doctor command which help in diagnosing common issues.

Meanwhile, the npm folks are reaching out for feedback on a bunch of RFC's for npm@5. There are proposals to make npm faster, improve shrinkwrap. Keep an eye on the RFC's an weigh in if there's something you are passionate about!

Have you tried ndm (the Npm Desktop Manager)? It's a nice tool to browse and manage a project's npm packages, much like the git GUI tools available but for npm.

If you have any news to share or have other feedback, let us know using the comments below or reach out on Twitter.

Happy packaging! And happy new year!

MyGet's NuGet and NPM news from the community (November 2016)

It’s November, the holiday season is almost there. In our fourth MyGet's NuGet and NPM news from the community, let's look at some interesting blog posts and articles found on the Internet, curated by our MyGet founders Xavier and Maarten. Follow @MyGetTeam on Twitter for more!

NuGet news

NuGet news, curated by MyGetThe NuGet team just released NuGet 3.5, with mostly performance improvements, features and new target frameworks like netstandard and netcoreapp. The performance improvement during package restore is phenomenal, definitely worth upgrading. And you can now package SemVer 2.0 packages as well (and publish them to MyGet).

They also published a release candidate of 4.0, with support for adding NuGet references in the project file. Which is great as we can now use MSBuild variables in our dependency definitions.

More releases at Microsoft's Connect conference. There's Visual Studio 2017 RC as well as a new .NET Core version (1.1).

Armin Reiter wrote a post titled Powershell package management – NuGet, Chocolatey and Co. He describes what OneGet is and how PowerShell package management (which is now integrated in Windows 10 as well) can be used to install and manage modules and software on our system.

Rick Strahl wrote a post on .NET Standard 2.0 - Making Sense of .NET Again. He covers what .NET Standard 2.0 means to developers and how it fits into the future of .NET and .NET Core.

NPM news

NPM news, curated by MyGetA fresh npm@latest version has landed, 4.0.2 (and a prerelease 4.0.3, adding Node 7 support and a simplified lifecycle for publish events.

Ever wondered what a package manager is made of? Why are lockfiles considered bad practice for libraries but good for apps? Shubheksha Jalan wrote a nice blog post about Javascript Package Managers 101

But what is a dependency? Is it simply code we depend on? Guy Podjarny describes the 5 dimensions of an npm dependency in detail.

What are the bots up to on npm? That was the question Adam Baldwin asked himself after analyzing who else is downloading and running / testing random modules on npm. Interesting finds, for example a package that phones home after being installed.

In 7 npm tricks to knock your wombat socks off, Tierney Coren describes a couple of tips and tricks with the npm command line. For example adding npm completion under bash, or making sure packages you install actually work with the current Node version using "engine-strict".

Elijah Manor and his team started exploring running npm scripts in a git pre-commit hook and run linting before a commit. This technique ensures no invalid JavaScript code can be committed to source control.

If you have any news to share or have other feedback, let us know using the comments below or reach out on Twitter.

Happy packaging!

Learning NuGet Semantic Version Ranges with SemVer Explorer

When authoring NuGet packages, you can declare package dependency versions using Semantic Versioning. NuGet allows specifying dependencies as floating ranges, using interval notation or using fixed version numbers, as explained in the NuGet docs.

MyGet SemVer Explorer allows you to specify a SemVer dependency range, and will check the target package repository for the package versions that match.

NuGet dependency range explorer

Version ranges can be simple (e.g. 6.1.* to match all packages >= 6.1.0) or more complex using interval notation (e.g. (8.0,9.0.1) to match versions that are between 8.0 and 9.0.1. SemVer explorer lets you try these ranges and see which versions of an actual package match. Once satisfied, version ranges can be used in a packages.config or project.json document for use with NuGet or the .NET Core command line.

Can I target MyGet feeds?

Definitely! By default, the tool is configured to query the v3 NuGet.org repository at https://api.nuget.org/v3/index.json. You can simply change the target feed URL to the v3 NuGet feed of a MyGet repository you have access to, and we'll query that one instead.

Can I target private MyGet feeds?

If you have an access token that grants you read-access to the MyGet repository, you can leverage MyGet's support for pre-authenticated feed URLs. Make sure you target the pre-authenticated v3 NuGet endpoint. See our documentation for further guidance.

Have fun exploring the various semantic version constraints NuGet provides! And happy packaging!

Checking potential vulnerabilities in project dependencies

Software projects nowadays are based on many third party and open source libraries. It is important to be aware of any potential security vulnerabilities in these components, to ensure our own software project is secure. Thanks to OSSIndex and Vor Security, we now have a vulnerability report ready for your MyGet feed!

While still in preview, every feed now has a Vulnerabilities tab which reports potential vulnerabilities in packages on that feed, whether NuGet, npm or Bower.

vulnerability-report

The vulnerability report provides us with an overview of potential vulnerabilities in our dependencies. We can also see the percentage of packages with potential vulnerabilities versus the percentage of packages with no known vulnerabilities.

Give it a go, we’re looking forward to your feedback on this new feature! Leave your comments below or reach out on Twitter.

Happy packaging!