NPM security advisory

TL;DR: If you are using NPM and have installed the package eslint-scope 3.7.2, we recommend that you revoke your MyGet access tokens. Security Advisory At MyGet, we’re always closely monitoring security events in the package management space, and we want you to be aware of a vulnerability incident that hit npm users today. The full incident report can be read on the npmjs.org status page. A well-known, popular npm package, eslint-scope (version 3.7.2), was published...

Accidental account deleted notification - what happened

On May 17, 2018, a subset of 2.500 MyGet users accidentally received an automated e-mail informing them that their account was deleted due to inactivity (while no user data was, in fact, removed). We want to apologize for this accidental e-mail, and detail our investigation into why this happened. For a couple of weeks, we have been tracking inactive users on our free plan, for two reasons. First, of course, it would be nice if those users become...

MyGet symbol server helps mitigate CVE-2018-1037

On April 10, 2018, Microsoft released a security update, CVE-2018-1037, describing how Visual Studio can improperly disclose limited contents of uninitialized memory while compiling program database (PDB) files. The memory leaked is limited to typically low-risk variables used in the application build environment, and only information that the Visual Studio executable uses when compiling projects. If your PDB/symbol files are shared publicly, this information could be extracted. Visual Studio versions have been patched, so...

Deprecating Facebook, OpenID and StackExchange login to MyGet

TL;DR: MyGet will retire Facebook, OpenID and StackExchange login to MyGet on March 9, 2018. Historically, MyGet has been using the Microsoft Azure Access Control Service (ACS). It allowed our users to easily create a MyGet account from an existing third-party login system, like Microsoft Account, Google Account, GitHub authentication, … With Microsoft sunsetting the ACS service and having to migrate to a different service, we are re-evaluating which third-party login types we want to...

MyGet 2017.2 Release Notes

We are happy to announce MyGet 2017.2 was released on December 13, 2017! Full release notes are available from our docs. Highlights Next to some new features and many fixes, this 2017.2 release of MyGet again adds some new functionality to the service. Major highlights of this release are: We added PHP Composer support, and welcome PHP developers to the MyGet family! (Announcement | Docs) In fact, this also resulted in a bug fix on...

Inspecting audit logs in MyGet Enterprise

A couple of weeks back, we released an audit log viewer on MyGet Enterprise. Administrators of a MyGet Enterprise plan can inspect every action that happens on their MyGet instance and see who did what, when, and where. From the MyGet Enterprise administration dashboard, all actions performed on the Enterprise installation can be consulted: The list of audit entries is searchable and can be exported to a CSV file so additional querying can be done...

PHP Composer packages just arrived on MyGet

Good news, everyone! We just shipped PHP Composer support on MyGet! If you are building PHP applications and libraries, you can now package them and add these to your MyGet feeds. PHP Composer support is available for all MyGet accounts - check the PHP Composer features described in our documentation. Which features are available? We currently support almost all features we have available for other package managers. Of course you can upload your own packages...

Using a private MyGet feed with JetBrains Rider

JetBrains just released a new .NET IDE: Rider. At MyGet, we’ve been using Rider for our internal development since it was announced. So far, we have really enjoyed this IDE built around ReSharper! And since it comes with a lightning-fast NuGet client, let’s see how we can consume packages from a MyGet feed. Adding a MyGet feed package source The first step in connecting Rider to a MyGet feed is adding it as a package...