public-feeds-upstream-sources.md

title	description	ms.service	ms.topic	ms.date	monikerRange
Enable and add upstream sources to a public feed	How to enable and add upstream sources to a public feed in Azure Artifacts	azure-devops-artifacts	tutorial	03/02/2023	<= azure-devops

Use upstream sources in a public feed

Azure Artifacts enables developers to manage their dependencies from a single feed. Using upstream sources, you can consume packages from feeds and public registries such as NuGet.org, and npmjs.com. In this article, you'll learn how to:

[!div class="checklist"]

• Create a public feed
• Enable upstream sources
• Add a new upstream source

Prerequisites

• An Azure DevOps organization. Create an organization, if you don't have one already.

• An Azure DevOps project. Create a new project if you don't have one already.

• Set your project visibility to public.

Create a public feed

A public feed is a project-scoped feed in a public project. Public feeds inherit the visibility settings of the hosting project.

1. Sign in to your Azure DevOps organization, and then select your public project.

2. Select Artifacts, and then select Create Feed.

   :::image type="content" source="../media/new-feed-devops.png" alt-text="A screenshot showing the create feed button in Azure Artifacts.":::

3. Give your feed a Name, and then select Project: PublicProject (Recommended) for its scope.

   :::image type="content" source="../media/new-public-feed.png" alt-text="A screenshot showing how to create a new public feed.":::

4. Select Create when you're done.

Important

Public feeds do not support upstreaming to a private Artifacts feed. If you are using a public Azure Artifacts feed, you can only upstream to public registries (NuGet.org, npmjs) or other Public Azure Artifacts feeds.

Add an upstream source

1. Sign in to your Azure DevOps organization, and then select your public project.

2. Select Artifacts, and then select your public feed.

3. Select the gear icon to access your Feed Settings.

4. Select Upstream Sources, and then select Add Upstream.

   :::image type="content" source="../media/public-feed-add-upstream.png" alt-text="A screenshot showing how to add an upstream source in a public feed.":::

5. Select your upstream source Type. In this example, we'll be adding NuGet.org as an upstream source.

   :::image type="content" source="../media/public-feed-upstream-types.png" alt-text="A screenshot showing the different types of upstream sources.":::

6. Configure your source, and then select Add when you're done.

   :::image type="content" source="../media/public-feed-configure-upstream.png" alt-text="A screenshot showing how to configure your upstream source.":::

7. Select Save to save your new upstream source.

   :::image type="content" source="../media/save-upstream.png" alt-text="A screenshot showing how to save the newly added upstream source.":::

Important

Package lock files are required to save NuGet and Dotnet packages from upstream sources to a public feed.

Restore packages

Run the following command in your project directory to restore your packages:

::: moniker range="azure-devops"

NuGet

nuget.exe restore

Dotnet

dotnet restore --interactive

Npm

npm install

Maven

mvn install

Gradle

gradle build

Python

pip install

Cargo

cargo build

---

::: moniker-end

::: moniker range=">= azure-devops-2020 < azure-devops"

NuGet

nuget.exe restore

Dotnet

dotnet restore --interactive

Npm

npm install

Maven

mvn install

Gradle

gradle build

Python

pip install

---

::: moniker-end

::: moniker range="azure-devops-2019"

NuGet

nuget.exe restore

Npm

npm install

Maven

mvn install

Gradle

gradle build

Python

pip install

---

::: moniker-end

Note

You must be a Feed and Upstream Reader (Collaborator) or higher to install new package versions from upstream. Anonymous users can only install packages that exist in their feed.

Q&A

Q: I'm trying to restore my packages but I keep getting a 401 unauthorized error?

The contents of a feed can only be changed by an authenticated and authorized identity who has appropriate permissions on the feed. This includes saving packages into the feed from an upstream source. Unauthenticated (anonymous) users can download packages already saved into a feed, but cannot save new packages from an upstream into the feed.

Maintainers of a project should save all needed versions of packages into the public feed. This can be done by restoring a project using an identity that can supply credentials to the feed when prompted, and ensuring that the identity used has Feed and Upstream Reader (Collaborator) or higher permissions on the public feed.

If anonymous users who are restoring packages for a project are repeatedly being blocked by requests for credentials (401 response), the following approaches will reduce or eliminate the issue:

1. Avoid using package version ranges in your project configuration. Explicit package versions will ensure that packaging clients only request the exact version needed.

2. Where supported, utilize lock files for your packaging ecosystem so that the packaging clients only request the specific versions needed for the project during a restore/install operation.

Q: I'm trying to restore my packages using Visual Studio, but I'm noticing that they're getting pulled from a different source?

A: Make sure that Visual Studio is using the source referenced in your nuget.config file and not from the local NuGet package manager. See Package sources for more details.

You can also use the NuGet CLI to force NuGet to use the source in your config file by running the following command:

nuget restore -config <PATH_TO_NUGET_CONFIG_FILE>

Related articles

• Search for packages in upstream sources
• Set up upstream sources
• Configure upstream behavior