protect-oss-packages-with-upstream-sources.md

title: How to use upstream sources in your Azure Artifacts feed
description: Use upstream sources in Azure Artifacts to consume packages from public registries
ms.service: azure-devops-artifacts
ms.date: 06/03/2022
monikerRange: <= azure-devops
recommendations: true

Tutorial: How to use upstream sources


Using upstream sources in your feed lets you manage your application dependencies from a single feed. It makes it easy to consume packages from public registries while protecting you against outages or compromised packages, because the feed keeps a saved copy of each package you consume from upstream. You can also publish your own packages to the same feed and manage all your dependencies in one location.

This tutorial will walk you through how to enable upstream sources on your feed and consume packages from public registries such as NuGet.org or npmjs.com.

In this tutorial, you will:


  • Create a new feed and enable upstream sources.
  • Set up your configuration file.
  • Run an initial package restore to populate your feed.
  • Check your feed to view the saved copy of the packages you consumed from the public registry.

Create a feed and enable upstream sources

::: moniker range=">= azure-devops-2019"

  1. Sign in to your Azure DevOps organization, and then navigate to your project.

  2. Select Artifacts, and then select Create Feed to create a new feed.

    :::image type="content" source="../media/new-feed-button-azure-devops-newnav.png" alt-text="Screenshot showing the create feed button.":::

  3. Provide a name for your feed, and choose its visibility. Make sure you check the Include packages from common public sources checkbox to enable upstream sources, and then select Create when you're done.

    :::image type="content" source="../media/new-feed-dialog.png" alt-text="Screenshot showing the create a new feed window.":::

::: moniker-end

Note

To add a feed from a different organization as an upstream source, the target feed owner must share the target view with "All feeds and people in organizations associated with my Microsoft Entra tenant". To do so, navigate to Feed Settings > Views, select the ellipsis button on the right for the specified view, and then select Edit.

Set up the configuration file

Now that we've created our feed, we need to update the configuration file to point to it. To do this, we must:

  1. Get the source's URL
  2. Update the configuration file

::: moniker range=">= azure-devops-2019"

  1. Select Artifacts, and then select Connect to feed.

    :::image type="content" source="../media/connect-to-feed-azure-devops-newnav.png" alt-text="Screenshot showing how to connect to a feed.":::

  2. On the left side of the page, select the npm tab.

  3. Follow the instructions in the Project setup section to set up your config file.

    :::image type="content" source="../media/connect-to-feed-npm-registry-azure-devops-newnav.png" alt-text="Screenshot showing how to set up your project.":::

::: moniker-end

If you don't have a .npmrc file already, create a new one in the root of your project (in the same folder as your package.json). Open your new .npmrc file and paste the snippet you just copied in the previous step.

  1. Select Artifacts, and then select your feed.

  2. Select Connect to feed, and then choose NuGet.exe.

    :::image type="content" source="../media/nuget-connect-to-feed.png" alt-text="Screenshot showing how to connect to NuGet feeds.":::

  3. Copy the XML snippet in the Project Setup section.

  4. Create a new file named nuget.config in the root of your project.

  5. Paste the XML snippet in your config file.

  1. Select Artifacts, and then select your feed from the dropdown list.

  2. Select Connect to feed, and then select pip under the Python section.

    :::image type="content" source="../media/project-setup-pip.png" alt-text="A screenshot showing how to connect to a feed with pip projects.":::

  3. Create a virtual environment if you haven't done so already.

  4. Add a pip.ini (Windows) or pip.conf (Mac/Linux) file to your virtualenv and paste the following snippet:

    [global]
    index-url=https://pkgs.dev.azure.com/ORGANIZATION-NAME/_packaging/FEED-NAME/pypi/simple/

  1. Select Artifacts, and then select your feed from the dropdown list.

  2. Select Connect to feed, and then select Maven.

    :::image type="content" source="../media/project-setup-maven.png" alt-text="A screenshot showing how to connect to a feed with Maven projects.":::

  3. Add the following snippet to the <repositories> and <distributionManagement> sections in your pom.xml:

    <repository>
      <id>[FEED-NAME]</id>
      <url>https://pkgs.dev.azure.com/[ORGANIZATION-NAME]/_packaging/[FEED-NAME]/maven/v1</url>
      <releases>
        <enabled>true</enabled>
      </releases>
      <snapshots>
        <enabled>true</enabled>
      </snapshots>
    </repository>

  4. Add a <server> to your settings.xml file:

    <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                                  https://maven.apache.org/xsd/settings-1.0.0.xsd">
      <servers>
        <server>
          <id>[FEED-NAME]</id>
          <username>[ORGANIZATION-NAME]</username>
          <password>[PERSONAL_ACCESS_TOKEN]</password>
        </server>
      </servers>
    </settings>

  5. Create a personal access token with Packaging > Read & write scopes and paste your personal access token into the <password> tag in your settings.xml file.

  1. Select Artifacts, and then select your feed from the dropdown list.

  2. Select Connect to feed, and then select Gradle.

    :::image type="content" source="../media/project-setup-gradle.png" alt-text="A screenshot showing how to connect to a feed with Gradle projects.":::

  3. Add the following snippet to the repositories and publishing sections in your build.gradle file:

    maven {
        url 'https://pkgs.dev.azure.com/[ORGANIZATION-NAME]/_packaging/[FEED-NAME]/maven/v1'
        name '[FEED-NAME]'
        authentication {
            basic(BasicAuthentication)
        }
    }

  4. Add a <server> to your settings.xml file:

    <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                                  https://maven.apache.org/xsd/settings-1.0.0.xsd">
      <servers>
        <server>
          <id>[FEED-NAME]</id>
          <username>[ORGANIZATION-NAME]</username>
          <password>[PERSONAL_ACCESS_TOKEN]</password>
        </server>
      </servers>
    </settings>

  5. Create a personal access token with Packaging > Read & write scopes. Paste your personal access token into the <password> tag in your settings.xml file.
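
The aim of the configuration above is that every dependency resolves through the one feed, so it is worth checking that the pip and Maven files name no other package source. The following is an added example, not part of the original tutorial or of Azure Artifacts; the organization `contoso`, the feed `app-feed`, and the function names are assumptions made for illustration.

```python
# Added example (not from the tutorial); "contoso" and "app-feed" are constructed names.
import configparser
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

FEED_HOST = "pkgs.dev.azure.com"
FEED_PREFIX = "/contoso/_packaging/app-feed/"  # /<organization>/_packaging/<feed>/

def is_feed_url(url):
    """True only for an HTTPS URL on the feed host under the expected feed path."""
    # Parse the hostname rather than prefix-matching, so "host@other.example" tricks fail.
    parts = urlparse(url.strip())
    return (parts.scheme == "https" and parts.hostname == FEED_HOST
            and parts.path.startswith(FEED_PREFIX))

def audit_pip(text):
    """Findings for a pip.ini / pip.conf body: every configured index must be the feed."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        for key, value in cfg.items(section):
            if key in ("index-url", "extra-index-url"):
                findings += [f"[{section}] {key} -> {u}"
                             for u in value.split() if not is_feed_url(u)]
    if not any(cfg.has_option(s, "index-url") for s in cfg.sections()):
        findings.append("no index-url: pip would use its default index")
    return findings

def audit_pom(text):
    """Findings for repository URLs declared in a pom.xml body (declared entries only)."""
    local = lambda el: el.tag.rsplit("}", 1)[-1]  # strip an XML namespace if present
    findings = []
    for el in ET.fromstring(text).iter():
        if local(el) in ("repository", "snapshotRepository", "pluginRepository"):
            url = next((c.text or "" for c in el if local(c) == "url"), "")
            if not is_feed_url(url):
                findings.append(f"<{local(el)}> -> {url or '(no url)'}")
    return findings

# Constructed sample inputs.
PIP_OK = "[global]\nindex-url=https://pkgs.dev.azure.com/contoso/_packaging/app-feed/pypi/simple/\n"
PIP_MIXED = PIP_OK + "extra-index-url=https://pypi.org/simple/\n"
POM_MIXED = """<project><repositories>
 <repository><id>app-feed</id><url>https://pkgs.dev.azure.com/contoso/_packaging/app-feed/maven/v1</url></repository>
 <repository><id>other</id><url>https://repo.example.org/maven2</url></repository>
</repositories></project>"""

if __name__ == "__main__":
    print(audit_pip(PIP_OK), audit_pip(PIP_MIXED), audit_pom(POM_MIXED), sep="\n")
```

An empty list means every declared source is the feed; any other entry names a source that bypasses the feed and its saved copies.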


Restore packages

Now that you've enabled upstream sources and set up your configuration file, you can run the package restore command to query the upstream source and retrieve the upstream packages.

::: moniker range="azure-devops"

Remove the node_modules folder from your project and run the following command in an elevated command prompt window:

npm install --force

Your feed now should have a saved copy of any packages you installed from upstream.

Note

The --force argument will force pull remotes even if a local copy exists.

  1. Clear your local cache:

    nuget locals -clear all

  2. Restore your NuGet packages:

    nuget.exe restore

Your feed now should have a saved copy of any packages you installed from upstream.

Run the following command in your project directory:

dotnet restore --interactive

Your feed now should have a saved copy of any packages you installed from upstream.

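Run the following command in your project directory (pip install needs at least one requirement; this assumes your dependencies are listed in a requirements.txt file):

pip install -r requirements.txt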

Your feed now should have a saved copy of any packages you installed from upstream.

Run the following command in your project directory:

mvn install

Your feed now should have a saved copy of any packages you installed from upstream.

Run the following command in your project directory:

gradle build

Your feed now should have a saved copy of any packages you installed from upstream.

Run the following command in your project directory:

cargo build

Your feed now should have a saved copy of any packages you installed from upstream.


::: moniker-end

::: moniker range=">= azure-devops-2020 < azure-devops"

Remove the node_modules folder from your project and run the following command in an elevated command prompt window:

npm install --force

Your feed now should have a saved copy of any packages you installed from upstream.

Note

The --force argument will force pull remotes even if a local copy exists.

  1. Clear your local cache:

    nuget locals -clear all

  2. Restore your NuGet packages:

    nuget.exe restore

Your feed now should have a saved copy of any packages you installed from upstream.

Run the following command in your project directory:

dotnet restore --interactive

Your feed now should have a saved copy of any packages you installed from upstream.

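Run the following command in your project directory (pip install needs at least one requirement; this assumes your dependencies are listed in a requirements.txt file):

pip install -r requirements.txt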

Your feed now should have a saved copy of any packages you installed from upstream.

Run the following command in your project directory:

mvn install

Your feed now should have a saved copy of any packages you installed from upstream.

Run the following command in your project directory:

gradle build

Your feed now should have a saved copy of any packages you installed from upstream.


::: moniker-end

::: moniker range="azure-devops-2019"

Remove the node_modules folder from your project and run the following command in an elevated command prompt window:

npm install --force

Your feed now should have a saved copy of any packages you installed from upstream.

Note

The --force argument will force pull remotes even if a local copy exists.

  1. Clear your local cache:

    nuget locals -clear all

  2. Restore your NuGet packages:

    nuget.exe restore

Your feed now should have a saved copy of any packages you installed from upstream.

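Run the following command in your project directory (pip install needs at least one requirement; this assumes your dependencies are listed in a requirements.txt file):

pip install -r requirements.txt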

Your feed now should have a saved copy of any packages you installed from upstream.

Run the following command in your project directory:

mvn install

Your feed now should have a saved copy of any packages you installed from upstream.

Run the following command in your project directory:

gradle build

Your feed now should have a saved copy of any packages you installed from upstream.


::: moniker-end

Related articles