0

We are using Azure Devops to publish a private nuget server. Currently we have only published 5 of our own nuget packages, however a subset of third-party nuget packages are also showing. I do not have any upstream sources enabled.

enter image description here

Is this normal behavior? I am able to delete them, but it's not clear how they are ending up there in the first place. We are not pushing them. Any help is appreciated.

Rob

voodoobilly
  • 405
  • 7
  • 18

2 Answers2

0

Try to open the packages that not yours, and check the Publisher in the package. Publisher lists Who and How publish the package.

enter image description here

Cece Dong - MSFT
  • 29,631
  • 1
  • 24
  • 39
  • In the vast majority of cases it says that I am the publisher, which seems odd. I’ve only explicitly pushed the 5 nuget packages we used. I did read something that an attempt is made to cache frequently used packages to protect against outages, etc: https://learn.microsoft.com/en-us/azure/devops/artifacts/concepts/upstream-sources?view=azure-devops#saving-packages-from-upstream-sources-continuity. Is that the behavior I’m seeing and is it configurable? Or do we just need to use views to filter? – voodoobilly Feb 25 '20 at 12:46
  • 1
    But you mentioned you do not have any upstream sources enabled? Can you see how you publish the packages (under the name in Publisher)? – Cece Dong - MSFT Feb 26 '20 at 10:58
  • Under Publisher it says 'using NuGet VS VSIX/5.4.0 (Microsoft Windows NT 10.0.18362.0, Enterprise/16.0)'. But this isn't anything I've specifically enabled in Visual Studio and I don't see anything like it in my VS Extensions list. – voodoobilly Feb 26 '20 at 13:15
  • I was very incorrect -- turns out I did have upstream sources enabled. I was sure I had them turned off. – voodoobilly Feb 26 '20 at 17:24
0

This is because you have upstream sources:

Using upstream sources, you can conveniently store packages from various sources in a single feed - including those that you publish, as well as those you consume from other feeds and public registries such as NuGet.org, npmjs.com, Maven Central, and PyPI. Once upstream sources enabled, a copy of any package installed from upstream will be automatically saved to your feed

to disable them just go to your feed settings and delete all of them if you do not want this ability. enter image description here

for more info about upstream sources: Upstream sources overview

RoyMalka
  • 76
  • 7