Azure Artifacts - Sprint 183 Update

Features

Changes to Azure Artifacts upstream behavior

Previously, Azure Artifacts feeds presented package versions from all of their upstream sources. These include package versions originally pushed to an Azure Artifacts feed (internally sourced) and package versions from common public repositories like npmjs.com, NuGet.org, Maven Central, and PyPI (externally sourced).

This sprint introduces a new behavior that provides additional security for your private feeds by limiting access to externally sourced packages when internally sourced packages are already present. This feature offers a new security layer, which prevents malicious packages from a public registry from being inadvertently consumed. These changes will not affect any package versions that are already in use or cached in your feed.

To learn more about common package scenarios where you need to allow externally sourced package versions, other scenarios where no blocking of public packages is needed, and how to configure the upstream behavior, see the documentation: Configure upstream behavior - Azure Artifacts | Microsoft Docs
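A simplified model of the behavior described above, as an added example that is not Azure Artifacts code. The function names, the `allow_external` and `legacy` parameters, and the sample versions are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Version:
    number: str      # dotted numeric version, e.g. "1.2.0"
    external: bool   # True if it originates from a public registry


def visible_versions(upstream, saved, allow_external=False, legacy=False):
    """Return the version numbers a feed offers for one package.

    upstream:       versions reachable through the feed's upstream sources
    saved:          version numbers already in use or cached in the feed
    allow_external: hypothetical name for the opt-in that permits
                    externally sourced versions for this package
    legacy:         True models the behavior before this sprint
    """
    has_internal = any(not v.external for v in upstream)
    offered = set(saved)  # saved versions are not affected by the change
    for v in upstream:
        blocked = (v.external and has_internal
                   and not (allow_external or legacy))
        if not blocked:
            offered.add(v.number)
    return offered


def highest(numbers):
    """Pick the version a 'latest' style resolution would select."""
    return max(numbers, key=lambda n: tuple(int(p) for p in n.split(".")))


# Constructed sample: a private package whose name also exists publicly.
PRIVATE_PKG = [Version("1.0.0", False), Version("1.1.0", False),
               Version("0.9.0", True), Version("99.0.0", True)]
PRIVATE_SAVED = {"0.9.0", "1.0.0"}

# Constructed sample: a package that only exists on a public registry.
PUBLIC_ONLY = [Version("2.0.0", True), Version("2.1.0", True)]

if __name__ == "__main__":
    for label, kw in [("before", {"legacy": True}), ("after", {}),
                      ("after, opt-in", {"allow_external": True})]:
        got = visible_versions(PRIVATE_PKG, PRIVATE_SAVED, **kw)
        print(f"{label:14} latest={highest(got)} offered={sorted(got)}")
    print("public only   ", sorted(visible_versions(PUBLIC_ONLY, set())))
```

In this model the public `99.0.0` stops being the selected version once an internally sourced version exists, while the previously cached external `0.9.0` stays available.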

Next steps

Note

These features will roll out over the next two to three weeks.

Head over to Azure DevOps and take a look.

How to provide feedback

We would love to hear what you think about these features. Use the help menu to report a problem or provide a suggestion.

You can also get advice and your questions answered by the community on Stack Overflow.