Security, Licensing, and Troubleshooting
Licensing
If you are working within a team, a license holder (typically a team lead or executive) assigns individual DevExpress licenses to each developer using the Assign Licenses menu on our website. An individual DevExpress license assigned to a developer grants this developer the right to use the DevExpress Unified Component Installer or individual NuGet feed credentials.
Which NuGet feed should a team of multiple developers use for a shared CI/CD pipeline?
For a general CI/CD pipeline, use individual NuGet channel credentials for a developer with a valid DevExpress license. This developer can use licensed DevExpress products in Visual Studio or another IDE. All other developers on the team that use DevExpress products must also have valid DevExpress licenses.
If the primary license owner has assigned all available licenses to developers on a team, the license owner cannot use their NuGet feed for a shared CI/CD pipeline or any other development purposes. Primary license owners without a license cannot install DevExpress products (whether it is done through NuGet or the Unified Component Installer). For additional license-related information, please refer to the following: Licensing: EULAs and FAQ | DevExpress.
Certain DevExpress packages have disappeared from my online NuGet feed, or I can no longer access older versions of packages (only the latest version is available).
We offer trial/evaluation versions for the latest versions. Licensed users are able to access earlier versions via the DevExpress Download Manager or their personal online NuGet feed.
DevExpress NuGet packages may “disappear” in the following instances:
- You are using an unlicensed/trial version and your 30-day trial has expired.
- Your license manager reassigned your personal license to someone else in your organization (in which case your NuGet feed converts to trial mode and access to DevExpress packages is disabled automatically).
How do I find unlicensed DevExpress packages in my project?
To help avoid unintentional license/EULA violations, we send an email notification when a NuGet package trial begins: Start your 30-day trial. Applications that reference DevExpress trial packages display trial/eval banners and watermarks: When using a trial version.
Users sometimes mistake certain features for capabilities that ship as part of DevExpress DXperience or our platform-specific subscriptions. Check your projects for the following to avoid unintended use or a license/EULA violation:
DevExpress Office File API Complete
The DevExpress.Document.Processor NuGet package (or DevExpress.Docs.v24.1.dll in .NET Framework) ships as part of the Universal Subscription and the Office File API Complete Subscription. DXperience, WinForms, WPF, ASP.NET and Blazor, Reporting, and DevExtreme Complete subscriptions do not include the DevExpress Office File API Complete (for example, PdfDocumentProcessor, Workbook/Worksheet, Zip Compression, Barcode Generation, Unit Conversion, and some “paid” RichEditDocumentServer APIs).
DevExpress Business Intelligence Dashboard
The DevExpress.Dashboard.Core NuGet package (or DevExpress.Dashboard.v24.1.Core.dll in .NET Framework) ships as part of the DevExpress Universal Subscription. DXperience and platform-specific subscriptions do not include BI Dashboard.
XAF (Cross-Platform .NET UI & Web API)
The DevExpress.ExpressApp NuGet package (or DevExpress.ExpressApp.v24.1.dll in .NET Framework) ships as part of the DevExpress Universal Subscription. DXperience and platform-specific subscriptions do not include XAF (Cross-Platform .NET UI & Web API).
If you are unsure whether your code uses APIs from these DevExpress packages, you can search for and remove them by using Solution Explorer. The resulting compilation errors in your project will show where these APIs are used.
Note
DevExpress license terms (as defined in the DevExpress EULA) prohibit the use of a single DevExpress license by multiple software developers (for build and development purposes within Visual Studio or other IDEs). Each engineer who develops solutions using DevExpress products must own/purchase a valid license.
If you own the appropriate number of DevExpress licenses, but need licensing related clarification for your CI/CD system, be sure to submit a support ticket via the DevExpress Support Center. We’ll do our best to accommodate your specific business requirements (where possible). If you have licensing related questions, please refer to the following webpage: Licensing: EULAs and FAQ | DevExpress.
Security
How do I protect my private NuGet feed and safely consume the feed from external systems?
DevExpress NuGet feed URL and authorization keys are not encrypted. You should protect this sensitive information against unauthorized use. Do not share nuget.config and other secret files (with a DevExpress NuGet feed URL or authorization key) on GitHub, public DevExpress Support Center tickets, Stack Overflow, or other public online resources. If you accidentally exposed your NuGet feed to the public, submit a DevExpress Support Center ticket so that we can regenerate your NuGet feed.
To help protect private NuGet feeds in your CI/CD system and other secured environments such as Azure DevOps, Docker, Kubernetes, GitHub, or GitLab, we support NuGet authentication using personal access tokens. Options include:
- GitHub Actions
- GitLab
- Azure DevOps
- .NET CLI (the dotnet tool) or NuGet CLI
- Docker and Kubernetes – If you use BuildKit to build a Docker image, you can specify the --secret flag to safely pass the NuGet source URL.
Note
Storing passwords in clear text is highly discouraged. For additional information on secure credential management, refer to the following Microsoft help topic: Consuming packages from authenticated feeds - Security best practices for managing credentials.
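The following Python script is an added example, not DevExpress code. It checks a nuget.config before the file is committed or attached to a ticket: it flags a feed authorization key embedded in a nuget.devexpress.com source URL and a literal ClearTextPassword, and it masks keys in log text. The key value, the DEVEXPRESS_NUGET_KEY variable name, and the finding labels are assumptions made for this illustration; %NAME% is NuGet's environment-variable syntax for nuget.config values.

```python
import re
import xml.etree.ElementTree as ET

# Feed URL Authorization carries the key as the first path segment of the source URL.
FEED_URL = re.compile(r"(https://nuget\.devexpress\.com/)([^/\s\"'<>]+)(/api\b)", re.I)
# {template} text and %ENV_VAR% references (expanded by NuGet at run time) are not secrets.
PLACEHOLDER = re.compile(r"\{[^{}]*\}|%[^%]+%")

def scan_nuget_config(xml_text):
    """Return (kind, source_name) findings for secrets stored in a nuget.config."""
    findings = []
    root = ET.fromstring(xml_text)
    for add in root.findall("./packageSources/add"):
        m = FEED_URL.search(add.get("value", ""))
        if m and not PLACEHOLDER.fullmatch(m.group(2)):
            findings.append(("key-in-feed-url", add.get("key")))
    for source in root.findall("./packageSourceCredentials/*"):
        for add in source.findall("add"):
            is_clear = add.get("key", "").lower() == "cleartextpassword"
            if is_clear and not PLACEHOLDER.fullmatch(add.get("value", "")):
                findings.append(("clear-text-password", source.tag))
    return findings

def redact(text):
    """Mask feed keys in free text (build logs, support tickets) before sharing."""
    def mask(m):
        return m.group(0) if PLACEHOLDER.fullmatch(m.group(2)) else m.group(1) + "***" + m.group(3)
    return FEED_URL.sub(mask, text)

# Constructed samples; the key value and the variable name are made up.
LEAKY = """<configuration>
  <packageSources>
    <add key="DevExpress" value="https://nuget.devexpress.com/CONSTRUCTEDKEY123/api/v3/index.json" />
  </packageSources>
</configuration>"""

SAFE = """<configuration>
  <packageSources>
    <add key="DevExpress" value="https://nuget.devexpress.com/api/v3/index.json" />
  </packageSources>
  <packageSourceCredentials>
    <DevExpress>
      <add key="Username" value="DevExpress" />
      <add key="ClearTextPassword" value="%DEVEXPRESS_NUGET_KEY%" />
    </DevExpress>
  </packageSourceCredentials>
</configuration>"""

print(scan_nuget_config(LEAKY), scan_nuget_config(SAFE))
```

A check like this fits a pre-commit hook or a CI step that fails the build when the list of findings is not empty.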
How do I regenerate my NuGet API key (feed) if it was exposed?
Your NuGet API key contains sensitive information. As such, you should protect it from unauthorized use. If your NuGet API key has been compromised in any manner, you need to regenerate it as soon as possible. Situations which may require you to regenerate a NuGet API key may include, but are not limited to, the following:
- You included your NuGet API key in a public forum post, GitHub repository, log file, or an unauthorized location by mistake.
- Members of your team with access to your NuGet Feed have left your organization.
- You know or suspect that your NuGet API key has been stolen or compromised.
To regenerate the NuGet API key, you must:
- Navigate to https://nuget.devexpress.com/.
- Log in if you are logged out.
- Click Regenerate Feed and follow the instructions.
Our organization uses a firewall/proxy. What should our IT admins whitelist to access the DevExpress NuGet server?
Your IT administrators should double-check that nuget-cdn.devexpress.com and nuget.devexpress.com are added to the list of allowed sites or whitelisted using the fully qualified domain name (FQDN) rather than the IP address.
IT administrators may be interested to know that the DevExpress NuGet server hosts packages on Amazon CloudFront and there is a redirect to nuget-cdn.devexpress.com from nuget.devexpress.com (internal CI/CD and other systems must support ‘http redirection’ and TLS 1.2). nuget.devexpress.com is protected by Cloudflare (you should grant access to Cloudflare edge servers).
If these recommendations do not help, please ask your IT administrators to test access to our website using standard tools such as ping and tracert. Read the following article for additional information in this regard: How to Use TRACERT to Troubleshoot TCP/IP Problems in Windows.
I received a ‘403 - Forbidden. Access is denied’ or ‘Response status code does not indicate success: 403’ error when using nuget.devexpress.com
It is likely that access to external sites such as https://www.devexpress.com is blocked for certain machines/networks by your IT department. Use Down for Everyone or Just Me or a similar third-party tool to check if our website is down.
If our website is not accessible from your company network, please review the previous question/solution.
Our NuGet server implements various security measures to prevent distributed denial-of-service (DDoS) attacks and unauthorized usage. In rare instances (when we detect anomalous or malicious activity), DevExpress may blacklist certain NuGet clients or external IP addresses. In such instances, contact DevExpress Support (via the DevExpress Support Center) to unblock the external IP address.
Reliability
Should I use the NuGet v2 or NuGet v3 protocol?
Use the NuGet v3 protocol to access DevExpress packages:
- https://nuget.devexpress.com/{your-feed-authorization-key}/api/v3/index.json (Feed URL Authorization)
- https://nuget.devexpress.com/api/v3/index.json (Password-based Authorization - use “DevExpress” as your user name and your feed authorization key as your password)
Microsoft (for https://nuget.org) and many third parties (such as CI/CD systems and other vendors) have deprecated the NuGet v2 protocol. The NuGet v3 protocol is faster and more reliable than NuGet v2. You can access DevExpress NuGet packages (temporarily) using the legacy/deprecated NuGet v2 protocol (https://nuget.devexpress.com/{your-feed-authorization-key}/api/).
Note
We strongly recommend that you migrate to NuGet v3 as NuGet v2 will be removed from https://nuget.devexpress.com in the future.
I cannot use the online DevExpress NuGet feed. I want to set up my own NuGet server.
We don’t recommend setting up a NuGet server because of additional maintenance requirements (including the need to maintain package sync between your server and our latest versions). However, this setup can be beneficial in high-security environments without Internet access, or in advanced CI/CD system scenarios where internal package caching is necessary to improve performance/security. You can obtain our NUPKG files from c:\Program Files\DevExpress 24.1\Components\System\Components\packages\setup and set up your own NuGet server.
Read the following help topic for additional information: Hosting your own NuGet feeds.
Cache NuGet packages for the best performance and reliability
We strongly recommend that you configure your CI/CD pipelines to cache NuGet packages. Caching NuGet packages will help your team reduce build time and also avoid downtime should outages occur (with https://nuget.devexpress.com/ or with external NuGet servers like https://www.nuget.org/). For instance, with Azure DevOps, you can follow best practices outlined in the following document: Cache NuGet packages | Microsoft Azure DevOps documentation. Contact your CI/CD system vendor for additional information/guidance or review our NuGet feed integration help topic for technical assistance.
Troubleshooting
Unable to find package ‘DevExpress.XXX’. Existing packages must be restored before performing an install or update (Visual Studio or CI/CD).
If you encounter package installation or update issues in Visual Studio or CI/CD, reset your NuGet package cache with the dotnet tool in Visual Studio itself. In Visual Studio 2017 and higher, you must:
- Navigate to Tools | NuGet Package Manager and click Package Manager Settings.
- Click Clear All NuGet Storage.
Read the following Microsoft help topic for additional information in this regard: Clearing local folders.
I use VS Code/JetBrains Rider. How to set up the DevExpress NuGet online feed in VS Code/JetBrains Rider?
Read the following sections to register the DevExpress NuGet feed and add DevExpress NuGet packages to your project:
Unable to load the service index for source nuget.devexpress.com. The content at nuget.devexpress.com is not a valid JSON object.
Error
<feed name> Unable to load the service index for source https://nuget.devexpress.com/…/api.
The content at 'https://nuget.devexpress.com/…/api' is not a valid JSON object.
Unexpected character encountered while parsing value: <. Path '', line 0, position 0.
Solution
- Open and modify the nuget.config file as follows:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <packageSources>
        <add key="DevExpress" value="https://nuget.devexpress.com/{Your-DevExpress-NuGet-Feed}/api/v3/index.json" />
      </packageSources>
    </configuration>

- Restart Visual Studio.
Read the following Microsoft article to find the location of nuget.config: Config file locations and uses.
This error may be unrelated to DevExpress:
- Visual Studio - Nuget - Unable to load the service index for source
- Nuget connection attempt failed “Unable to load the service index for source”
Note
Storing passwords in clear text is highly discouraged. For additional information on secure credential management, refer to the following Microsoft help topic: Consuming packages from authenticated feeds - Security best practices for managing credentials.
Unable to read data from transport connection: ‘An existing connection was forcibly closed by the remote host’.
This error may be unrelated to DevExpress. Reports related to this type of exception can be found in the following public resources:
- NuGet.exe from command line gives “existing connection was forcibly closed by the remote host” error
- Nuget.exe: An existing connection was forcibly closed by the remote host
- Error: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host
- How to enable TLS 1.2 on clients
Review standard NuGet issues (with NUxxx error codes) if this topic did not address your specific NuGet-related issue.
If you are experiencing NuGet errors, please isolate the error and search public resources for additional guidance (the following Microsoft article should help you isolate non-DevExpress-related issues): Errors and warnings.