NuGet: Security, Licensing, and Reliability Considerations
How to Protect Your Private NuGet Feed and Safely Consume the Feed From External Systems
Our NuGet feed URL and authorization key are not encrypted. You should protect this sensitive information against unauthorized use by untrusted third parties. For instance, do not share nuget.config or other secret files that contain our NuGet feed URL or authorization key on GitHub, in public Support Center tickets, on Stack Overflow, or on other public online resources. If you accidentally expose your NuGet feed to the public, submit a new ticket to the DevExpress Support Center so that we can regenerate your NuGet feed.
To help protect private NuGet feeds in your CI/CD system and other secured environments such as Azure DevOps, Docker, or Kubernetes, we support NuGet authentication using personal access tokens. Options include:
- Azure DevOps – Either store your private NuGet URL in nuget.config, or keep the authorization key out of your repository and specify it in the Azure portal UI. Alternatively, store your private NuGet URL in an Azure Key Vault secret and pass it to the Azure CLI script as an environment variable.
- .NET CLI (the dotnet tool) or NuGet CLI – Pass the authorization key as a parameter to your CLI commands when you add NuGet packages.
- Docker and Kubernetes – If you use BuildKit to build a Docker image, you can specify the `--secret` flag to safely pass the NuGet source URL.
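The pattern common to all three options above is that the feed URL (which carries the authorization key) lives only in the CI system's secret store and is materialized into nuget.config at build time, never committed. The following added example illustrates that step in POSIX shell; it is not code from the DevExpress documentation. The variable name `DX_NUGET_FEED_URL`, the output path, and the URL shape `https://nuget.devexpress.com/EXAMPLE-KEY/...` are placeholders constructed for the example, and the `redact_feed_url` helper is an assumption about how you would log the source without leaking it.

```shell
#!/bin/sh
# Added example (not from the DevExpress page): write nuget.config from a
# secret environment variable at CI time, so the feed URL with its embedded
# authorization key never lands in source control.
# Assumed names: DX_NUGET_FEED_URL (the secret), and the output file path.

# Escape the five XML special characters so any URL is safe inside an attribute.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Render nuget.config with <clear /> so that only the sources listed here are
# consulted (an inherited user-level config cannot add an unexpected feed).
# Refuses an empty value (unset secret) and a non-https URL (key sent in clear).
render_nuget_config() {
    feed_url="$1"
    out="$2"
    if [ -z "$feed_url" ]; then
        echo "feed URL is empty (is the secret variable set?); refusing to write $out" >&2
        return 1
    fi
    case "$feed_url" in
        https://*) ;;
        *) echo "feed URL must use https; refusing to write $out" >&2; return 1 ;;
    esac
    escaped=$(xml_escape "$feed_url")
    cat > "$out" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="DevExpress" value="$escaped" />
  </packageSources>
</configuration>
EOF
}

# Drop everything after the host before the URL goes into a build log, so a
# shared or archived log does not disclose the key. (Assumed helper.)
redact_feed_url() {
    printf '%s' "$1" | sed -E 's#^(https?://[^/]+)/.*$#\1/***#'
}

# Typical CI usage: the secret is injected by the pipeline, never hard-coded.
#   render_nuget_config "$DX_NUGET_FEED_URL" ./nuget.config
#   echo "restoring from $(redact_feed_url "$DX_NUGET_FEED_URL")"
```

In a BuildKit build the same value should reach the restore step through a `RUN --mount=type=secret` mount (the `--secret` flag mentioned above) rather than an `ARG` or `ENV`, which would persist in image layers; in Azure DevOps the variable comes from a secret pipeline variable or a Key Vault-linked variable group. In both cases the generated nuget.config should be excluded from version control.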
NuGet Licensing Best Practices for Multi-License Holders & CI/CD
If you are working within a team, a license holder (typically a team lead or company owner) assigns individual DevExpress licenses to each developer using the Assign Licenses menu on our website. An individual DevExpress license assigned to a developer grants this developer the right to use the DevExpress Unified Component Installer or individual NuGet feed credentials.
Question: Which NuGet feed should a team of multiple developers use for a shared CI/CD pipeline?
Answer: For a shared CI/CD pipeline, use individual NuGet feed credentials for a developer with a valid DevExpress license (it does not matter whether this individual is a team lead/developer/company owner). This developer can also develop with valid DevExpress products within Visual Studio or another IDE. All other developers within the team who use DevExpress products must also own valid DevExpress licenses.
If the primary license holder has assigned all available licenses to developers within the team, the license holder cannot use their NuGet feed for a shared CI/CD pipeline or for any other development purpose. This is not new to NuGet: it has always been the case for our Unified Component Installer that a primary license holder who retains no license cannot install our products (whether through NuGet or the Unified Installer).
Note
Our licensing rules (as defined in the DevExpress EULA) prohibit the use of a single DevExpress license by multiple developers for build and development purposes within Visual Studio or other IDEs – each developer who uses our products must own a license. If you own the appropriate number of developer licenses but need licensing-related clarification for your CI/CD system, be sure to submit a ticket via the DevExpress Support Center. We’ll do our best to accommodate your specific business situation (where possible). If you have questions regarding our license and terms of use, please email info@devexpress.com.
Cache NuGet Packages for the Best Performance and Reliability
We strongly recommend that you configure your CI/CD pipelines to cache NuGet packages. Caching NuGet packages helps your team reduce build time and avoids downtime should an outage occur (with https://nuget.devexpress.com/ or with external NuGet servers such as https://www.nuget.org/). For instance, with Azure DevOps you can follow the best practices outlined in the following document: Cache NuGet packages | Microsoft Azure DevOps documentation. Contact your CI/CD system vendor for more information and review our NuGet feed integration help topic for additional assistance.