Dependency confusion and NuGet proxying #36768
Unanswered
simonjduff asked this question in Packages
Replies: 2 comments
-
We are also aware of this issue and would like to know the road map plan to configure and support public proxying behind the private registry. We currently use a different tool and can configure multiple upstream proxy feeds. If the requested package isn't currently in the private registry, it reaches out to the proxy feeds, finds the public package and caches it on the local server.
-
Thank you for asking a good question @simonjduff, I'm glad you found our community 🙂
-
Using multiple NuGet repositories can create an attack vector. A malicious actor could create a package in the public repository with the same name as one of your private packages, and that public package might be downloaded rather than your intended private package.
Microsoft has published a whitepaper on the topic.
The recommended solution for NuGet is to use a single repository feed, which proxies the public NuGet feed. This would mean that private packages would be selected first. I don't see any way to configure such upstream proxying for NuGet in GitHub.
I did find a blog post from GitHub from 2019 which talks about this problem, and a solution for npm, though not for NuGet.
Is anyone aware of a solution to this problem? Or is this a known flaw with GitHub Packages and I should look to other providers?
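To make the resolution behaviour described in the question concrete, here is an added model (not code from the thread or from GitHub/NuGet) that compares three strategies for picking a package: several independent feeds where the highest version wins, a single feed that proxies upstream with private packages answered first, and an ID-prefix-to-feed mapping in the spirit of NuGet's package source mapping. The feed contents, package IDs and versions are constructed sample data, and the simplified version comparison is an assumption of the model.

```python
"""Model of how a NuGet-style client picks a package across feeds.

Constructed scenario: a private feed publishes 'Contoso.Internal.Auth' 1.0.0,
and the public feed carries a package with the same ID at a higher version.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample feeds: feed -> package ID -> available versions
PRIVATE_FEED: Dict[str, List[str]] = {"Contoso.Internal.Auth": ["1.0.0"],
                                      "Contoso.Internal.Db": ["2.1.0"]}
PUBLIC_FEED: Dict[str, List[str]] = {"Newtonsoft.Json": ["13.0.3"],
                                     "Contoso.Internal.Auth": ["99.0.0"]}


def parse_version(v: str) -> Tuple[int, ...]:
    """Simplified numeric version ordering (assumption: no prerelease tags)."""
    return tuple(int(p) for p in v.split("."))


def resolve_multi_feed(package_id: str, feeds: Dict[str, Dict[str, List[str]]]
                       ) -> Optional[Tuple[str, str]]:
    """Every feed is queried and the highest version wins, whatever its origin.
    This is the setup the question warns about: a public package with the same
    ID and a higher version shadows the private one."""
    best = None
    for feed_name, feed in feeds.items():
        for v in feed.get(package_id, []):
            if best is None or parse_version(v) > parse_version(best[1]):
                best = (feed_name, v)
    return best


def resolve_single_proxy(package_id: str, private: Dict[str, List[str]],
                         upstream: Dict[str, List[str]]) -> Optional[Tuple[str, str]]:
    """One feed in the client config: private packages are answered locally,
    and the upstream public feed is consulted only when the ID is absent."""
    if package_id in private:
        return ("private", max(private[package_id], key=parse_version))
    if package_id in upstream:
        return ("public", max(upstream[package_id], key=parse_version))
    return None


def resolve_with_source_mapping(package_id: str, feeds: Dict[str, Dict[str, List[str]]],
                                mapping: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Pin ID patterns ('Contoso.*', '*') to one feed; longest matching prefix
    wins and only that feed is consulted. Unmapped IDs resolve to nothing."""
    matches = [pat for pat in mapping if package_id.startswith(pat.rstrip("*"))]
    if not matches:
        return None
    feed_name = mapping[max(matches, key=len)]
    versions = feeds[feed_name].get(package_id, [])
    return (feed_name, max(versions, key=parse_version)) if versions else None
```

With the sample feeds, `resolve_multi_feed` hands back the public 99.0.0 package, while the proxy and mapping strategies both return the private 1.0.0.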