Changes to Azure Artifacts Upstream Behavior

We live in a world that has walls and those walls need to be guarded by people with swords. Eh… not a literal sword in this case😀, but with behaviors that can help keep your assets more secure and protect against bad actors.

Previously, Azure Artifacts feeds presented package versions from all of its upstream sources. This includes package versions that were originally pushed to an Azure Artifacts feed (internally sourced) and package versions from common public repositories like npmjs.com, NuGet.org, Maven Central, and PyPI (externally sourced).

Today, we’re excited to announce a new behavior that provides additional security for your private feeds by limiting access to externally sourced packages when internally sourced packages are already present. This provides a new layer of security, which prevents malicious packages from a public registry from being inadvertently consumed. These changes will not affect any package versions that are already in use or cached in your feed.

The security behavior applies:

  • when an internally sourced version is already in your feed, or
  • when consuming a package from your feed for the first time (i.e. it is not yet in your feed), and at least one of the versions available from an upstream is internally sourced.

With the new behavior, any versions from the public registry will be blocked and not made available to download. You are able to configure the upstream behavior to allow externally sourced package versions if you choose to.
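To make the rule concrete, here is an added Python model of the decision described above. It is an illustration written for this post, not Azure Artifacts code; the package names, version numbers and the `internal` flag are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Version:
    name: str
    version: str
    internal: bool  # True: originally pushed to an Azure Artifacts feed; False: from a public registry


def resolve_visible_versions(feed_cache, upstream_versions, allow_external=False):
    """Model of the upstream rule (assumption: simplified, not Azure's implementation).

    feed_cache: versions already cached in the private feed (never affected).
    upstream_versions: versions offered by all configured upstream sources.
    allow_external: the per-feed opt-in that allows externally sourced versions.
    Returns the set of versions a consumer is allowed to see and download.
    """
    feed_cache = set(feed_cache)
    cached_internal = any(v.internal for v in feed_cache)
    upstream_internal = any(v.internal for v in upstream_versions)
    first_use = not feed_cache  # package not yet in the feed

    # Externally sourced versions are blocked when an internal version is already
    # cached, or on first use when any upstream offers an internal version.
    block_external = not allow_external and (
        cached_internal or (first_use and upstream_internal)
    )

    visible = set(feed_cache)  # already-cached versions keep working
    for v in upstream_versions:
        if v.internal or not block_external:
            visible.add(v)
    return visible


def demo():
    # Constructed scenario: an internal package whose name also appears on a public registry
    feed = {Version("contoso-utils", "1.0.0", True)}
    upstream = {
        Version("contoso-utils", "1.0.0", True),
        Version("contoso-utils", "99.0.0", False),  # public registry copy with a higher version
    }
    blocked = resolve_visible_versions(feed, upstream)
    allowed = resolve_visible_versions(feed, upstream, allow_external=True)
    return blocked, allowed


if __name__ == "__main__":
    print(demo())
```

A purely public package with no internally sourced version anywhere is unaffected by the model, matching the text: every upstream version stays visible.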

Learn more about common package scenarios where you need to allow externally sourced package versions along with a few other scenarios where no blockage to the public packages is needed and how to configure the upstream behavior.

Organizations that wish to opt out of this additional protective behavior can disable a newly added organization-wide security policy. To do this,

  1. Go to organization settings
  2. Click on policies under the security section
  3. In the security policies section, toggle off ‘Additional protections when using public package registries’

Other Resources

Learn more about protecting private package feeds: Ways to Mitigate Risk Using Private Package Feeds
