Dependency confusion and Nuget proxying #36768
Replies: 4 comments
-
We are also aware of this issue and would like to know the road map plan to configure and support public proxying behind the private registry. We currently use a different tool and can configure multiple upstream proxy feeds. If the requested package isn't currently in the private registry, it reaches out to the proxy feeds, finds the public package and caches it on the local server.
-
Thank you for asking a good question @simonjduff, I'm glad you found our community 🙂
-
Hi, is there any update? We would like to migrate to GitHub Packages with our nugets but inability of GH packages to configure nuget upstream like in Azure DevOps is blocker.
-
This is a good topic. I'd like to use a Nuget proxy feature in github packages as Nexus has natively.
-
Using multiple nuget repositories can create an attack vector. A malicious actor creating a package with the same name in the public repository as a private package you have might be downloaded rather than your intended private package.
Microsoft has published a whitepaper on the topic.
The recommended solution for nuget is to use a single repository feed, which proxies the public nuget feed. This would mean that private packages would be selected first. I don't see any way to configure such upstream proxying for nuget in GitHub.
I did find a blog post from GitHub from 2019 which talks about this problem, and a solution for npm, though not for nuget.
Is anyone aware of a solution to this problem? Or is this a known flaw with GitHub packages and I should look to other providers?
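As an added illustration that is not part of the thread: the first nuget.config below is the risky multi-source layout the post warns about, and the second pins every package id under a private prefix to the private feed with NuGet's package source mapping (NuGet 6 and later), which removes the ambiguity without needing upstream proxying. The `OWNER` segment of the feed URL and the `Contoso.Internal.*` prefix are placeholders.

```xml
<!-- nuget.config, risky layout: two independent sources and no mapping.
     A public package published under the same id as a private one can
     win resolution, which is the dependency confusion case above. -->
<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="private" value="https://nuget.pkg.github.com/OWNER/index.json" />
  </packageSources>
</configuration>

<!-- nuget.config, hardened layout: package source mapping restricts each
     source to the ids it is allowed to serve. The longest matching prefix
     wins, so Contoso.Internal.* can only ever come from the private feed,
     and everything else is fetched only from nuget.org. -->
<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="private" value="https://nuget.pkg.github.com/OWNER/index.json" />
  </packageSources>
  <packageSourceMapping>
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
    <packageSource key="private">
      <package pattern="Contoso.Internal.*" />
    </packageSource>
  </packageSourceMapping>
</configuration>
```

With the mapping in place, a restore that needs `Contoso.Internal.Foo` fails rather than falling back to nuget.org if the private feed does not have it, which is the behaviour you want.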