Skip to main content

Azure Pipelines and NuGet Package Source Mapping–Not best friends (yet)

I think everyone has encountered the frustrating scenario where your .NET solution builds perfectly on your local machine but mysteriously fails in Azure Pipelines. Most of the time there is a mistake you made that is easy to fix but sometimes it is the build tooling itself that causes the problem. And that is unfortunately exactly the case when using NuGet Package Source mapping in Azure Pipelines.

What is Package Source Mapping?

Package Source Mapping in NuGet, introduced in version 6.0, is a security-enhancing feature that allows developers to explicitly define which package sources should be used for specific packages in a project. Traditionally, NuGet would scan all configured sources—public or private—to find and restore packages, which could pose risks by inadvertently pulling packages from untrusted locations.

With Package Source Mapping, developers can centralize and control package restoration by specifying patterns that map packages to designated sources in the nuget.config file. Here is an example:

This ensures that, for example, internal packages are only retrieved from private feeds, while public packages come from trusted sources like nuget.org, thereby strengthening the software supply chain.

The problem: The magic feed prefix

We discovered the problem when we noticed that the dotnet restore build task was ignoring the package sources configured in our nuget.config file.

error NU1100: Unable to resolve 'MyPackage 1.0.0' for 'net90'. PackageSourceMapping is enabled, the following source(s) were not considered: feed-mycompany.be, nuget.org.

When drilling deeper into the build logs we discovered that Azure Pipelines will not use the available nuget.config file but uses a copy where it first applied some changes. And it were these changes that caused the problem.

The core issue lies in how Azure Pipelines handles NuGet feed names when using package source mappings. When you define a feed in your nuget.config file, Azure Pipelines automatically adds a feed- prefix to your feed names, breaking the mapping between your package sources and their corresponding package patterns.

Here is our original nuget.config:

And here is the copy that Azure Pipelines created:

Notice how the feed name became feed-company.be in the package sources section, but the package source mapping still references company.be. This mismatch causes NuGet to ignore your private feed entirely, leading to package resolution failures.

Why this happens?

This behavior stems from how Azure Pipelines processes NuGet configurations internally. The pipeline tasks modify your nuget.config file during execution, adding prefixes to feed names to avoid conflicts. However, they don't update the package source mapping section to match these renamed feeds.

The issue has been documented in several GitHub issues:

The workaround: Embrace the ‘feed’ prefix

Since Microsoft hasn't fixed this issue, you'll need to work around it by anticipating the feed prefix in your configuration.

As a workaround I updated my nuget.config to include a package source mapping containing the feed- prefix:

More information

NuGet - Package Source Mappings

[BUG]: dotnet restore with source mapping and private feed does not work · Issue #20910 · microsoft/azure-pipelines-tasks

.net - Dotnet Restore Fails "PackageSourceMapping is enabled, the following source(s) were not considered:" On Build Agent - Stack Overflow

Labels:

Popular posts from this blog

Kubernetes–Limit your environmental impact

Reducing the carbon footprint and CO2 emission of our (cloud) workloads, is a responsibility of all of us. If you are running a Kubernetes cluster, have a look at Kube-Green . kube-green is a simple Kubernetes operator that automatically shuts down (some of) your pods when you don't need them. A single pod produces about 11 Kg CO2eq per year( here the calculation). Reason enough to give it a try! Installing kube-green in your cluster The easiest way to install the operator in your cluster is through kubectl. We first need to install a cert-manager: kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.yaml Remark: Wait a minute before you continue as it can take some time before the cert-manager is up & running inside your cluster. Now we can install the kube-green operator: kubectl apply -f https://github.com/kube-green/kube-green/releases/latest/download/kube-green.yaml Now in the namespace where we want t...
Read more

Azure DevOps/ GitHub emoji

I’m really bad at remembering emoji’s. So here is cheat sheet with all emoji’s that can be used in tools that support the github emoji markdown markup: All credits go to rcaviers who created this list.
Read more

DevToys–A swiss army knife for developers

As a developer there are a lot of small tasks you need to do as part of your coding, debugging and testing activities.  DevToys is an offline windows app that tries to help you with these tasks. Instead of using different websites you get a fully offline experience offering help for a large list of tasks. Many tools are available. Here is the current list: Converters JSON <> YAML Timestamp Number Base Cron Parser Encoders / Decoders HTML URL Base64 Text & Image GZip JWT Decoder Formatters JSON SQL XML Generators Hash (MD5, SHA1, SHA256, SHA512) UUID 1 and 4 Lorem Ipsum Checksum Text Escape / Unescape Inspector & Case Converter Regex Tester Text Comparer XML Validator Markdown Preview Graphic Col...
Read more