Skip to main content

Azure Pipelines and NuGet Package Source Mapping–Not best friends (yet)

I think everyone has encountered the frustrating scenario where your .NET solution builds perfectly on your local machine but mysteriously fails in Azure Pipelines. Most of the time there is a mistake you made that is easy to fix but sometimes it is the build tooling itself that causes the problem. And that is unfortunately exactly the case when using NuGet Package Source mapping in Azure Pipelines.

What is Package Source Mapping?

Package Source Mapping in NuGet, introduced in version 6.0, is a security-enhancing feature that allows developers to explicitly define which package sources should be used for specific packages in a project. Traditionally, NuGet would scan all configured sources—public or private—to find and restore packages, which could pose risks by inadvertently pulling packages from untrusted locations.

With Package Source Mapping, developers can centralize and control package restoration by specifying patterns that map packages to designated sources in the nuget.config file. Here is an example:

This ensures that, for example, internal packages are only retrieved from private feeds, while public packages come from trusted sources like nuget.org, thereby strengthening the software supply chain.

The problem: The magic feed prefix

We discovered the problem when we noticed that the dotnet restore build task was ignoring the package sources configured in our nuget.config file.

error NU1100: Unable to resolve 'MyPackage 1.0.0' for 'net90'. PackageSourceMapping is enabled, the following source(s) were not considered: feed-mycompany.be, nuget.org.

When drilling deeper into the build logs we discovered that Azure Pipelines will not use the available nuget.config file but uses a copy where it first applied some changes. And it were these changes that caused the problem.

The core issue lies in how Azure Pipelines handles NuGet feed names when using package source mappings. When you define a feed in your nuget.config file, Azure Pipelines automatically adds a feed- prefix to your feed names, breaking the mapping between your package sources and their corresponding package patterns.

Here is our original nuget.config:

And here is the copy that Azure Pipelines created:

Notice how the feed name became feed-company.be in the package sources section, but the package source mapping still references company.be. This mismatch causes NuGet to ignore your private feed entirely, leading to package resolution failures.

Why this happens?

This behavior stems from how Azure Pipelines processes NuGet configurations internally. The pipeline tasks modify your nuget.config file during execution, adding prefixes to feed names to avoid conflicts. However, they don't update the package source mapping section to match these renamed feeds.

The issue has been documented in several GitHub issues:

The workaround: Embrace the ‘feed’ prefix

Since Microsoft hasn't fixed this issue, you'll need to work around it by anticipating the feed prefix in your configuration.

As a workaround I updated my nuget.config to include a package source mapping containing the feed- prefix:

More information

NuGet - Package Source Mappings

[BUG]: dotnet restore with source mapping and private feed does not work · Issue #20910 · microsoft/azure-pipelines-tasks

.net - Dotnet Restore Fails "PackageSourceMapping is enabled, the following source(s) were not considered:" On Build Agent - Stack Overflow

Labels:

Popular posts from this blog

Azure DevOps/ GitHub emoji

I’m really bad at remembering emoji’s. So here is cheat sheet with all emoji’s that can be used in tools that support the github emoji markdown markup: All credits go to rcaviers who created this list.
Read more

Kubernetes–Limit your environmental impact

Reducing the carbon footprint and CO2 emission of our (cloud) workloads, is a responsibility of all of us. If you are running a Kubernetes cluster, have a look at Kube-Green . kube-green is a simple Kubernetes operator that automatically shuts down (some of) your pods when you don't need them. A single pod produces about 11 Kg CO2eq per year( here the calculation). Reason enough to give it a try! Installing kube-green in your cluster The easiest way to install the operator in your cluster is through kubectl. We first need to install a cert-manager: kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.yaml Remark: Wait a minute before you continue as it can take some time before the cert-manager is up & running inside your cluster. Now we can install the kube-green operator: kubectl apply -f https://github.com/kube-green/kube-green/releases/latest/download/kube-green.yaml Now in the namespace where we want t...
Read more

Podman– Command execution failed with exit code 125

After updating WSL on one of the developer machines, Podman failed to work. When we took a look through Podman Desktop, we noticed that Podman had stopped running and returned the following error message: Error: Command execution failed with exit code 125 Here are the steps we tried to fix the issue: We started by running podman info to get some extra details on what could be wrong: >podman info OS: windows/amd64 provider: wsl version: 5.3.1 Cannot connect to Podman. Please verify your connection to the Linux system using `podman system connection list`, or try `podman machine init` and `podman machine start` to manage a new Linux VM Error: unable to connect to Podman socket: failed to connect: dial tcp 127.0.0.1:2655: connectex: No connection could be made because the target machine actively refused it. That makes sense as the podman VM was not running. Let’s check the VM: >podman machine list NAME         ...
Read more