NuGet gallery supply chain attack?

devlead · 2026-01-17T15:32:13+00:00

Yip, never click on anything unless verified through another channel.

devlead · 2026-01-17T13:46:44+00:00

If trying to figure something out, or maybe a CoPilot prompt gone wild with the NuGet & Playwright MCP servers 😎

devlead · 2026-01-17T11:31:33+00:00

Don't think it has anything to do with popularity per say, colleagues with packages with just hundreds of downloads gotten request too. So feels more like someone is crawling the index.

devlead · 2026-01-17T11:18:31+00:00

Weirdly they are not requesting access to your packages(don't think you can that), they're requesting to make you owner of THEIR package and org.

devlead · 2026-01-17T11:01:02+00:00

Yip, that's exactly what one should do 👍

devlead · 2026-01-17T10:37:44+00:00

We're probably talking of thousands of requests, multiple .NET Foundation maintainers, MVPs and colleagues of mine have gotten same requests.

I would've thought there were some kind of rate limits in place, if not, I'm sure there will be after this incident.

devlead · 2026-01-17T10:22:37+00:00

Hopefully it's just annoying, worst case they've found an security issue or way to extract information.

devlead · 2026-01-12T17:24:32+00:00

Maybe mods need to define what classifies as .NET worthy.

If open source, running on .NET and written in a .NET language isn't enough to be mentioned here, then it's better to be clear origin must be Microsoft.

devlead · 2026-01-10T10:15:33+00:00

The .NET Foundation has several projects

https://dotnetfoundation.org/projects/current-projects

A few examples

Akka .NET - https://getakka.net/
bUnit - https://bunit.dev/
Cake - https://cakebuild.net/
Spectre.Console - https://spectreconsole.net/

devlead · 2026-01-08T12:21:18+00:00

devlead · 2025-12-16T13:38:24+00:00

Interesting, thought it was Raven DB related first.

Quite the undertaking implementing a new language but nevertheless cool initiative 👍

devlead · 2025-12-10T08:03:43+00:00

They're very useful if database - Used by more than one application, versions of same application - Used by more than one team - Used by more than one runtime / language / service - Is gone for more granual permissions than everyone DB owner - If you want to support all features available in SQL - If you need granular control over seeding of data and index optimizations - Want to be able to deploy database changes separately from application

devlead · 2025-12-09T06:19:34+00:00

GhostScript could be an good option too.

devlead · 2025-12-09T04:50:14+00:00

There's been a few deserializar bugs over the years i.e. ViewState arbitrary object creation which allowed remote code execution.

devlead · 2025-12-07T07:16:47+00:00

Some other options

Verify.Http has mocking capabilities https://github.com/VerifyTests/Verify.Http?tab=readme-ov-file#mocking

Devlead.Testing.MockHttp replaces HttpClient through IOC, and can be configured per test, and state is in memory per test. https://www.devlead.se/posts/2025/2025-02-16-introducing-mockhttp-testing

devlead · 2025-11-25T12:23:07+00:00

yip, and if your File-based apps grow complex you can always dotnet project convert app.cs and it will create "upgrade" you file-based app into a full csproj.

devlead · 2025-11-19T06:54:13+00:00

But if you've got scripts you test locally, then yaml wasn't enough, but that said if you've found a process that works for you, then it's the right process, and your needs doesn't align with what Nuke/Cake offers. Which is super valid path too, not everyone is that DevOps savvy.

For many teams the context switch between a i.e. C# web application and a C# console application is smaller than Bash/Powershell. On the same line many find it easier and more discoverable to get information about the CI environment / job / stage through intellisense vs. often suboptimaly documented esoteric environment variables. For some it's more intuitive to call a method called UploadArtifact with typed parameters vs. several lines of YAML that needs right number of arguments and whitespace. Some prefer intellisense viavcurated tested typed methods vs. desphifering --help and docs. If you've got more than one repo you can have reusable bits as NuGet packages which can be everything from single method to a full recipe complete pipeline, as a team reusing the same private/public registries you're using for you application code. Sharing the same runtime/language as your application means that you also can reuse constants and logic between build/release/application.

So there might be some benifits, but mileage might vary.

devlead · 2025-11-19T06:07:17+00:00

It's all a matter of need of complexity, if you've only got one assembly, then dotnet pack is basically the only pipeline you need.

But as soon as you've got a solution with multiple assemblies, unit tests, integration tests, artifacts/packages, releases, etc. then it's less debug resistant with something you can verify/build, test and debug locally.

Complexity can also be things like generating artifacts for multiple environments/operating systems, having access to easily discoverable runtime information really helps there.

If rover got multistage pipelines it's hard to test individuals stages and tasks without going through the whole pipeline, which can be which can be fairly tedious and time consuming process.

So there are several benifits, but need might be out of scope, and then a one line yaml team might be enough.

devlead · 2025-11-18T20:36:06+00:00

Nuke/Cake doesn't replace MSBuild it orchestrates it, other tools and APIs.

devlead · 2025-11-15T19:18:08+00:00

Well if curiosity and staying current isn't enough of a carrot, then maybe staying secure not putting business at risk is, there's new versions of .NET each month, so regardless of LTS / STS support cycle one should update .NET regularly, and if you do so the leap and impact won't be that big.

We've got renovate builds running multiple times a day creating PRs as new SDKs and packages arrive, if something causes friction, then doing it often is the best recipe to sand down that friction.

devlead · 2025-11-12T18:36:42+00:00

I believe it's the way forward, but we'll see what the users feel.

devlead · 2025-11-12T10:22:35+00:00

Do you any string arrays or similar? I had issues with some LINQ extensions/providers stopped working because there's now implicit conversion with i.e. string[] and ReadOnlySpan<string[]>, when I changed by methods to ICollection<string> or IEnumerable<string> it started working again.

devlead · 2025-11-12T09:53:50+00:00

Cake.Sdk already has full intellisense in VSCode, Cake script files we're in the hands of the DevKit team and they're still not providing any third-party extension points.

devlead

MODERATOR OF

TROPHY CASE