Mark package as deprecated or vulnerable on local source

[OskarKlintrot]

I want to mark a package as deprecated and another as vulnerable for testing purposes. Is this possible when using a local source or is this only a feature on nuget.org?

[PathogenDavid]

I don't believe you can do this with a local source.

The NuGet.org test environment is great for testing stuff like this. Anything you do on it will not be reflected on the real NuGet.org. The API url is https://apiint.nugettest.org/v3/index.json

It's also worth pointing out that the integration environment isn't always up-to-date with respect to the real NuGet.org, so you might not want to test packages with dependencies. (EG: Newtonsoft.Json is only at version 7.0.1-beta3 whereas the real latest is 13.0.1.)

[OskarKlintrot]

NuGet.Client only supports deprecation and vulnerability on HTTP feeds (in fact, possibly only on NuGet's V3 protocol, not the V2 protocol). So, no, it's not supported on local feeds. But it's also not technically limited to nuget.org. Any NuGet V3 HTTP server can theoretically implement it. But I don't test different server implementations, so I don't know which, if any, support it.

Ok, good to know! I think you might be able to deprecate packages on Azure Artifacts. I don't think you can mark packages as vulnerable though.

[PathogenDavid]

Do you mean I can upload and deprecate a package there? Feels a bit sketchy relaying on someone else's test env...

Yes. The NuGet team has explicitly advertised using nugettest for this purpose.

[OskarKlintrot]

Unfortunately, the docs also say:

Note that packages uploaded to int.nugettest.org may not be preserved.

It sounds more like a place to test your packages and not to be used for integration testing (which is what I want and probably should have mentioned earlier). It sounds like the best option is to use it just to see what the response looks like and then mock the requests instead. I poked around on Azure Artifacts but I could not find a way to deprecate and/or mark a package as vulnerable so that didn't work out.

[PathogenDavid]

Ah yeah, that wouldn't be ideal for your situation then. It sounds like you're making your own NuGet API client? Honestly I don't think anyone would fault you for uploading a dummy package or two to NuGet.org just for your tests.

[OskarKlintrot]

Yep, I'm writing a little tool to replace Nukeeper (that has been deprecated and started to crash on our Azure DevOps agents); https://github.com/OskarKlintrot/UpdatR. I created new feeds on Azure DevOps only to find out that you can't deprecate packages there... I found a deprecated package on nuget.org that most likely will never get new versions and another package with a vulnerable version that I now use in my e2e tests. I would have preferred to manage the packages myself on my own feed but it works just fine :)