Home: No Way to Control Order of Sources with nuget sources

This is by design, sources are unordered and they are searched by order of the quickest response rather than by order of how they show up in file.

Does that also apply to NuGet 2.x and older versions of Visual Studio (2010 - 2013)?

Why does Visual Studio show up and down arrows, allowing users to reorder the list of sources?

(I currently have a Word document to help developers in my group setup their systems for development, and I already have instructions to move a source to the top using the GUI, and I'm converting a lot of those system setup steps into a PowerShell script.)

I also faced a similar issue with the source sequence. I have a local repository and an internal feed to host my own packages. When building, projects will be packaged and dump to the local repository so that sub sequence reference will refer to the local repository. When I finished build, the packages from the local repository will be uploaded to the internal feed.

Now, my problem is, I set the local repository to be before the internal feed, thinking that it should always try to get from local repository before moving to internal feed. However, it doesn't seems to be so as I always encounter problem on either cannot find new packages, or it's using the older packages version from the internal feed which was build previously.

Even if you says that it'll choose the fastest response, I still don't think it makes sense. The local repository should be faster than internal feed server, but the actual runs says otherwise.

Are you versioning the packages on your builds or keeping the same version? If it's the latter that could be the cause of the issue

Yes, you're right. What we're doing is something as follow:

• We develop using version 1.0

• In build, we change the version to the actual version.

• Build, package, and then for the projects that requires those packages, we use Nuget Update to update them to the actual version.

But I actually wonder, why it didn't get it from local folder but instead take it from the internal feed? Any way for us to trace how nuget choose from which source?

This would be quite handy also to evaluate temporary fixes to packages. I.e. if a package likely contains (or triggers) a bug, then it's useful to be able to make a change to that package, and see if that change really fixes downstream dependencies you care about, and then repeat that process a few times until you settle on the most appropriate fix (which you then can publish as usual).

@yishaigalatzer
I think this is a good design but looking for more clarity on this issue...
Is package source search order by quickest response specific to nuget.exe client? Otherwise why does Visual Studio NuGet Package Manager Settings allow you to order the available package sources? There is also contradictory documentation on docs.microsoft.com (see step 4):
https://docs.microsoft.com/en-us/nuget/consume-packages/package-restore#build-time-restore-in-visual-studio

I would also like an answer to the questions @zachweg raised. Why is the documentation conflicting? What is the _actual_ behavior? If order _doesn't_ matter, why does Visual Studio allow it to be changed? If order _does_ matter, how do I control the order when multiple sources are added from different nuget.config files?

Please allow for order, I rely on order.

I agree that we should have control over the order. I'm also not convinced that it even goes by fastest response as that hasn't been my experience, but in any case, as others have pointed out, some people want to be able to specify a preferred source. There could be an option to enable or disable the "poll for fastest source" feature, and it could be enabled by default but something we can control.

It doesn't use the fastest. I have a local repo setup on my disk which it doesn't attempt to use

I need the ability to order/prioritize sources, please add.

I have a VERY valid use case for needing this, Azure DevOps private feed has a feature called "upstream sources" that is almost useless if we cannot guarantee order.

We have our private feed with upstream to nuget.org, but because searches are not upstreamed we also have to add nuget.org directly to nuget.config, so that developers can find new packages from Nuget Manager in Visual Studio. Since we can not force order, upstream sources sometimes work and sometimes not, we would like to force all already-downloaded packages to go to our private feed and only first-timers going to nuget.org. Without forced order we have this broken functionality when upstream source is sometimes used and sometimes not, also having statistic on number of download requests from private feed useless.

Likewise, I would much rather have the order be deterministic rather than the whim of internet latency (or otherwise randomly). This will be particularly important as packages migrate to Github from Nuget.org, where it will be necessary to check the "normative" source first and the "legacy source" as fallback.

It's clear that internet latency has nothing to do with it, or my local drive would win every time (which it doesn't).

It also seems clear that nuget.org doesn't mind all of the requests for private packages and corresponding IP addresses leaking into their server logs, or they'd likely have had motivation to get this breaking change fixed long ago.

Somebody mentioned that they couldn't find the comment I referred to in #7398 - "@AceHack - see my comments about different techniques that one can control order in my comment from today on #3676"

When looking for a package, a NuGet search in the following order:
1) in the global package folder
2) in fallback folders configured
3) in file: feeds configured in nuget.config files
4) in http: feeds configured in nuget.config files

Would love to understand people's motivation for desiring ordering.

We strongly believe you should not have different content in the same identity package (Foo.Bar.1.2.3.nupkg found on any feed should be identical)

Somebody mentioned that they couldn't find the comment I referred to in #7398 - "@AceHack - see my comments about different techniques that one can control order in my comment from today
We strongly believe you should not have different content in the same identity package (Foo.Bar.1.2.3.nupkg found on any feed should be identical)

And we strongly agree with that, but it isn't the problem. I have existing packages on Nuget.org but for current and future development I want to publish to GitHub package hosting since it supports event hooks and other niceties. So, all my consumer will need both feeds since new versions of my packages will be on Github but old version and other necessary packages will be on Nuget.org. With that setup, particularly when preview packages are involved, things get random -- they neither consistently work or fail. That's just nuts.

I find this strange I have been using VS for years, I haven't had to make NuGet Packages for a while but when I did I was able to order the Package sources in order of importance. I believe I used VS 2012 at the time. I am trying to do that now and noticed this issue

Is there any work around to control the order of nuget package sources ?

@rrelyea I see where you're coming from; ordinarily a package should be the same on each feed so, by that logic, the order is unimportant. However, here's a concrete example of what I'm trying to achieve to see why I think it's important that the package sources _should_ be searched in the order they are specified (or some other way of controlling the search order).

As part of my build I create a (relatively complicated) package and then have an integration test to use that package on a test project. Since I want it to use the version that I just created, I specify the RestoreSources to include the directory where the package I just built is (it's the only thing in that folder). However, because it's a dotnet core project, it also needs Microsoft.AspNetCore.App.Ref, so I must use the nuget.org feed too. However, the nuget feed always gets searched for before my local directory, meaning the integration test isn't actually testing the package I just built but the one on nuget.org.

I don't think this is a unique requirement to be able to test your locally generated package, CoreRT does the same thing so any help to achieve this would be appreciated.

Can we at least get this issue open again please? Thanks.

Order is also important when you’d like to mix private and public feeds and not leak private package requests to public servers. Of course, entities running public feeds don’t necessarily mind sucking up all of that private request data, and may not be motivated to restore deterministic feed order.

My use case is identical to Longsarg (from Dec 14, 2019 above). I admit this is not necessarily NuGet's problem to solve, but Azure Artifacts has the ability to have upstream sources in an Azure Artifact feed. It however does not index the upstream feed therefore I am unable to search for nuget.org packages from the Visual Studio package manager UI when I only have the Azure Artifacts feed defined in the package sources. I am only able to find a nuget.org package when I also have the public nuget feed configured in the VS package sources. If I am able to find the package, I could theoretically pull it from the Azure Artifact feed because I have upstream sources configured in the Azure Artifact feed. And if I can pull them through the Azure Artifact feed, the pacakge will be saved locally in the Azure Artifact feed which is what I'm looking for.

I could get around the Azure Artifact limitation if I could configure both my Azure Artifact feed and the public nuget.org feed in the Visual Studio package manager sources and have the Azure Artifact feed be the primary download feed. Essentially, I'd use the nuget.org feed for searching and the Azure Artifact feed for pulling and storing the packages.

I don't know if that makes it any clearer. And even though this isn't exactly a NuGet issue, I think it would be a useful feature to have. Thanks!

We have local artifactory in the office which is a preferred source, but we can't remove nuget official repo since new packages can only be found there.

@Belorus I'm hoping this story will improve with #10214 / #6867 when you can restrict the feed that should be searched for each package. That way you can whitelist the packages you know to always go on your company's feed.

In the meantime, as a workaround, you might want to consider using Nexus repository as your main feed, and put it in front of your office artifactory feed and nuget.org.

Nexus has a concept of proxy repository where it can get a package from nuget.org automatically if it doesn't exist in its cache, and it also has the concept of repository groups, which can aggregate multiple nuget feeds and make them look like a single feed. So that way you can point Visual Studio to a single feed (your company's Nexus instance) and let it do its magic for you.

@samcragg

I think you are looking for https://github.com/NuGet/Home/issues/6579.
Your problem wouldn't be addressed easily by source priority because the global packages folder is not a cache, so never refreshed. Meaning if you make edits for the package, you'd need to delete the global packages folder. At that point, you're better off using a in development package version, that won't clash with the publicly available ones.

Thanks for the link to that issue @nkolev92 - looks like I'm not the only one who wants to test their packages locally before publishing them 🙂

I'm not actually concerned about the global cache, as for my integration tests I specify the folder to restore the packages to, so I ensure the folder is nuked before running any of the integration tests:

dotnet restore -v:q --no-cache --packages "path/to/temporary/test/directory"

I've manually checked and can confirm that the package isn't in my local NuGet cache when running the above.

The problem I have is I specify the RestoreSources in the csproj file but the order is ignored, meaning it always searches NuGet before my local directory. To be honest, I'd be happy if there was an option to search them all and use the latest version it finds, but that doesn't seem to be the behaviour (I still don't understand why a search on NuGet is prefered over a local folder - from a performance perspective this makes no sense).

Hope that clarifys a little why I think the order is so important - it's the one thing blocking me at the moment.

NuGet checks local feeds prior to checking online feeds. Pretty confident about that :) If you have a minimal repro, we'd love to get another issue about that.

See: https://docs.microsoft.com/en-us/nuget/concepts/package-installation-process