Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.1.1.1. Azure Artifacts Feeds and Upstream Sources


Azure Artifacts provides universal package management within Azure DevOps — supporting NuGet, npm, Maven, Python, and universal packages in a single feed. Upstream sources allow a feed to proxy public registries (npmjs.org, nuget.org), caching packages locally for availability and security. Once cached, packages serve from your feed even if the public registry goes down. GitHub Packages offers similar functionality integrated directly with GitHub repositories, using repository permissions for access control. The critical security concern is dependency confusion: an attacker publishes a higher-version package with the same name as your internal package on a public registry. The package manager prefers the higher version, pulling malicious code. Prevention: scope internal packages (@company/auth), configure upstream allow-lists, and use Azure Artifacts' built-in protection mechanisms.

Azure Artifacts feed design follows a hub-and-spoke model. Organization-scoped feeds serve packages to all projects; project-scoped feeds restrict visibility. Upstream sources chain feeds together: a team feed proxies the organization feed, which proxies public registries. This creates a caching hierarchy that improves both performance and security.

Feed permissions control who can publish: Readers consume packages, Collaborators save packages from upstream sources, Contributors publish new packages. For production package feeds, restrict publishing to CI pipelines only — never allow developer workstations to publish directly, as this bypasses quality gates.

GitHub Packages uses repository permissions for access control and supports npm, Maven, NuGet, Docker, and RubyGems. Packages are namespaced to the organization or user, reducing naming collisions. The GitHub Actions setup-* actions automatically configure authentication to GitHub Packages, making CI publishing seamless. For organizations using both Azure DevOps and GitHub, Azure Artifacts can serve as the centralized feed with GitHub Packages as a publishing target for open-source projects.

Feed retention policies prevent unlimited package growth. Configure maximum package versions to retain — keeping the latest 10 versions of each package while automatically cleaning older versions. Packages promoted to @Release view are exempt from retention, ensuring production-referenced packages are never deleted.

NuGet, npm, and Maven each have different resolution behaviors for version ranges. Understanding these is critical for security: npm's ^1.0.0 accepts any 1.x.x version, meaning a compromised 1.99.0 would be installed automatically. Lockfiles (package-lock.json, packages.lock.json) pin exact versions, preventing automatic resolution to compromised versions.
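As an added example (not from the original page and not Azure Artifacts' own tooling), the following Python audit checks an npm project's package.json, .npmrc and package-lock.json for the exposures described in the dependency-confusion paragraph and the version-range paragraph above: internal packages published without a scope, scopes that .npmrc does not route to the internal feed, ranges that the lockfile does not pin, and internal packages that the lockfile resolves from the public registry. The feed URL, package names, the set of known internal names and all three file contents are constructed sample values.

```python
import json
import re

# Constructed sample inputs, not taken from the original page: a package.json,
# an .npmrc and a package-lock.json as they might sit in one repository root.
PACKAGE_JSON = json.dumps({"dependencies": {
    "@company/auth": "^1.0.0", "company-logger": "^2.1.0", "left-pad": "1.3.0"}})
NPMRC = "@company:registry=https://pkgs.dev.azure.com/org/_packaging/feed/npm/registry/\n"
PACKAGE_LOCK = json.dumps({"packages": {
    "node_modules/@company/auth": {"version": "1.0.4", "resolved":
        "https://pkgs.dev.azure.com/org/_packaging/feed/npm/registry/@company/auth/-/auth-1.0.4.tgz"},
    "node_modules/company-logger": {"version": "2.99.0", "resolved":
        "https://registry.npmjs.org/company-logger/-/company-logger-2.99.0.tgz"},
    "node_modules/left-pad": {"version": "1.3.0", "resolved":
        "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"}}})
INTERNAL_FEED = "https://pkgs.dev.azure.com/"   # assumed: host of the organization's feed
INTERNAL_NAMES = {"company-logger"}             # assumed: an internal package published unscoped

def caret_accepts(range_spec, version):
    """Semver caret rule: ^X.Y.Z accepts any same-major version >= X.Y.Z when X > 0."""
    base = tuple(int(p) for p in range_spec.lstrip("^").split("."))
    cand = tuple(int(p) for p in version.split("."))
    if base[0] > 0:
        return cand[0] == base[0] and cand >= base
    if base[1] > 0:                     # ^0.Y.Z only lets the patch component float
        return cand[:2] == base[:2] and cand >= base
    return cand == base                 # ^0.0.Z is effectively an exact pin

def audit(package_json=PACKAGE_JSON, npmrc=NPMRC, package_lock=PACKAGE_LOCK):
    """Return (package, problem) pairs that indicate dependency-confusion exposure."""
    deps = json.loads(package_json)["dependencies"]
    lock = json.loads(package_lock)["packages"]
    scoped_registries = dict(re.findall(r"^(@[^:]+):registry=(\S+)", npmrc, re.M))
    findings = []
    for name, rng in deps.items():
        scope = name.split("/")[0] if name.startswith("@") else None
        entry = lock.get(f"node_modules/{name}")
        if name in INTERNAL_NAMES and scope is None:
            findings.append((name, "internal package is unscoped; a public package of the same name can shadow it"))
        if scope and scope not in scoped_registries:
            findings.append((name, f"scope {scope} is not mapped to the internal feed in .npmrc"))
        if entry is None:
            findings.append((name, f"range {rng} is not pinned by the lockfile and would float"))
        elif (scope or name in INTERNAL_NAMES) and not entry["resolved"].startswith(INTERNAL_FEED):
            findings.append((name, f"lockfile resolves it from the public registry: {entry['resolved']}"))
    return findings

if __name__ == "__main__":
    for pkg, problem in audit():
        print(f"{pkg}: {problem}")
```

Run against the sample files, only company-logger is reported: once for being unscoped and once because the lockfile pins a public-registry copy, while the scoped @company/auth and the genuinely public left-pad pass.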

Feed permissions follow a tiered model: Readers can consume packages, Contributors can publish, and Owners can manage feed settings and upstream sources. For multi-team organizations, create project-scoped feeds for team packages and organization-scoped feeds for shared libraries. Package retention policies prevent feeds from growing unbounded — configure maximum versions per package and automatic cleanup of pre-release versions older than 30 days. Universal packages extend Azure Artifacts beyond language-specific registries, supporting arbitrary files (Terraform modules, ML models, build tools) with the same versioning and permission model. NuGet, npm, Maven, and Python feeds each have specific authentication patterns — credential providers for NuGet, .npmrc for npm, settings.xml for Maven — all configured through Azure Artifacts connection instructions.

Package versioning discipline prevents the 'works on my machine' problem at the dependency level. Pre-release versions (1.2.0-beta.1) enable early testing without polluting the stable feed. Azure Artifacts supports pre-release semantics natively, filtering them from default feed views unless explicitly requested. Retention policies should preserve at least 3 stable versions of each package while aggressively pruning pre-release versions older than 14 days. Feed auditing logs every publish, consume, and delete operation — essential for tracing a dependency regression to a specific package version change.

Azure Artifacts supports feed-level retention policies that automatically clean up old package versions. Configure minimum versions to keep (typically 3-5) and maximum age for pre-release packages. Organization-wide feed policies enforce consistent retention across all team feeds, preventing individual feeds from consuming excessive storage. Feed analytics show consumption patterns — which packages are actively consumed and which are candidates for deprecation.

Written by Alvin Varughese
Founder, 15 professional certifications