From 1829394a0a0b73d6d6c71eb93d4b9e4745a7f8c3 Mon Sep 17 00:00:00 2001 From: Andy Zivkovic Date: Thu, 23 Apr 2026 07:48:37 +0930 Subject: [PATCH 1/2] Add info about data.nuget.org --- docs/api/implementation-guide.md | 4 ++++ docs/concepts/Auditing-Packages.md | 10 +++++++++- docs/concepts/Security-Best-Practices.md | 4 ++++ docs/nuget-org/overview-nuget-org.md | 8 ++++++++ docs/reference/errors-and-warnings/NU1905.md | 3 +++ docs/reference/nuget-config-file.md | 5 +++++ 6 files changed, 33 insertions(+), 1 deletion(-) diff --git a/docs/api/implementation-guide.md b/docs/api/implementation-guide.md index 81abfb542..ccc7adda0 100644 --- a/docs/api/implementation-guide.md +++ b/docs/api/implementation-guide.md @@ -112,6 +112,10 @@ NuGet does not require that resources in the [service index](./service-index.md) However, there are several reasons why some companies choose to block nuget.org at the firewall, or have on-prem feeds on a disconnected network. To avoid connectivity issues, we recommend serving vulnerability data from your own web app, so that NuGet clients only make HTTP connections to the host the feed is installed on. +As an alternative to caching or proxying, users can ask their network administrator to allow access to `https://data.nuget.org/v3/index.json` and configure it as an [audit source](../concepts/Auditing-Packages.md#audit-sources). +This endpoint only serves vulnerability data, not packages, so it might be allowed even when `api.nuget.org` is blocked. +When users configure `data.nuget.org` as an audit source, your feed may not need to implement the `VulnerabilityInfo` resource. + ✔️ DO cache or proxy the vulnerability pages in your own web app ❌ DO NOT advertise api.nuget.org in your service index or vulnerability index without a configuration to turn this off. diff --git a/docs/concepts/Auditing-Packages.md b/docs/concepts/Auditing-Packages.md index 72d185b5a..affa2abb0 100644 --- a/docs/concepts/Auditing-Packages.md 
+++ b/docs/concepts/Auditing-Packages.md @@ -62,11 +62,19 @@ Since a common mitigation for package substitution attacks is [to use a single p The data source for nuget.org's vulnerability database is [GitHub Advisory Database](https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anuget). Note that the [V2 protocol is deprecated](../nuget-org/overview-nuget-org.md#api-endpoint-for-nugetorg), so if your nuget.config is still using the V2 endpoint, you must migrate to the V3 endpoint. +nuget.org provides two service index endpoints that can be used as an audit source: + +- `https://api.nuget.org/v3/index.json` — The full nuget.org service index, which includes all NuGet resources (package download, search, vulnerability data, and more). +- `https://data.nuget.org/v3/index.json` — A vulnerability-data-only service index that doesn't include package content or other resources. + +The `data.nuget.org` endpoint is useful for organizations that block access to `api.nuget.org` at the network level. +Because this endpoint only serves vulnerability data and not packages, network administrators who block `api.nuget.org` to prevent package downloads might be willing to allow `data.nuget.org` if asked. + ```xml - + ``` diff --git a/docs/concepts/Security-Best-Practices.md b/docs/concepts/Security-Best-Practices.md index d28f60fb0..dc212c77e 100644 --- a/docs/concepts/Security-Best-Practices.md +++ b/docs/concepts/Security-Best-Practices.md @@ -175,6 +175,10 @@ For example: ``` +> [!TIP] +> If your organization blocks access to `api.nuget.org`, consider asking the network administrator to allow `https://data.nuget.org/v3/index.json` and configure it as an [audit source](Auditing-Packages.md#audit-sources) for [NuGet Audit](Auditing-Packages.md). +> This endpoint only serves vulnerability data, not packages, so it might be allowed even when `api.nuget.org` is blocked. + ### NuGet feeds **📦 Package Consumer** 
diff --git a/docs/nuget-org/overview-nuget-org.md b/docs/nuget-org/overview-nuget-org.md index aa160a850..56a7ef792 100644 --- a/docs/nuget-org/overview-nuget-org.md +++ b/docs/nuget-org/overview-nuget-org.md @@ -50,3 +50,11 @@ To use NuGet.org as a package repository with NuGet clients, you should use the Older clients can still use the V2 protocol to reach NuGet.org. However, please note, NuGet clients 3.0 or later will have slower and less reliable service using the V2 protocol: `https://www.nuget.org/api/v2` (**The V2 protocol is deprecated!**) + +nuget.org also provides a vulnerability-data-only endpoint: + +`https://data.nuget.org/v3/index.json` + +This service index only contains the [`VulnerabilityInfo`](../api/vulnerability-info.md) resource and doesn't serve packages. +It's designed for use as an [audit source](../concepts/Auditing-Packages.md#audit-sources) in environments where access to `api.nuget.org` is blocked at the network level. +Because this endpoint doesn't provide package content, network administrators who block `api.nuget.org` to prevent package downloads might be willing to allow `data.nuget.org` if asked. diff --git a/docs/reference/errors-and-warnings/NU1905.md b/docs/reference/errors-and-warnings/NU1905.md index 9cc76f41d..af03454e9 100644 --- a/docs/reference/errors-and-warnings/NU1905.md +++ b/docs/reference/errors-and-warnings/NU1905.md 
@@ -25,6 +25,9 @@ Any NuGet source implementing [NuGet's V3 server API can provide vulnerability d Any source defined in a NuGet.Config `` element is expected to provide this resource, and this warning is raised when it is not. You can check if your package source administrators have a setting to enable vulnerability data. +If your audit source is nuget.org and access to `api.nuget.org` is blocked on your network, consider asking the network administrator to allow `https://data.nuget.org/v3/index.json` and use it as your audit source instead. +This endpoint only serves vulnerability data, not packages, so it might be allowed even when `api.nuget.org` is blocked. + If you would like to treat this warning as an error, to cause build failures when vulnerability checks could not be performed, you can add `$(WarningAsError);NU1905` to your project file. If you are using `TreatWarningsAsErrors` to cause all warnings to be treated as errors, you can add `$(NoWarn);NU1905` to your project file to suppress this warning message, or `NU1905` to prevent this warning from being treated as an error. diff --git a/docs/reference/nuget-config-file.md b/docs/reference/nuget-config-file.md index 9778073f9..876420ad6 100644 --- a/docs/reference/nuget-config-file.md +++ b/docs/reference/nuget-config-file.md 
@@ -161,6 +161,11 @@ Audit sources support the same attributes as `packageSources` (`protocolVersion` ``` +> [!TIP] +> nuget.org also provides `https://data.nuget.org/v3/index.json`, a service index that only contains vulnerability data and doesn't serve packages. +> Network administrators who block `api.nuget.org` to prevent package downloads might be willing to allow `data.nuget.org` if asked. +> For more information, see [audit sources](../concepts/Auditing-Packages.md#audit-sources). + ### packageSourceCredentials Stores usernames and passwords for sources, typically specified with the `-username` and `-password` switches with `nuget sources`. Passwords are encrypted by default unless the `-storepasswordincleartext` option is also used. From 7ea61f71b227175c43d3e11be4135ea66e1a84cb Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 22 Apr 2026 23:17:24 +0000 Subject: [PATCH 2/2] docs: add data.nuget.org guidance to VS audit sources options Agent-Logs-Url: https://github.com/NuGet/docs.microsoft.com-nuget/sessions/9a8aed72-cad5-45e7-8c7e-3d228c6a871d Co-authored-by: zivkan <5030577+zivkan@users.noreply.github.com> --- docs/consume-packages/nuget-visual-studio-options.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/consume-packages/nuget-visual-studio-options.md b/docs/consume-packages/nuget-visual-studio-options.md index 94e3f445b..2b3f2ef14 100644 --- a/docs/consume-packages/nuget-visual-studio-options.md +++ b/docs/consume-packages/nuget-visual-studio-options.md 
@@ -111,6 +111,10 @@ Audit sources provide vulnerability data during restore without acting as packag If no audit sources are configured, NuGet Audit uses package sources. [Learn more about audit sources](/nuget/reference/nuget-config-file#auditsources) +> [!TIP] +> If your organization blocks access to `api.nuget.org`, ask your network administrator to allow `https://data.nuget.org/v3/index.json`. +> You can then add that endpoint as an audit source to keep NuGet Audit vulnerability checks enabled without allowing package downloads from `api.nuget.org`. + ![Audit Sources section with checkbox "Use separate sources for vulnerability audit"](media/vsoptions/audit-sources-1.png) Configure an audit source by selecting the checkbox, "Use separate sources for vulnerability audit".
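Review bot: in the docs/api/implementation-guide.md hunk, the new paragraph ending "your feed may not need to implement the `VulnerabilityInfo` resource" sits directly above "❌ DO NOT advertise api.nuget.org in your service index or vulnerability index", and that caution should be extended to the new host: a feed that points clients at `data.nuget.org` from its own service index reintroduces exactly the third-party connection the preceding paragraph tells implementers to avoid. Suggest rewording along the lines of "Your feed then does not need to implement the `VulnerabilityInfo` resource, but do not advertise `data.nuget.org` in your own service index; leave that choice to the consumer's audit-source configuration." The hunk also does not say which host the vulnerability pages linked from the `data.nuget.org` index are served from; if they live anywhere other than `data.nuget.org`, an allow-list that covers only that host will still fail, so the paragraph should name every host a client needs to reach.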
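Review bot: in the docs/concepts/Auditing-Packages.md hunk, the `-`/`+` lines inside the ```xml block arrive empty in this view, so the changed `<add>` sample cannot be reviewed here; please confirm the sample still shows `api.nuget.org` as the package source and introduces `data.nuget.org` only under `auditSources`, so the two bullets above it match what readers copy. Separately, the two sentences "only serves vulnerability data, not packages" and "network administrators who block `api.nuget.org` ... might be willing to allow `data.nuget.org` if asked" are repeated almost verbatim in Security-Best-Practices.md, overview-nuget-org.md, NU1905.md, nuget-config-file.md and nuget-visual-studio-options.md. Keep the full explanation in this audit-sources section, which every other hunk already links to, and reduce the others to a one-line pointer so the five copies do not drift.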
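Review bot: in the docs/reference/errors-and-warnings/NU1905.md hunk, the scenario "If your audit source is nuget.org and access to `api.nuget.org` is blocked on your network" does not produce this warning: the surrounding text says NU1905 is raised when a configured source does not provide the `VulnerabilityInfo` resource, whereas a blocked host fails at the connection before the resource is ever checked, and the reader sees a connectivity error instead. The case that actually lands on this page is a reachable package source (typically a private feed) that lacks the resource while `api.nuget.org` is blocked. Suggest rewording to "If your package source does not provide vulnerability data and access to `api.nuget.org` is blocked on your network, ask the network administrator to allow `https://data.nuget.org/v3/index.json` and configure it as an audit source."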