Skip to content

Add info about data.nuget.org #3561

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
zivkan wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Add info about data.nuget.org #3561

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
1829394
Add info about data.nuget.org
zivkan Apr 22, 2026
7ea61f7
docs: add data.nuget.org guidance to VS audit sources options
Copilot Apr 22, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions docs/api/implementation-guide.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -112,6 +112,10 @@ NuGet does not require that resources in the [service index](./service-index.md)
However, there are several reasons why some companies choose to block nuget.org at the firewall, or have on-prem feeds on a disconnected network.
To avoid connectivity issues, we recommend serving vulnerability data from your own web app, so that NuGet clients only make HTTP connections to the host the feed is installed on.

As an alternative to caching or proxying, users can ask their network administrator to allow access to `https://data.nuget.org/v3/index.json` and configure it as an [audit source](../concepts/Auditing-Packages.md#audit-sources).
This endpoint only serves vulnerability data, not packages, so it might be allowed even when `api.nuget.org` is blocked.
When users configure `data.nuget.org` as an audit source, your feed may not need to implement the `VulnerabilityInfo` resource.

✔️ DO cache or proxy the vulnerability pages in your own web app

❌ DO NOT advertise api.nuget.org in your service index or vulnerability index without a configuration to turn this off.
Expand Down
10 changes: 9 additions & 1 deletion docs/concepts/Auditing-Packages.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,11 +62,19 @@ Since a common mitigation for package substitution attacks is [to use a single p
The data source for nuget.org's vulnerability database is [GitHub Advisory Database](https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anuget).
Note that the [V2 protocol is deprecated](../nuget-org/overview-nuget-org.md#api-endpoint-for-nugetorg), so if your nuget.config is still using the V2 endpoint, you must migrate to the V3 endpoint.

nuget.org provides two service index endpoints that can be used as an audit source:

- `https://api.nuget.org/v3/index.json` — The full nuget.org service index, which includes all NuGet resources (package download, search, vulnerability data, and more).
- `https://data.nuget.org/v3/index.json` — A vulnerability-data-only service index that doesn't include package content or other resources.

Comment on lines +67 to +69
Copy link

Copilot AI Apr 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The phrase “doesn't include package content” can be confusing for a service index (which normally only lists resource endpoints). Consider rewording this bullet to explicitly say it doesn't include package download/search (or other non-vulnerability) resources, rather than referring to “package content”.

Copilot uses AI. Check for mistakes.
The `data.nuget.org` endpoint is useful for organizations that block access to `api.nuget.org` at the network level.
Because this endpoint only serves vulnerability data and not packages, network administrators who block `api.nuget.org` to prevent package downloads might be willing to allow `data.nuget.org` if asked.

```xml
<configuration>
<auditSources>
<clear />
<add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
<add key="nuget.org" value="https://data.nuget.org/v3/index.json" />
</auditSources>
</configuration>
```
Expand Down
4 changes: 4 additions & 0 deletions docs/concepts/Security-Best-Practices.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -175,6 +175,10 @@ For example:
</configuration>
```

> [!TIP]
> If your organization blocks access to `api.nuget.org`, consider asking the network administrator to allow `https://data.nuget.org/v3/index.json` and configure it as an [audit source](Auditing-Packages.md#audit-sources) for [NuGet Audit](Auditing-Packages.md).
> This endpoint only serves vulnerability data, not packages, so it might be allowed even when `api.nuget.org` is blocked.
Comment on lines +178 to +180
Copy link

Copilot AI Apr 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file uses “NuGetAudit” earlier (for example, the link text in the prior paragraph). Consider using the same name here (either “NuGetAudit” everywhere, or “NuGet Audit” everywhere) to avoid implying they’re different features.

Copilot uses AI. Check for mistakes.

### NuGet feeds

**📦 Package Consumer**
Expand Down
8 changes: 8 additions & 0 deletions docs/nuget-org/overview-nuget-org.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,3 +50,11 @@ To use NuGet.org as a package repository with NuGet clients, you should use the
Older clients can still use the V2 protocol to reach NuGet.org. However, please note, NuGet clients 3.0 or later will have slower and less reliable service using the V2 protocol:

`https://www.nuget.org/api/v2` (**The V2 protocol is deprecated!**)

nuget.org also provides a vulnerability-data-only endpoint:
Copy link

Copilot AI Apr 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In this file, the product name is used as “NuGet.org” elsewhere. Consider capitalizing “nuget.org” here for consistency and branding.

Suggested change
nuget.org also provides a vulnerability-data-only endpoint:
NuGet.org also provides a vulnerability-data-only endpoint:

Copilot uses AI. Check for mistakes.

`https://data.nuget.org/v3/index.json`

This service index only contains the [`VulnerabilityInfo`](../api/vulnerability-info.md) resource and doesn't serve packages.
It's designed for use as an [audit source](../concepts/Auditing-Packages.md#audit-sources) in environments where access to `api.nuget.org` is blocked at the network level.
Because this endpoint doesn't provide package content, network administrators who block `api.nuget.org` to prevent package downloads might be willing to allow `data.nuget.org` if asked.
Comment on lines +58 to +60
Copy link

Copilot AI Apr 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

“Service index … doesn't serve packages” is a bit misleading because service indexes typically list resource endpoints rather than serving package content directly. Consider rewording to clarify that https://data.nuget.org/v3/index.json doesn't advertise package download/search resources (it only advertises VulnerabilityInfo).

Suggested change
This service index only contains the [`VulnerabilityInfo`](../api/vulnerability-info.md) resource and doesn't serve packages.
It's designed for use as an [audit source](../concepts/Auditing-Packages.md#audit-sources) in environments where access to `api.nuget.org` is blocked at the network level.
Because this endpoint doesn't provide package content, network administrators who block `api.nuget.org` to prevent package downloads might be willing to allow `data.nuget.org` if asked.
This service index only advertises the [`VulnerabilityInfo`](../api/vulnerability-info.md) resource.
It doesn't advertise package search or package download resources.
It's designed for use as an [audit source](../concepts/Auditing-Packages.md#audit-sources) in environments where access to `api.nuget.org` is blocked at the network level.
Because this endpoint doesn't advertise package download resources, network administrators who block `api.nuget.org` to prevent package downloads might be willing to allow `data.nuget.org` if asked.

Copilot uses AI. Check for mistakes.
3 changes: 3 additions & 0 deletions docs/reference/errors-and-warnings/NU1905.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,9 @@ Any NuGet source implementing [NuGet's V3 server API can provide vulnerability d
Any source defined in a NuGet.Config `<auditSources>` element is expected to provide this resource, and this warning is raised when it is not.
You can check if your package source administrators have a setting to enable vulnerability data.

If your audit source is nuget.org and access to `api.nuget.org` is blocked on your network, consider asking the network administrator to allow `https://data.nuget.org/v3/index.json` and use it as your audit source instead.
This endpoint only serves vulnerability data, not packages, so it might be allowed even when `api.nuget.org` is blocked.

If you would like to treat this warning as an error, to cause build failures when vulnerability checks could not be performed, you can add `<WarningAsError>$(WarningAsError);NU1905</WarningAsError>` to your project file.
If you are using `TreatWarningsAsErrors` to cause all warnings to be treated as errors, you can add `<NoWarn>$(NoWarn);NU1905</NoWarn>` to your project file to suppress this warning message, or `<WarningsNotAsErrors>NU1905</WarningsNotAsErrors>` to prevent this warning from being treated as an error.

Expand Down
5 changes: 5 additions & 0 deletions docs/reference/nuget-config-file.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -161,6 +161,11 @@ Audit sources support the same attributes as `packageSources` (`protocolVersion`
</auditSources>
```

> [!TIP]
> nuget.org also provides `https://data.nuget.org/v3/index.json`, a service index that only contains vulnerability data and doesn't serve packages.
Copy link
Copy Markdown
Contributor

@donnie-msft donnie-msft Apr 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you think about updating VS Options docs to also have a similar callout?
This is linked from the Sources -> Audit Sources VS Options page today:

https://learn.microsoft.com/en-us/nuget/consume-packages/nuget-visual-studio-options#audit-sources

Copy link
Copy Markdown
Member Author

@zivkan zivkan Apr 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot add a similar message in the managing audit sources section of the visual studio options docs

Copy link
Copy Markdown
Contributor

Copilot AI Apr 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added the similar data.nuget.org callout in the Managing Audit Sources section of the Visual Studio options docs in commit 7ea61f7.

> Network administrators who block `api.nuget.org` to prevent package downloads might be willing to allow `data.nuget.org` if asked.
> For more information, see [audit sources](../concepts/Auditing-Packages.md#audit-sources).

### packageSourceCredentials

Stores usernames and passwords for sources, typically specified with the `-username` and `-password` switches with `nuget sources`. Passwords are encrypted by default unless the `-storepasswordincleartext` option is also used.
Expand Down