Blog
Optimizing Package Management with Azure DevOps and Azure Artifacts

Published on 2025-07-25 01:23:50 2 min read

Managing dependencies efficiently is a crucial part of software development. Azure DevOps, combined with Azure Artifacts, provides a secure, centralized, and automated approach to handling NuGet and NPM packages. This guide explores how to securely authenticate, separate package feeds based on branches, automate package restoration, push updates, and manage upstream sources dynamically.

1. What is Azure Artifacts and Why is it Important?

Azure Artifacts is a package management service that allows teams to host, share, and manage NuGet, NPM, Maven, and Python packages in a private feed. It plays a key role in:

  • Security: Keeps dependencies private and restricts unauthorized access.
  • Reliability: Prevents external package source failures from affecting the build process.
  • Version Control: Ensures teams are using the correct package versions without accidental updates.
  • Performance Optimization: Speeds up dependency resolution by reducing external calls.

2. Secure Authentication with Tokens for Azure Artifacts

To securely access Azure Artifacts in Azure Pipelines, we use system-generated access tokens. This prevents credentials from being exposed in the repository.

Configure NuGet.config for Secure Authentication

This ensures tokens are dynamically injected at runtime, preventing credential leaks.

3. Feed add & Connecting to Feed

Steps to Add a New Feed

  1. Navigate to Azure DevOps → Artifacts.
  2. Click on Create Feed and provide a meaningful name (e.g., development-feed).
  3. Choose feed visibility:
  • Public: Accessible to all users.
  • Private: Restricted to your organization.
  1. Click Create to finalize feed setup.
  2. Copy the generated feed URL for future use.

 

Create Feed

The “Connect to Feed” section in Azure Artifacts provides step-by-step instructions for linking different package managers to a secure feed. This allows teams to seamlessly pull and push packages within their Azure DevOps environment.

Why is "Connect to Feed" Important?

  • Centralized Package Management: Ensures all dependencies come from a secure, managed location.
  • Secure Authentication: Uses Azure Artifacts Credential Provider to enable seamless package retrieval.
  • Faster Restores & Builds: Reduces dependency resolution time by caching packages.
  • Version Control & Stability: Helps teams maintain package version consistency across environments.

Supported Package Managers

  • NuGet: Used in .NET projects, connects via NuGet.config.
  • NPM: JavaScript/Node.js package management.
  • Maven: Java package handling.
  • Gradle: Build automation and dependency management.
  • Python: Manages Python dependencies with pip and twine.

For each package type, Azure DevOps provides precise connection details, including authentication steps and feed URLs.
 

4. Separating Feeds Based on Branches

For better environment separation (e.g., development, staging, production), different feeds can be assigned per branch.

Example in Azure Pipelines:

variables:
  - name: packageFeed
    ${{ if eq(variables['Build.SourceBranch'], 'refs/heads/develop') }}:
      value: 'my-feed-dev'
    ${{ if eq(variables['Build.SourceBranch'], 'refs/heads/main') }}:
      value: 'my-feed-prod'

This allows:

  • Development teams to push and restore from a separate feed.
  • Production environments to pull only stable versions.

     

5. Restoring and Publishing NuGet/NPM Packages to Azure Artifacts

To ensure that missing packages are restored and published into Azure Artifacts, the following steps should be included in the pipeline:

steps:
  - task: NuGetAuthenticate@1
    displayName: 'Authenticate NuGet Feed'

  - task: DotNetCoreCLI@2
    displayName: 'Restore NuGet Packages'
    inputs:
      command: 'restore'
      feedsToUse: 'config'
      nugetConfigPath: 'NuGet.config'

  - script: |
      npm install
      npm publish --registry https://pkgs.dev.azure.com//_packaging/my-npm-feed/npm/registry/
    displayName: 'Restore & Publish NPM Packages'

  - task: DotNetCoreCLI@2
    displayName: 'Push NuGet Packages to Feed'
    inputs:
      command: 'push'
      packagesToPush: '**/*.nupkg'
      nuGetFeedType: 'internal'
      publishVstsFeed: '$(packageFeed)'

6. Upstream Sources: Why and When to Use Them?

Upstream Sources Feed

Upstream sources allow teams to:

  • Automatically pull missing dependencies from external sources (e.g., NuGet.org, npmjs.com) without storing them locally.
  • Maintain security by filtering which external packages are allowed.
  • Improve speed by caching frequently used dependencies.

To configure upstream sources:

  • Navigate to Azure Artifacts → Your Feed → Upstream Sources.
  • Add NuGet.org or NPM registry as an upstream source.
  • Enable automatically cache pulled packages.

     

7. Handling Package Updates and Versioning

Keeping packages updated is essential for security and performance. Key best practices include:

  • Using Semantic Versioning (major.minor.patch) to track updates.
  • Running dotnet outdated or npm outdated in CI/CD pipelines to detect outdated dependencies.
  • Automating updates using Dependabot or Renovate.

     

8. Conditional Execution in Pipeline (Manual Control Over Restore & Push)

To provide flexibility, package restore and push can be controlled manually using pipeline variables:

variables:
  enableRestore: true
  enablePush: false

steps:
  - ${{ if eq(variables['enableRestore'], 'true') }}:
      - task: DotNetCoreCLI@2
        displayName: 'Restore NuGet Packages'
        inputs:
          command: 'restore'

  - ${{ if eq(variables['enablePush'], 'true') }}:
      - task: DotNetCoreCLI@2
        displayName: 'Push Packages'
        inputs:
          command: 'push'
          packagesToPush: '**/*.nupkg'

This allows developers to enable/disable package restore and publishing dynamically.

9. Key Benefits of This Approach

  • Security: Secure authentication using system tokens eliminates credential exposure.
  • Flexibility: Branch-based feeds allow separation of development and production environments.
  • Automation: CI/CD pipelines handle dependency restoration and package publishing automatically.
  • Performance: Using Azure Artifacts and upstream sources reduces build time by caching dependencies.
  • Reliability: Eliminates dependency on external package sources, reducing build failures.
     

Conclusion

Using Azure DevOps, Azure Artifacts, and token-based authentication ensures a secure, centralized, and automated NuGet/NPM package management solution. By leveraging branch-based feeds, upstream sources, and conditional execution, teams can optimize package handling across various environments, improving security, efficiency, and scalability in CI/CD workflows.

Here are some related articles you may find interesting:

AI Action Plan: US leadership must be ‘unchallenged’
25th Jul 2025 12:58:42
OpenAI and Oracle announce Stargate AI data centre deal
25th Jul 2025 1:00:41
Tech giants split on EU AI code as compliance deadline looms
25th Jul 2025 1:01:38
The Top 25 Sustainability Consultants and Leaders of 2025
25th Jul 2025 1:04:52
Chinese companies are waging fierce price wars — but the consumer isn’t always the winnerFierce price wars in China are hitting industries from cars to food deliveries to solar panels, squeezing profits and worsening the country’s deflationary slide.
25th Jul 2025 1:12:30
8 “Healthy” Habits That Are Slowly Destroying Your Body (And You Probably Do Most of Them)
25th Jul 2025 1:17:26
Top 10 ‘Out of this World’ Space Technology Trends for 2025
25th Jul 2025 3:45:17

Silvershell Integrated Consulting was founded with a clear vision: to drive digital transformation and foster sustainable growth across industries.

Services

IT Consulting

Business strategy

Engineering Operations

Education & Training

Financial Consulting

Contact Info
Suite 3-8, Brook Street Business Hub, 117 Brook Street, Glasgow, G40 3AP.
+44 1413 539308
+44 7729 324316 (WhatsApp)
info@silvershellconsult.com
© 2025 Silvershell Integrated Consulting. All Rights Reserved.
Privacy Policy | Terms & Conditions