In Azure DevOps Builds, checks for deprecated and vulnerable nuget packages work great using:
dotnet list "HappySolution.sln" package --deprecated --source https://api.nuget.org/v3/index.json --include-transitive
dotnet list "HappySolution.sln" package --vulnerable --source https://api.nuget.org/v3/index.json --include-transitive
Which works great for packages available via nuget.org, however internal packages within an on-prem package feed in Azure DevOps should never be published to nuget.org. How can the build check that these internal packages are now deprecated?
A list of packages could be generated per solution, then compared to the results of a "Deprecated" View that the deprecated packages are promoted to:
nuget list -source https://happy.sos/DefaultCollection/_packaging/InternalNuget@Deprecated/nuget/v3/index.json -AllVersions
but nuget list is now deprecated in favor of nuget search, which does not support the -AllVersions option.
In other words,
dotnet list "HappySolution.sln" package --deprecated --source https://happy.sos/DefaultCollection/_packaging/InternalNuget@Deprecated/nuget/v3/index.json --include-transitive
always returns that a given project has no deprecated packages, when internally it needs to.
If you are using Azure Artifacts to host your own custom NuGet feeds, then the deprecated package feature isn't available yet.
You can only unlist/delete a package instead with Azure Artifacts.
BTW, many other custom NuGet feed solutions do support that feature, which you can migrate to if you want that feature.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With