How to whitelist packages in azure devops?

Question

Strange question - I want to whitelist packages for dotnet build, like use only allowed packages. I'm using Azure DevOps as a build/deploy solution.

For example,

dotnet list Service.csproj package:
   Top-level Package                               Requested   Resolved 
   > AspNetCore.HealthChecks.SqlServer             6.0.0       6.0.0    
   > Microsoft.ApplicationInsights.AspNetCore      2.18.0      2.18.0   
   > Microsoft.EntityFrameworkCore.Tools           5.0.11      5.0.11   

And I want to stop a build if Microsoft.ApplicationInsights.AspNetCore not eq 2.14.0

My idea -> compare output from dotnet list package with some "allowlist.txt/json", but it looks super scary.

Any 3d party tools?

Any ideas? Thanks!

Answer 1

Sorry for any inconvenience.

I am afraid there is no such way to whitelist upstream packages without disabling upstream sources at this moment.

Just as you know, there is not much settings for upstream sources currently, just add/delete, enable/disable. We could not have any way to set a whitelist to filter the packets from the upstream source.

As you have a business need to manually approve every (external) upstream change, you could add your request for this feature on our UserVoice site (https://developercommunity.visualstudio.com/content/idea/post.html?space=21 ), which is our main forum for product suggestions. Thank you for helping us build a better Azure DevOps.

Besides, as workaround, I also agree with the second way. We could use file matching patterns to publish multiple packages:

Push NuGet packages