Artifacts & dependencies

Feeds, pinning, dependency integrity.

Intermediate25 min · lesson 6 of 15

Software is built from packages, and managing those packages — both the ones you consume and the ones you produce — is part of a reliable, secure delivery pipeline. Azure Artifacts provides package feeds, and dependency integrity is a supply-chain concern.

Package feeds

Azure Artifacts hosts private package feeds for NuGet, npm, Maven, and Python, giving your organization a controlled, versioned registry for internal packages and a proxy/cache for public ones. Publishing shared libraries to a feed lets teams consume vetted, versioned building blocks rather than copying code, and upstream sources let you pull public packages through the feed so you control and cache what enters your builds. This centralizes dependency management: teams consume from a known, governed source, and you can apply retention and access policies. A private feed is the foundation for sharing code safely across an organization and for controlling the external packages your pipelines pull in.

a governed package feed
# Publish an internal library to the org feed, versioned:
# npm publish (to the Azure Artifacts feed, e.g. @contoso/[email protected])
#
# Consume from the feed (with upstream to public registries, cached):
# .npmrc → registry = the Azure Artifacts feed
#
# Teams pull VETTED, versioned packages from one governed source;
# public packages enter only through the controlled upstream.

Dependency integrity

Most of your application is other people’s code, so dependency integrity is a real security concern. Pin dependencies to exact versions (via lockfiles) so builds are reproducible and a package cannot silently change under you, scan dependencies for known vulnerabilities in the pipeline, and prefer your governed feed so you control what enters. This defends against the supply-chain attacks — dependency confusion (a malicious public package shadowing an internal one, mitigated by proper feed configuration and scoping), typosquatting, and malicious updates — that target the packages a build consumes. Combined with build artifacts (build once, promote the same output through environments so what you tested is what ships), disciplined package management keeps the software supply chain trustworthy from dependency to deployed artifact.

Package management
produce + consume
Azure Artifacts feeds
private, versioned registry
upstream sources
controlled/cached public packages
integrity
pin + lockfiles
reproducible, no surprise changes
scan dependencies
catch known vulnerabilities
Govern packages through a private feed, pin and scan dependencies, and build once to promote the same artifact everywhere.
Floating dependency versions are an unreviewed trust decision
Depending on "latest" or a version range means the exact code you build against can change at any moment with no review — the gap supply-chain attacks exploit. Pin dependencies with lockfiles, pull them through a governed feed, and scan them, so every dependency change is deliberate, reproducible, and vetted.