NuGet: Auto-patch NuGet.Config to allow insecure HTTP feeds#15092
Pull request overview
This PR updates the NuGet helper (NuGetUpdater) to automatically patch NuGet.Config files at runtime so that any http:// package sources get allowInsecureConnections="true" added before update scenarios run, enabling restores from insecure HTTP feeds without requiring users to modify their checked-in config.
Changes:
- Adds a pre-handler step in `RunWorker` to scan for `NuGet.Config` files and patch `http://` sources with `allowInsecureConnections="true"`.
- Extends the test HTTP server with a simple NuGet V2 (OData/Atom) feed implementation to support `packages.config` scenarios.
- Adds unit tests for the XML patching logic and an end-to-end test covering mixed SDK-style + `packages.config` projects using insecure HTTP feeds.
| File | Description |
|---|---|
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/RunWorker.cs | Adds NuGet.Config patching logic and runs it before scenario handlers. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/TestHttpServer.cs | Adds a V2 NuGet feed factory used by new end-to-end coverage. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Run/RunWorkerTests.cs | Adds unit tests validating the NuGet.Config patching behavior. |
| nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Run/EndToEndTests.InsecureHttpFeed.cs | Adds an end-to-end test ensuring updates work with insecure HTTP feeds across project types. |
Copilot's findings
- Files reviewed: 4/4 changed files
- Comments generated: 4
e883194 to f59ccda
```csharp
    return jobFile;
}

internal static string AddInsecureConnectionsAttribute(string nugetConfigContents)
```
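Review bot: the hunk shows only the signature of AddInsecureConnectionsAttribute, and nothing visible here records which sources were downgraded; because adding allowInsecureConnections="true" removes the one guard NuGet has against restoring packages over plaintext HTTP, the caller should log each http:// source it patched so the job output shows that a restore ran over an insecure feed. The thread below relies on a separate allow-list check to keep the patched NuGet.Config out of the resulting PR, so it would also be worth a unit test asserting that the input string is returned unchanged when no http:// source is present, which makes the "no-op on already-secure configs" guarantee explicit rather than implied.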
Just making sure, this doesn't actually get added in the resulting PR right?
Correct, we never submit a nuget.config file in the PR. In fact, there is internal code to explicitly reject PR creation if anything other than csproj/props/targets/packages.config (and a handful of others) are modified.
The very bottom of the end-to-end test shows that only the appropriate files are edited and not nuget.config.
Add allowInsecureConnections=true to http:// package sources in NuGet.Config files before running update scenarios. This allows Dependabot to restore packages from insecure HTTP feeds without requiring the attribute in the original config.

- Add AddInsecureConnectionsAttribute to RunWorker for XML patching
- Add PatchNuGetConfigFilesAsync to scan and patch all config files
- Add V2 feed support to TestHttpServer
- Add end-to-end test with mixed SDK/packages.config projects
- Add unit tests for the XML patching logic

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
f59ccda to 8773f99
Summary

Automatically adds `allowInsecureConnections="true"` to `http://` package sources in NuGet.Config files before running update scenarios. This allows Dependabot to restore packages from insecure HTTP feeds without requiring the attribute in the original config file.

Reasoning
A repo owner might locally use an older version of NuGet.exe that doesn't complain on insecure package feeds along with a custom, you guessed it, insecure package feed. In that instance dependabot should still generate a package update PR.
Changes

- `AddInsecureConnectionsAttribute` (static, public) to patch NuGet.Config XML content, and `PatchNuGetConfigFilesAsync` (private) to scan the repo and apply patches before running handlers
- `CreateTestNuGetV2Feed` factory method for V2 OData-based NuGet feeds

Testing

- `AddInsecureConnectionsAttribute` covering https sources, http sources, local paths, existing attributes, multiple sources, package source mappings, credentials, XML declarations, and other config sections
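A worked example of the patching behaviour that the review overview and the Summary above describe, written for this page and not taken from the PR: it parses a NuGet.Config, adds `allowInsecureConnections="true"` to every `<packageSources>/<add>` whose `value` starts with `http://`, and leaves https sources, local paths, `<packageSourceMapping>`, `<packageSourceCredentials>` and the XML declaration alone. The class name `NuGetConfigPatcher`, the sample config embedded in it, and the choice to respect an attribute the repo owner already set (rather than overwrite it) are assumptions of this example, not details confirmed by the PR.

```csharp
using System;
using System.Linq;
using System.Xml.Linq;

// Added example, not the PR's code: patch NuGet.Config so that every
// <packageSources>/<add> whose value is a plain http:// URL carries
// allowInsecureConnections="true". Everything else (https sources, local
// paths, <packageSourceMapping>, <packageSourceCredentials>, the XML
// declaration) passes through unchanged.
public static class NuGetConfigPatcher
{
    public static string AddInsecureConnectionsAttribute(string nugetConfigContents)
    {
        var doc = XDocument.Parse(nugetConfigContents);
        var sources = doc.Root?.Element("packageSources")?.Elements("add")
                      ?? Enumerable.Empty<XElement>();
        int patched = 0;
        foreach (var add in sources)
        {
            var value = (string)add.Attribute("value");
            // Prefix check on the scheme: "https://..." and "C:\packages" do not match.
            if (value == null || !value.StartsWith("http://", StringComparison.OrdinalIgnoreCase))
                continue;
            // Assumption for this example: an attribute the repo owner already set
            // (true or false) is respected; only a missing attribute is added.
            if (add.Attribute("allowInsecureConnections") != null)
                continue;
            add.SetAttributeValue("allowInsecureConnections", "true");
            patched++;
        }
        if (patched == 0)
            return nugetConfigContents; // nothing to change: hand back the input untouched

        // XDocument.ToString() omits the declaration, so re-emit it only if the input had one.
        var declaration = doc.Declaration == null ? string.Empty : doc.Declaration + Environment.NewLine;
        return declaration + doc.ToString();
    }

    // Constructed sample config (not from the PR) exercising the cases the PR's tests list.
    const string Sample = @"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
  <packageSources>
    <clear />
    <add key=""nuget.org"" value=""https://api.nuget.org/v3/index.json"" />
    <add key=""legacy"" value=""http://legacy.example.test/nuget"" />
    <add key=""mirror"" value=""HTTP://mirror.example.test/api/v2"" allowInsecureConnections=""true"" />
    <add key=""local"" value=""C:\packages"" />
  </packageSources>
  <packageSourceMapping>
    <packageSource key=""legacy""><package pattern=""Contoso.*"" /></packageSource>
  </packageSourceMapping>
  <packageSourceCredentials>
    <legacy><add key=""Username"" value=""build"" /><add key=""ClearTextPassword"" value=""secret"" /></legacy>
  </packageSourceCredentials>
</configuration>";

    public static void Main()
    {
        string patched = AddInsecureConnectionsAttribute(Sample);
        var adds = XDocument.Parse(patched).Root.Element("packageSources").Elements("add")
                   .ToDictionary(e => (string)e.Attribute("key"),
                                 e => (string)e.Attribute("allowInsecureConnections"));
        Require(adds["legacy"] == "true", "http source gets the attribute");
        Require(adds["nuget.org"] == null, "https source is untouched");
        Require(adds["local"] == null, "local path is untouched");
        Require(adds["mirror"] == "true", "existing attribute is kept");
        Require(patched.Contains("ClearTextPassword"), "credentials section survives");
        Require(patched.StartsWith("<?xml"), "XML declaration survives");
        Require(AddInsecureConnectionsAttribute(patched) == patched, "second run is a no-op");
        Console.WriteLine(patched);
    }

    static void Require(bool ok, string what)
    {
        if (!ok) throw new InvalidOperationException("check failed: " + what);
    }
}
```

Two design points worth noting. The function returns the input string byte-for-byte when there is nothing to patch, so a config with only https or local sources is provably untouched; when it does patch, `XDocument.ToString()` re-indents the document, which is acceptable here only because, as the thread above confirms, the patched file lives in the job's working copy and is never committed back into the PR. The credentials section is carried through unchanged, including any `ClearTextPassword`, which is a reminder that enabling an http:// source means those credentials travel over plaintext HTTP during the restore.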