Artifacts & dependencies
Feeds, pinning, dependency integrity.
Software is built from packages, and managing those packages — both the ones you consume and the ones you produce — is part of a reliable, secure delivery pipeline. Azure Artifacts provides package feeds, and dependency integrity is a supply-chain concern.
Package feeds
Azure Artifacts hosts private package feeds for NuGet, npm, Maven, and Python, giving your organization a controlled, versioned registry for internal packages and a proxy/cache for public ones. Publishing shared libraries to a feed lets teams consume vetted, versioned building blocks rather than copying code, and upstream sources let you pull public packages through the feed so you control and cache what enters your builds. This centralizes dependency management: teams consume from a known, governed source, and you can apply retention and access policies. A private feed is the foundation for sharing code safely across an organization and for controlling the external packages your pipelines pull in.
# Publish an internal library to the org feed, versioned:# npm publish (to the Azure Artifacts feed, e.g. @contoso/logging@2.1.0)## Consume from the feed (with upstream to public registries, cached):# .npmrc → registry = the Azure Artifacts feed## Teams pull VETTED, versioned packages from one governed source;# public packages enter only through the controlled upstream.
Dependency integrity
Most of your application is other people’s code, so dependency integrity is a real security concern. Pin dependencies to exact versions (via lockfiles) so builds are reproducible and a package cannot silently change under you, scan dependencies for known vulnerabilities in the pipeline, and prefer your governed feed so you control what enters. This defends against the supply-chain attacks — dependency confusion (a malicious public package shadowing an internal one, mitigated by proper feed configuration and scoping), typosquatting, and malicious updates — that target the packages a build consumes. Combined with build artifacts (build once, promote the same output through environments so what you tested is what ships), disciplined package management keeps the software supply chain trustworthy from dependency to deployed artifact.