Friday, April 26, 2013

NuGet your Enterprise?

simple talk - Taking NuGet to the Enterprise

The NuGet package manager is a great way for developers to install and update third-party tools. It solves a lot of the problems of dependency management and integration. Is it ready for the exacting requirements of development in the enterprise?


  • NuGet as That Tool
  • A World Without NuGet
  • NuGet… to the rescue?
  • Dependency Management Overview
  • Brief History of NuGet
  • The Enterprise Development Challenge
  • Enterprise Annoyances with NuGet
  • Getting around NuGet annoyances
  • Private NuGet Repository
  • Preparing Packages for the Enterprise
  • Alternative Client Tools
  • Taking NuGet to the Enterprise

Beyond Dependency Management

Several tools – both open source and commercial – have repurposed NuGet components for uses other than dependency management. While these components will obviously share NuGet’s annoyances, the same techniques can be applied to mitigate these annoyances in the enterprise.

One such tool is Chocolatey. It’s described as “somewhat like apt-get, but built with Windows in mind,” and allows users to install programs like Notepad++, Git, and 7Zip with a single command at the Command Prompt. The Chocolatey client accomplishes this by downloading the corresponding .nupkg file from and executing the install.ps1 contained within.

Obviously, most of NuGet’s dependency management annoyances aren’t applicable with Chocolatey, but Package Verification, Arbitrary PowerShell Script Execution, and Unexpected Licensing are equally – if not more – problematic. But they can all be mitigated with a private NuGet repository and careful package preparation.

Another tool that uses NuGet components is Red Gate’s Deployment Manager. Essentially, it retrieves application components (which have been packaged as NuGet packages) from a private NuGet repository and deploys those components to various servers. But in this case, since the packages come from known sources (i.e. built by the organization), are used outside of the context of development, and are already housed in a private repository, none of NuGet’s annoyances have transferred.

All new tools brought into the enterprise need to be carefully adopted, but as these examples show, just because a tool uses NuGet components doesn’t mean that it inherits NuGet’s annoyances. And even if it does (as is the case with Chocolatey), it’s just as easy to mitigate.

At work we had a discussion about just this yesterday, about leveraging NuGet with a private repository, primarily for sharing in-house bins, but also to re-purpose NuGet as a "service" repository. I hadn't thought to use a private repository for storing third-party stuff we've licensed. In hindsight that seems to make a good deal of sense... Interesting...
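One way to do the "careful package preparation" the excerpt mentions before a third-party package is admitted to a private feed, shown as an added example (not code from the article, NuGet or Chocolatey): it treats the .nupkg as a zip archive, flags every PowerShell script it carries, reads the license fields from the .nuspec, and checks the package hash against an approved list. The function names, the size cap, the approved-hash set and the sample package are assumptions constructed for illustration.

```python
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

MAX_ENTRY = 1024 * 1024  # assumed cap per entry read, guards against zip bombs


def audit_nupkg(data, approved_sha256):
    """Return (metadata, findings) for a .nupkg supplied as bytes."""
    findings = []
    digest = hashlib.sha256(data).hexdigest()
    if digest not in approved_sha256:
        findings.append("package hash not on approved list: " + digest)
    meta = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            lower = info.filename.lower()
            if not lower.endswith((".ps1", ".nuspec")):
                continue
            if info.file_size > MAX_ENTRY:
                findings.append("oversized entry not read: " + info.filename)
                continue
            if lower.endswith(".ps1"):
                # Scripts such as tools/install.ps1 run at install time: flag them.
                sha = hashlib.sha256(pkg.read(info)).hexdigest()
                findings.append("script %s sha256=%s" % (info.filename, sha))
            elif "/" not in info.filename:
                # Root .nuspec; its namespace differs by schema version, so use local names.
                # stdlib parser shown; prefer a hardened XML parser for untrusted input.
                for el in ET.fromstring(pkg.read(info)).iter():
                    tag = el.tag.split("}")[-1]
                    if tag in ("id", "version", "licenseUrl", "requireLicenseAcceptance"):
                        meta[tag] = (el.text or "").strip()
    if not meta.get("id"):
        findings.append("no root .nuspec with an <id> found")
    if not meta.get("licenseUrl"):
        findings.append("no licenseUrl declared: license needs manual review")
    return meta, findings


def build_sample_nupkg():
    """Constructed sample package, not a real one."""
    nuspec = ('<package xmlns="http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd">'
              "<metadata><id>Demo.Tool</id><version>1.0.0</version></metadata></package>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Demo.Tool.nuspec", nuspec)
        z.writestr("tools/install.ps1", "Write-Host 'constructed sample'")
    return buf.getvalue()
```

In a feed-promotion job, a non-empty findings list would hold the package for manual review instead of pushing it to the private repository.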

1 comment:

Mike said...

At my work we have built our private NuGet feeds to host shared code amongst our development teams. Example packages include Shared.MVC, Shared.WCF etc... The packages are not built for specific products without our company, but for reusable code.

Works very well, the packages have unit test projects and any new update to a package is pushed to the feed automatically on check-in.

One gotcha is the fact that it's difficult to test a package (outside of your unit tests). The reason is that you'll only have one private NuGet feed. You're unlikely to have a feed for each staging environment (dev, UAT etc...), because you won't want to be uninstalling and reinstalling packages from each feed just to test new functionality.