generalinformation-404166-nuget-security-licensing-reliability-considerations.md
To find your personal DevExpress NuGet Feed key, login to any of the following pages:
If you are working within a team, a license holder (typically a team lead or executive) assigns individual DevExpress licenses to each developer using the Assign Licenses menu on our website. An individual DevExpress license assigned to a developer grants this developer the right to use the DevExpress Unified Component Installer or individual NuGet feed credentials.
For a shared CI/CD pipeline, an individual developer (such as a team lead) can use their personal NuGet feed and .NET or DevExtreme license key. The same developer can also use their licensed DevExpress products in Visual Studio or another IDE. All other developers on the team that use DevExpress products must also have valid DevExpress licenses.
If the primary license owner has assigned all available licenses to developers on a team, the license owner cannot use their individual NuGet feed and .NET or DevExtreme license key for a shared CI/CD pipeline or any other development purposes. Primary license owners without a license cannot install DevExpress products (whether through NuGet or the Unified Component Installer). For additional license-related information, please refer to the following webpage: Licensing: EULAs and FAQ | DevExpress.
We offer trial/evaluation versions for the latest versions. Licensed users are able to access earlier versions via the DevExpress Download Manager or their personal online NuGet feed.
DevExpress NuGet packages may “disappear” in the following instances:
To help avoid unintentional license/EULA violations, we send an email notification when a NuGet package trial begins: Start your 30-day trial. Applications that reference DevExpress trial packages display trial/eval banners and watermarks: When using a trial version.
Users sometimes mistake certain features for capabilities that ship as part of DevExpress DXperience or our platform-specific subscriptions. Check your projects for the following to avoid unintended use or a license/EULA violation:
DevExpress Office File API
DevExpress Business Intelligence Dashboard
If you are unsure whether your code uses APIs from these DevExpress packages, you can search for and remove them by using Solution Explorer. Compilation errors in your project will display API usage location.
Note
DevExpress license terms (as defined in the DevExpress EULA) prohibit the use of a single DevExpress license by multiple software developers (for build and development purposes within Visual Studio or other IDEs). Each engineer who develops solutions using DevExpress products must own/purchase a valid license.
If you own the appropriate number of DevExpress licenses, but need licensing related clarification for your CI/CD system, be sure to submit a support ticket via the DevExpress Support Center. We’ll do our best to accommodate your specific business requirements (where possible). If you have licensing related questions, please refer to the following webpage: Licensing: EULAs and FAQ | DevExpress.
DevExpress NuGet feed URL and authorization keys are not encrypted. You should protect this sensitive information against unauthorized use. Do not share nuget.config and other secret files (with a DevExpress NuGet feed URL or authorization key) on GitHub, public DevExpress Support Center tickets, Stack Overflow, or other public online resources. If you accidentally exposed your NuGet feed to the public, submit a DevExpress Support Center ticket so that we can regenerate your NuGet feed.
To help protect private NuGet feeds in your CI/CD system and other secured environments such as Azure DevOps, Docker, Kubernetes, GitHub, or GitLab, we support NuGet authentication using personal access tokens. Options include:
--secret flag to safely pass the NuGet source URL.Note
Storing passwords in clear text is highly discouraged. For additional information on secure credential management, refer to the following Microsoft help topic: Consuming packages from authenticated feeds - Security best practices for managing credentials.
Your NuGet API key contains sensitive information. As such, you should protect it from unauthorized use. If you NuGet API key has been compromised in any manner, you need to regenerate it as soon as possible. Situations which may require you to regenerate a NuGet API key may include, but are not limited to, the following:
To regenerate the NuGet API key, you must:
Navigate to https://nuget.devexpress.com/.
Log in if you are logged out.
Click Regenerate Feed and follow the instructions.
Your IT administrators should double-check that nuget-cdn.devexpress.com and nuget.devexpress.com are added to the list of allowed sites or whitelisted using the fully qualified domain name (FQDN) rather than the IP address.
IT administrators may be interested to know that the DevExpress NuGet server hosts packages on Amazon CloudFront and there is a redirect to nuget-cdn.devexpress.com from nuget.devexpress.com (internal CI/CD and other systems must support ‘http redirection’ and TLS 1.2). nuget.devexpress.com is protected by CloudFlare (you should grant access to CloudFlare edge servers).
If these recommendations do not help, please ask your IT administrators to test access to our website using standard tools such as ping and tracert. Read the following article for additional information in this regard: How to Use TRACERT to Troubleshoot TCP/IP Problems in Windows.
It is likely that access to external sites such as https://www.devexpress.com is blocked for certain machines/networks by your IT department. Use Down for Everyone or Just Me or a similar third-party tool to check if our website is down.
If our website is not accessible from your company network, please review the previous question/solution.
Our NuGet server implements various security measures to prevent distributed denial-of-service (DDoS) attacks and unauthorized usage. In rare instances (when we detect anomalous or malicious activity), DevExpress may blacklist certain NuGet clients or external IP addresses. In such instances, contact DevExpress Support (via the DevExpress Support Center) to unblock the external IP address.
Use the NuGet v3 protocol to access DevExpress packages:
https://nuget.devexpress.com/{your-feed-authorization-key}/api/v3/index.json (Feed URL Authorization)https://nuget.devexpress.com/api/v3/index.json (Password-based Authorization - use “DevExpress” as your user name and your feed authorization key as your password)Microsoft (for https://www.nuget.org/) and many third-parties (such as CI/CD systems and other vendors) have deprecated the NuGet v2 protocol. The NuGet v3 protocol is faster and more reliable than NuGet v2. You can access DevExpress NuGet packages (temporarily) using the legacy/deprecated NuGet v2 protocol (https://nuget.devexpress.com/{your-feed-authorization-key}/api/).
Note
We strongly recommend that you migrate to NuGet v3 as NuGet v2 will be removed from https://nuget.devexpress.com in the future.
We do not recommend setting up a NuGet server because of additional maintenance requirements (including the need to maintain package sync between your server and our latest versions). However, this setup can be beneficial in high-security environments without Internet access, or in advanced CI/CD system scenarios where internal package caching is necessary to improve performance\security. You can obtain our NUPKG files from c:\Program Files\DevExpress 25.2\Components\System\Components\packages\setup and set up your own NuGet server.
Read the following help topic for additional information: Hosting your own NuGet feeds.
Tip
If you do not require a remote or online NuGet server, consider using the Installer-Generated Local NuGet Feed (Windows) for a simpler setup.
We strongly recommend that you configure your CI/CD pipelines to cache NuGet packages. Caching NuGet packages will help your team reduce build time and also avoid downtime should outages occur (with https://nuget.devexpress.com/ or with external NuGet servers like https://www.nuget.org/). For instance, with Azure DevOps, you can follow best practices outlined in the following document: Cache NuGet packages | Microsoft Azure DevOps documentation. Contact your CI/CD system vendor for additional information/guidance or review our NuGet feed integration help topic for technical assistance.
If you encounter package installation or update issues in Visual Studio or CI/CD, reset your NuGet package cache with the dotnet tool in Visual Studio itself. In Visual Studio 2017 and higher, you must:
Read the following Microsoft help topic for additional information in this regard: Clearing local folders.
Read the following sections to register the DevExpress NuGet feed and add DevExpress NuGet packages to your project:
<feed name> Unable to load the service index for source https://nuget.devexpress.com/…/api.
The content at 'https://nuget.devexpress.com/…/api' is not a valid JSON object.
Unexpected character encountered while parsing value: <. Path '', line 0, position 0.
Open and modify the nuget.config file as follows:
Restart Visual Studio.
Read the following Microsoft article to find the location of nuget.config: Config file locations and uses.
This error may be unrelated to DevExpress:
Note
Storing passwords in clear text is highly discouraged. For additional information on secure credential management, refer to the following Microsoft help topic: Consuming packages from authenticated feeds - Security best practices for managing credentials.
This error may be unrelated to DevExpress. Reports related to this type of exception can be found in the following public resources:
If you are experiencing NuGet errors, please isolate the error and search public resources for additional guidance (the following Microsoft article should help you isolate non-DevExpress-related issues): Errors and warnings.