An Introduction to NuGet
If you’ve spent any amount of time in the .NET / Microsoft developer ecosystem, you’ve probably heard the term “NuGet” in reference to code packages, package managers, software libraries, and even software installers. Understandably, this can cause a lot of confusion around what NuGet actually is.
This article will help you understand:
- What NuGet is
- Where NuGet came from
- What a NuGet package is
- Common use cases and tooling for NuGet packages
What is NuGet?
NuGet is the official package management system for .NET development. This includes a platform and tooling to help .NET developers create, publish, consume, and share reusable code. The format in which the code is bundled is called a NuGet package, which is simply a shareable unit of code.
Where did NuGet come from?
NuGet was created in 2010 (under the name “NuPack”) by the Outercurve Foundation, a non-profit founded by Microsoft. The goal of this foundation was to "enable the exchange of code and understanding among software companies and open source communities." The Outercurve Foundation was a precursor to the current .Net Foundation and contributed projects like NuGet to this group.
So what’s in a NuGet Package?
So what actually is a NuGet package? Well, the short answer is it’s just a fancy zip file that uses the “.nupkg” extension. This archive can contain:
- Compiled code in the form of libraries (DLL’s), or in some cases binaries (EXE’s and MSI’s)
- Additional files related to the code (often describing how to use/install it)
- A manifest file (“.nuspec”) detailing metadata about the package (version, author, etc.)
Where are NuGet packages stored?
Developers wanting to store or share this code with their team or others can simply publish their NuGet packages to a Public or Private NuGet repository. This also encourages developers to write code that is more reusable among teams, with libraries and dependencies that are well-defined. Why reinvent the wheel if you don’t have to?
NuGet Flavors: Communities & Tooling
Several distinct communities in the .NET ecosystem utilize the NuGet package format. Each of these communities has its own unique use case and tooling, along with its own “flavors” of NuGet package.
.NET Developer Community (C#)
Community: .NET Developers
Language of Choice: C# (with some F#, VB)
Public Repository: NuGet Gallery
The .Net Developer Community largely uses C# as their programming language of choice (though F# and VB definitely have a presence here as well). With the move to .NET Core as a fully cross-platform and open-source framework, the community has garnered wider adoption and support on desktop, mobile, Cloud, and IoT operating systems.
This Community largely interacts with .NET via Visual Studio, the most popular IDE (Integrated Developer Environment) in this tech stack. Visual Studio offers .Net developers the ability to interact with their NuGet repositories via its graphical interface. In fact, the NuGet Gallery (hosted at nuget.org) already comes pre-configured as a package source. As of writing, the NuGet Gallery hosts almost 300,000 unique NuGet packages! Developers can add NuGet packages directly within their C# project and are then immediately given the ability to reference the libraries from that package in their code (with IntelliSense auto-suggestion).
How to install a NuGet package in Visual Studio
Watch the video below on how to install and use a NuGet Package with Visual Studio; courtesy of Microsoft:
Developers that prefer to create their own NuGet packages often choose to use the NuGet CLI (command-line interface; a.k.a. nuget.exe). The NuGet CLI allows users to install, create, publish, and manage packages without leaving their console. This also affords users the ability to interact programmatically with NuGet packages in their pipelines.
PowerShell Developer Community
Community: PowerShell Community
Language of Choice: PowerShell
Tools of Choice: PowerShell (pwsh), Windows PowerShell (powershell.exe)
Public Repository: PowerShell Gallery
PowerShell is a programming language, a scripting language, and a command-line shell all rolled into one! It has gained a great deal of popularity as a “glue language,” being a tool of choice in DevOps & Automation pipelines. All three major cloud vendors (AWS, Azure, GCP) support interaction with their platform via PowerShell modules and even include them in their SDK (Software Development Kit). Windows PowerShell comes installed by default on all Microsoft Windows operating systems. PowerShell (7+; a.k.a. pwsh.exe) is also available as a cross-platform open-source binary.
PowerShell developers utilize PowerShell modules as their unit of shareable and reusable code. PowerShell Modules contain functions and cmdlets (pronounced “commandlets”) that abstract away the need to do string manipulation.
For users interested in sharing and reusing code publicly, Microsoft hosts the PowerShell Gallery, with over 9,500 unique modules. In effect, PowerShell uses “nuget.exe” under the hood of its cmdlets that interact with NuGet repositories to create, upload, and download PowerShell modules wrapped in NuGet packages. The modules themselves are not kept in NuGet format once installed or imported; the NuGet packages are simply used as a conveyance mechanism.
Chocolatey Developer Community
Organization: Chocolatey Software
Language of Choice: Chocolatey CLI; PowerShell
Public Repository: Chocolatey Community Repository
Chocolatey is a Windows software management solution that was created by Rob Reynolds in 2011. It is a CLI tool (“choco.exe”) that allows users to package and install any kind of Windows software into a Chocolatey NuGet package. Chocolatey packages are a slightly different “flavor” of NuGet. They usually include binaries (EXE’s and MSI’s), along with instructions on how to install, upgrade, and uninstall these applications in the form of PowerShell scripts. The fact that users can bundle pretty much any kind of installer or PowerShell scripting in a reusable package format has solidified Chocolatey as one of the most versatile and ubiquitous choices for installing and managing software on Windows endpoints.
The Chocolatey Community Repository hosts over 9,000 community packages in the Chocolatey NuGet format, containing simple, scriptable, and silent installation methods for most popular Windows applications (e.g., 7Zip, Notepad++, Firefox, Chrome). Many of these packages are for open-source software as well, and almost all of them are contributed by community maintainers. This gives a System Administrator a quick and easy way to provision and patch a set of base applications on all their Windows endpoints. In addition, Chocolatey Software also offers Chocolatey for Business with a more advanced feature set for creating, updating, and monitoring the status of Chocolatey NuGet packages in an organization.
NuGet packages don’t always play nice together
As you can probably see from the above examples, NuGet packages can come in many “flavors,” with notably different compositions. Thus, it should come as no surprise that mixing and matching different formats is not supported or recommended.
For example, Pester, the testing framework for PowerShell, exists as a package on the NuGet Gallery, PowerShell Gallery, and Chocolatey Community Repository. However, you can’t “choco install” the NuGet Gallery package or use “Install-Module” in PowerShell to begin using it. The lack of interoperability between repositories and NuGet formats can often be the source of confusion.
To add another wrinkle, the NuGet Team deprecated NuGet V2 in favor of V3 on the NuGet Gallery (citing performance and scalability issues of NuGet V2 OData feeds and queries). This works fine as long as you’re only using Visual Studio or the NuGet CLI. However, both PowerShell and Chocolatey communities currently only support the NuGet V2 format for their NuGet package management.
Hopefully, this article has helped clear up some confusion on what NuGet is as a package format and how developers use NuGet packages in their .Net, C#, PowerShell, and Chocolatey code workflows.
If you or your organization are looking for a global, secure, cloud-native, and universal package repository solution to host Nuget packages along with 26+ other formats (including Docker containers), reach out to us here at Cloudsmith, and we’d love to understand your use case, and show how we can help.
If you're intrigued to learn more about specific package formats, delve into our series below:
Here is a quick roundup of the common NuGet questions we’ve come across.
What is NuGet in C#?
C# is the most popular programming language used by developers building software with the .NET Framework. NuGet is used to improve C# developer productivity since reusable units of code can be packaged in a NuGet format and shared among teams and the OSS community. Developers can add NuGet packages directly within their C# project and are then immediately given the ability to reference the libraries from that package in their code.
Are NuGet packages safe to use?
Should you be worried about the safety of NuGet packages? We live and breathe security here at Cloudsmith, and you should always be in control of your software supply chain. Real talk: you should be careful about any kind of package you download from public repositories, as detailed in our article discussing what developers and organizations want from a package repository. But a NuGet package is as secure as any other package format; you just need to do your due diligence to vet the sources of these packages appropriately.
What is a NuGet repository?
NuGet repositories (also known as NuGet feeds) are where you can upload and store your NuGet packages. At Cloudsmith, our package repositories are multi-format friendly, meaning you can store NuGet packages alongside other popular formats in the same repo, such as Docker images, Maven packages, and 24+ other formats too!