[Feature]: Require package source mapping when using CPM

[jeffkl]

NuGet Product(s) Involved

NuGet.exe, Visual Studio Package Management UI, Visual Studio Package Manager Console, MSBuild.exe, dotnet.exe

The Elevator Pitch

To make NuGet secure by default, there should be an option to required package source mapping when using more than one feed and central package management.

Additional Context and Details

No response

[tebeco]

Will this be MsBuild first so that one could finnaly get rid of nuget.config ?

[jeffkl]

Will this be MsBuild first so that one could finnaly get rid of nuget.config ?

@tebeco package source mapping currently only works when defined in NuGet.config. The feature described in this issue is to simply require package source mapping when managing package versions centrally.

[tebeco]

yes my question still stands though.

it's really like to avoid relying on a non flexible xml and to msbuild for most of what's possible

feed list
dotnet tool
source mapping

i don't understand the need of nuget.config being a non standard format (i mean not msbuild compliant). We're recreating the same problem as SLN file but this time it's named nuget.config

[jeffkl]

@tebeco I would recommend you open a new feature request to allow package source mapping definitions to come from MSBuild instead of NuGet.config. Keep in mind there are certain technical limitations when it comes to where configuration data is stored (example #7855). I'm not sure if package source mapping would suffer from any of these limitations.

[jimmylewis]

I'm curious why CPVM plays into this at all. Shouldn't this warning also be shown if not using CPVM? How does CPVM change the threat model?