The Latest from Aaronontheweb: So Microsoft Deleted Some of Our Packages From NuGet.org Without Notice



Published on July 11, 2025. 7 minutes to read.

“Software supply chain management” is one of those terms that sounds like Venture Capital-funded vendor marketing bullshit right up until it isn’t.

In 2016 the npm left-pad incident taught many of us in the software industry two lessons:

  1. Depending directly on a central package registry such as npm or nuget.org is fragile, which is why artifact proxying tools like JFrog Artifactory became so important; and
  2. Centralized package management systems probably need to make stronger security and availability guarantees, such as not allowing hard deletes of packages in the first place.
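One concrete way to act on the first lesson is to stop restoring from nuget.org directly and route every package through an internal proxy feed that caches what it has served. The `NuGet.config` below is an added example, not configuration from this post or from the Akka.NET project; the feed URL is a placeholder and the `internal-proxy` key is an assumed name.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <!-- Drop any sources inherited from user/machine-level config so nuget.org
         is never contacted directly by a build. -->
    <clear />
    <!-- Placeholder URL: an internal caching proxy (e.g. Artifactory) that
         mirrors nuget.org and keeps copies of every version it has served. -->
    <add key="internal-proxy" value="https://artifacts.example.internal/nuget/v3/index.json" />
  </packageSources>
  <packageSourceMapping>
    <!-- Package source mapping: every package id must resolve from the proxy,
         so a stray public source can never be substituted in. -->
    <packageSource key="internal-proxy">
      <package pattern="*" />
    </packageSource>
  </packageSourceMapping>
</configuration>
```

Pair this with `<RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>` and `<RestoreLockedMode>true</RestoreLockedMode>` in a `Directory.Build.props` so CI restores exactly the versions recorded in `packages.lock.json`. A version that has vanished upstream then keeps restoring from the proxy's cache, and any change to the resolved graph fails the build loudly instead of silently floating to a different version.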

One of the distinguishing features of nuget.org is that they make it very, very hard for authors to delete their packages - only in exceptional cases, such as malware inclusion, will they allow the permanent deletion of packages.

Imagine my surprise yesterday, when I discovered that two of our Akka.NET packages were deleted[1], by Microsoft, without any advance notice. I only discovered that this was an issue when one of my own Akka.NET applications failed to build on CI/CD due to missing package versions.

[Image: Akka.Coordination.Azure deleted from NuGet.org]

I’ll get into the reasons why they did this, but the bottom line is: this is a disturbing precedent that really should never be repeated.

In essence, Microsoft’s adjacent business units abused NuGet to deal with their own security vulnerabilities - getting a level of access that would never be granted to any other publisher on the platform.


Aaronontheweb

I write about .NET, open source software, the Microsoft ecosystem, my adventures with startups, and outer space.
