This project is read-only.

Add flag to ignore any nuget.config files outside %appdata%


This is based on a customer issue raised in the site forums. For full details, please see

It's naively easy to accidentally check in a nuget.config file that's specific to a developer environment. When this happens, a range of unexpected behavior can ensue in build or test environments. This request is to add a flag for ignoring the nuget.config hierarchy and using settings only from the one in %appdata%\NuGet\nuget.config.


nikrox wrote Jan 18, 2013 at 9:09 PM

Thanks for converting this into a work item. This issue becomes a real serious problems in Enterprise Scale applications of NuGet where builds are supposed to be referencing only "golden components". In such scenarios it is unacceptable for a developer to sneak in a NuGet.exe with a custom config file and enable dowlnloads from a repository not considered golden.

The extensibility of MSBuild actually leads to a situation where any pre-build script might be used to create a nuget.config file at runtime with an untrusted source and force fetch from unsupported repositories. For enterprise level applications it is a necessity to suppress all repositories other than a golden one on certain build servers.

JeffHandley wrote Jan 22, 2013 at 6:31 PM

We would welcome a pull request for this issue that implements a design akin to how web.config handles this.

Elements could specify that the setting cannot be overridden or augmented in other web.config files.

nikrox wrote Jan 22, 2013 at 9:48 PM

I can give this a go but work is manic these days and I really would not be able to commit on a date. I am actually new to this kind of thing. Would you mind stating some of the obvious with respect to initiating this pull, committing to deadlines and submitting code changes?

RanjiniM wrote Feb 6, 2013 at 5:41 PM

@nikrox, please take a look at This has guidance on how to submit a pull request.