
Demonstration of Dependency Confusion applied to .NET and NuGet

andreiepure/DependencyConfusionDemo

Dependency Confusion Demo

Repository containing the demos I've used in the following talks:

  • DotNet Iasi meetup on the 10th of August 2022
  • .NET Day Switzerland on the 30th of August 2022 (slides)
  • VisugXL Belgium on the 28th of October 2022
  • .NET User Group Geneva on the 8th of December 2022
  • Techorama Belgium on the 17th of May 2023 (slides)
  • Techorama Netherlands on the 10th Oct 2023
  • WeAreDevelopers Berlin on the 18th of July 2024

Feel free to use this repository to demo in your company or team on how Dependency Confusion works.

And please don't forget to mention me when doing so :).

Thanks.

You can find how to defend your NuGet supply chain against dependency confusion on my blog.

TL;DR the minimum:

  1. (consumer) Use Package Source Mapping
  2. (consumer) Use trusted signers
  3. (publisher) Reserve prefixes for both your public and private packages on nuget.org
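The two consumer-side items above both live in `nuget.config`. The file below is an added example written for this README, not a file from the demo repository: the `contoso-internal` feed URL, the `Contoso.` prefix and the signer names are assumptions, and the certificate fingerprints are placeholders you replace with the real SHA-256 fingerprints (`dotnet nuget verify` on a downloaded `.nupkg` prints them). The `Contoso.` prefix used in the mapping is the same one a publisher would reserve on nuget.org (item 3), so that nobody else can publish `Contoso.*` ids there.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- nuget.config at the repository root. Added example: the Contoso names and the
     internal feed URL are assumptions, the fingerprints are placeholders. -->
<configuration>
  <packageSources>
    <!-- Drop every source inherited from user/machine config so only the feeds
         listed here are ever consulted during restore. -->
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="contoso-internal" value="https://pkgs.contoso.example/nuget/v3/index.json" />
  </packageSources>

  <!-- Package Source Mapping: every package id must match a pattern, and the most
       specific (longest) matching prefix wins. Contoso.* is therefore restored only
       from the internal feed, even if a package with the same id and a higher
       version appears on nuget.org. -->
  <packageSourceMapping>
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
    <packageSource key="contoso-internal">
      <package pattern="Contoso.*" />
    </packageSource>
  </packageSourceMapping>

  <config>
    <!-- In "require" mode a package must carry a valid signature from one of the
         trusted signers below, otherwise restore fails. -->
    <add key="signatureValidationMode" value="require" />
  </config>

  <trustedSigners>
    <!-- nuget.org repository signature, narrowed by owners: only packages whose
         nuget.org owner list includes one of these accounts are accepted. -->
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <certificate fingerprint="PLACEHOLDER_NUGET_ORG_REPOSITORY_CERT_SHA256"
                   hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <owners>microsoft</owners>
    </repository>
    <!-- Author signature for the internal packages (assumed signer name). -->
    <author name="contoso-release-signing">
      <certificate fingerprint="PLACEHOLDER_CONTOSO_AUTHOR_CERT_SHA256"
                   hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    </author>
  </trustedSigners>
</configuration>
```

Commit this file next to the solution so every developer machine and CI agent restores with the same rules; a `nuget.config` in a user profile does not protect a clone on another machine. Check how your SDK version handles signature verification during restore on Linux and macOS, since it has not always been enabled there by default.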

Extra mile:

  1. (consumer) Use a NuGet lock file
  2. (consumer) Only use fixed versions of your dependencies
  3. (publisher) Sign your packages
  4. (publisher) Use deterministic builds
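The lock file, fixed versions and deterministic builds are all project-level settings. The project file below is an added example for this README, not a project from the demo repository; the package id, its version and the `CI` environment variable used to detect a build agent are assumptions.

```xml
<!-- MyApp.csproj. Added example: Contoso.Internal.Logging, its version and the
     $(CI) convention are constructed for illustration. -->
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>

    <!-- Publisher side: reproducible binaries, so the same source and package
         graph always yield the same assembly bytes. Set first because the lock
         property below conditions on it. -->
    <Deterministic>true</Deterministic>
    <ContinuousIntegrationBuild Condition="'$(CI)' == 'true'">true</ContinuousIntegrationBuild>

    <!-- Generate packages.lock.json: records the exact resolved graph, including
         transitive dependencies, with a content hash per package. -->
    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>

    <!-- On CI, fail restore if the lock file no longer matches the project instead
         of silently re-resolving (equivalent to `dotnet restore --locked-mode`). -->
    <RestoreLockedMode Condition="'$(ContinuousIntegrationBuild)' == 'true'">true</RestoreLockedMode>
  </PropertyGroup>

  <ItemGroup>
    <!-- "[1.4.2]" is an exact-version range. Plain "1.4.2" means ">= 1.4.2" and
         lets the resolver float upward when another reference asks for more. -->
    <PackageReference Include="Contoso.Internal.Logging" Version="[1.4.2]" />
  </ItemGroup>
</Project>
```

Commit `packages.lock.json` together with the project. Locally the lock file is regenerated when references change; on the build agent a mismatch (a new package, a different version or a different content hash than the one recorded) makes restore fail, which is the point: a substituted package cannot slip in without a visible diff in the lock file.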
