Upgrading Octopus Server's Octopus Fork of Nuget.Client Packages from 6.14.x to 7.4.x

[enf0rc3]

Background

Octopus Server uses a forked version of NuGet.Client for managing NuGet Feeds and Package Downloads.

As part of our ongoing maintenance, we have upgraded this fork from version 6.14 to 7.4, rebasing all four of our custom modifications onto the new NuGet 7.4 release branch.

This ensures we stay current with upstream improvements, security fixes, and protocol changes while continuing to support Octopus-specific requirements.

Solution

All Octopus Server NuGet interactions - including external feed search, package download, version listing, release notes retrieval, and built-in feed package push - have been updated to use the Octopus-NuGet 7.4 client libraries fork.

For the full list of upstream changes, see the official NuGet release notes documentation https://learn.microsoft.com/en-us/nuget/release-notes/nuget-7.0.

Two breaking changes to be aware of:

• Package ID validation: NuGet 7.0 now validates package IDs against the pattern [a-zA-Z0-9_.-] across protocol operations such as feed search, metadata lookup, and package download. Packages with IDs containing characters outside this set may be rejected where they previously worked.
• Non-HTTPS service index resources: NuGet V3 feeds served over HTTPS whose service index (index.json) contains and points to a HTTP resource URLs will now raise an error. This may affect self-hosted NuGet V3 feeds with misconfigured service indices. Public feeds such as nuget.org are unaffected.