
How to hide or restrict user to download only dependent package from nuget?

Problem: I have Project_A and Project_B. Project_B depends on Project_A. The Project_B dependency is fulfilled by adding Project_A as a nuget package reference (Project_A is published as a nuget package and included in Project_B). Finally, Project_B is packed as a nuget reference for end users. When they download Project_B, which depends on Project_A, the end user sees the Project_A nuget package in nuget package explorer.

Goal:

  1. Can I hide the Project_A nuget package from nuget package explorer? Because if the end user downloads this then it is of no use, but it is published as a dependency for the Project_B nuget package.
  2. Can I somehow restrict the end user from downloading the Project_A reference?

Expected outcome: My end users should only be able to download the Project_B reference, but not the Project_A reference individually. The Project_A reference should download automatically as a dependency of Project_B.

Actual outcome: My end users are unnecessarily downloading the Project_A nuget package reference in their projects.

The fact that two NuGet packages are created from projects is not really relevant. In the end you have two packages, Project_A and Project_B and Project_B has a dependency on Project_A.

Can I hide Project_A nuget package from nuget package explorer?

nuget.org has the concept of unlisted packages, so users won't see them in search results. But if you publish your packages to a different NuGet feed, it depends on the server implementation. However, be careful doing this as it could give users a bad experience if it causes problems restoring the unlisted package.

Can I somehow restrict the end user from downloading the Project_A reference?

Honestly, my response is why would you want to? What harm is there if a developer downloads Package_A? What problem are you trying to solve, and is there a different way to solve the same problem? Imagine you're the developer who uses a package, but its dependency appears to be missing, how would that make you feel?

To directly answer your question, you could simply publish the Project_A package to a private nuget feed. But in this case, if Package_B is on a public feed, then only people who have access to the private feed will be able to use it; for everyone else, NuGet will fail to restore its dependency.

edit: Also consider organisations that have security compliance procedures. If a developer uses your public package, and then they audit their dependencies and see that your package has a weird hidden dependency, that's going to look very suspicious.
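The dependency audit mentioned in the answer can be sketched as follows. This is an added example, not part of the original answer: it walks trimmed, constructed registration data in the shape of the NuGet V3 registration resource and reports direct dependencies that are unlisted or absent from the feed. The function names and sample data are assumptions made for illustration.

```python
import json

# Constructed sample: trimmed registration indexes in the shape of the NuGet V3
# registration resource, keyed by lowercase package id. Not real feed data.
SAMPLE_REGISTRATIONS = json.loads("""
{
  "project_b": {"items": [{"items": [
    {"catalogEntry": {"id": "Project_B", "version": "1.0.0", "listed": true,
      "dependencyGroups": [{"targetFramework": "net6.0",
        "dependencies": [{"id": "Project_A", "range": "[1.0.0, )"}]}]}}
  ]}]},
  "project_a": {"items": [{"items": [
    {"catalogEntry": {"id": "Project_A", "version": "1.0.0", "listed": false,
      "published": "1900-01-01T00:00:00+00:00"}}
  ]}]}
}
""")

def catalog_entries(index):
    """Yield each catalogEntry from registration pages whose leaves are inlined."""
    for page in index.get("items", []):
        # A page without inlined leaves would need a fetch of page["@id"]; skipped here.
        for leaf in page.get("items", []):
            yield leaf["catalogEntry"]

def is_listed(entry):
    """'listed' is optional and means listed when absent; nuget.org also
    gives unlisted versions a published timestamp in the year 1900."""
    if "listed" in entry:
        return bool(entry["listed"])
    return not entry.get("published", "").startswith("1900-")

def unlisted_dependencies(package_id, registrations):
    """Map each direct dependency of package_id to a finding when no version
    of it is listed, or when it is missing from the feed entirely."""
    findings = {}
    for entry in catalog_entries(registrations[package_id.lower()]):
        for group in entry.get("dependencyGroups", []):
            for dep in group.get("dependencies", []):
                dep_index = registrations.get(dep["id"].lower())
                if dep_index is None:
                    findings[dep["id"]] = "not on this feed"
                elif not any(is_listed(e) for e in catalog_entries(dep_index)):
                    findings[dep["id"]] = "unlisted"
    return findings

if __name__ == "__main__":
    print(unlisted_dependencies("Project_B", SAMPLE_REGISTRATIONS))
```

The "not on this feed" finding corresponds to the private-feed case in the answer, where restore fails for anyone without access to the feed that hosts the dependency.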
