-
Notifications
You must be signed in to change notification settings - Fork 252
Centrally managing NuGet packages
Anand Gaurav edited this page Jul 14, 2018
·
33 revisions
- Status: Incubation
- Author(s): Anand Gaurav (@adgrv)
Centrally manage NuGet package versions for a solution or a repo #6764
As Noah, a developer who uses NuGet in an enterprise,
- I would like to manage all the package versions centrally at a solution/folder/repo (henceforth referred as solution) level so that they do not go out of sync in the various projects in the solution.
- I can specify a range or float to latest version of a given package so that all projects in the solution always gets the latest available version when desired.
- I can lock down the package graph for the solution so that my builds are repeatable
- I can lock down direct and transitive dependencies so that the build behavior does not change by resolving to a different version of a package version due to unavailability of previously resolved version.
- I am able to lock down the integrity of the package so that so that the build behavior does not change by resolving to a different package with same ID+version.
- I am able to lock the floating versions of packages to their respective resolved versions unless I explicitly ask the package to resolve to latest version.
- When I modify a common project that's a dependency of multiple projects in the solution, I should not be required to multiple checkins corresponding to each of the dependent projects.
- E.g. Project A->B->C->D->...->X. If I change the
PackageReferencefor X, I should be making limited changes related to only Project X and not multiple changes for each of the projects that depend on it. (This would be case with per project lock file).
- E.g. Project A->B->C->D->...->X. If I change the
Extensibility requirements:
- I am able to define a different set of packages and versions for a specific project in the solution that differs from the centrally managed packages+versions.
- Correspondingly, I am able to lock down a different package graph for a specific project.
Content Governance requirements (P2)
- I am able to scan the packages (full closure) used in the solution to flag non-compliance, licensing and vulnerabilities.
Customers with huge code-base spanning 100s of projects.
Central package version management
- Developers need this and have worked their way around in multiple ways. Some define the package version as a variable and then define all the version variables in a central file to control this behavior. E.g.
<PackageReference Include="My.Sample.Lib" Version="$(MySampleLibVersion)" /> - MSBuild team has built an SDK project to implement this behavior: Microsoft.Build.CentralPackageVersions. This spec has taken inspiration from this.
Repeatable builds We have had multiple internal partners reaching out to us from VS Team Services, Bing, Windows, Azure for this feature. Customers and community members have also asked for this feature. Refer to the following GitHub issues and comments on them:
- Lineups #2572
- Why must resolve to Lowest Version? Allow users to determine package resolution strategy during package restore #5553
- Twitter thread:
- Package Versions can be centrally managed in
packages.propsfile located at the solution root folder. - Package references (
PackageReference) managed at each project level without any version information. - Managing packages for the solution/projects:
- Adding packages references not listed in
packages.propswill add the package as reference in the project. In addition it will add the package details including version info in the CPVMF. - Updating package reference per project will be an error. An option to update in the
packages.propsfile will be available. - Removing/uninstalling package references per project is allowed.
- Adding packages references not listed in
- All the referenced packages and their transitive dependencies are locked in a lock file -
packages.lock.jsonpresent at the level (same folder) as thepackages.propsfile.- NuGet
restoreaction, by default, will always resolve the dependencies using the lock file.- It will check if a referenced package (
PackageReferencein the project file) is already present in thepackages.propsfile as well as thepackages.lock,jsonfile. If not, it errors out. - It will check if the version specified in
packages.propsmatch withpackages.lock.json. If not, it errors out. - The lock file contains the integrity data (SHA) for each of the packages listed in it. Restore does a post step to validate the integrity of the packages. It errors out if the integrity check fails. This option to include integrity will be configurable using a MSBuild/NuGet property.
- It will check if a referenced package (
- NuGet
restore -update-lock-fileaction will be able to recompute dependencies and overwrite the lock file. A similar experience on VS will be available. - NuGet install/update actions will modify the lock file if it modifies
packages.propsfile.
- NuGet
Check out the proposals in the accepted & proposed folders on the repository, and active PRs for proposals being discussed today.