.NET projects often rely on NuGet packages. By generating a packages.lock.json file, you create a stable snapshot of all dependencies—critical for accurate CybeDefend SCA scanning.

  1. Enable Lockfiles in .csproj

    You can enable lockfiles in any of these ways:

    Option A: Add to your .csproj file:

    <Project Sdk="Microsoft.NET.Sdk">
      <PropertyGroup>
        <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
        <RestoreLockedMode Condition="'$(ContinuousIntegrationBuild)' == 'true'">true</RestoreLockedMode>
      </PropertyGroup>
    </Project>
    

    Option B: For all projects, create a Directory.Build.props file in your solution root:

    <Project>
      <PropertyGroup>
        <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
      </PropertyGroup>
    </Project>
    
  2. Run dotnet restore
    This generates a packages.lock.json file for each project.

    dotnet restore --use-lock-file
    
  3. Commit packages.lock.json
    Never edit this file manually. Let dotnet restore handle updates.
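To see what the generated packages.lock.json actually records (the data an SCA scanner reads), here is an added example that is not part of this page or of CybeDefend's tooling: it parses a constructed lockfile, collects the pinned version and content hash of every NuGet package, and reports entries that cannot be verified. The sample JSON and its hash values are constructed placeholders.

```python
import json

# Constructed sample packages.lock.json (NuGet lockfile format v1).
# Hash values are placeholders, not real NuGet content hashes.
SAMPLE_LOCKFILE = """
{
  "version": 1,
  "dependencies": {
    "net8.0": {
      "Newtonsoft.Json": {
        "type": "Direct",
        "requested": "[13.0.1, )",
        "resolved": "13.0.1",
        "contentHash": "PLACEHOLDER_HASH_A=="
      },
      "Microsoft.Extensions.Logging.Abstractions": {
        "type": "Transitive",
        "resolved": "8.0.0",
        "contentHash": "PLACEHOLDER_HASH_B=="
      },
      "Serilog": {
        "type": "Direct",
        "requested": "[3.1.1, )",
        "resolved": "3.1.1"
      },
      "shared.lib": {
        "type": "Project",
        "dependencies": { "Newtonsoft.Json": "[13.0.1, )" }
      }
    }
  }
}
"""


def load_pinned_packages(text):
    """Return {(framework, package): {type, version, hash}} for each NuGet dependency."""
    data = json.loads(text)
    if data.get("version") != 1:
        raise ValueError("unsupported packages.lock.json version")
    pinned = {}
    for tfm, deps in data["dependencies"].items():
        for name, meta in deps.items():
            if meta.get("type") == "Project":
                continue  # project references carry no version or hash
            pinned[(tfm, name)] = {"type": meta["type"],
                                   "version": meta.get("resolved"),
                                   "hash": meta.get("contentHash")}
    return pinned


def find_unverifiable(pinned):
    """Entries lacking a resolved version or contentHash cannot be checked by locked restore or SCA."""
    return sorted(k for k, m in pinned.items() if not m["version"] or not m["hash"])
```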

Why You Should Use Lockfiles

Using a lockfile is critical for secure and predictable builds. A lockfile contains a fixed version and a hash for each dependency and sub-dependency in your project.

  1. Supply Chain Protection
    Lockfiles pin every package to a recorded version and content hash, so a substituted or tampered package fails a locked restore instead of silently entering the build. This matters as supply chain attacks are rising.
  2. Predictable Builds
    Everyone uses the exact same package versions, avoiding “it works on my machine” inconsistencies.
  3. Performance Gains
    With dependency versions locked, build tools skip the usual resolution step, making builds faster.

Lockfiles are never edited manually. They’re generated and updated by your package manager and committed to your repository, ensuring consistent environments for all teammates.

Lockfile Commands

  • Generate: dotnet restore --use-lock-file
  • Locked Restore: dotnet restore --locked-mode
  • Update: Change versions in .csproj or Directory.Packages.props, then run dotnet restore --force to update the lockfile.

Using Central Package Management

For larger solutions with many projects, use NuGet’s Central Package Management:

  1. Create a Directory.Packages.props file in your solution root:

    <Project>
      <PropertyGroup>
        <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
      </PropertyGroup>
      <ItemGroup>
        <!-- Define all package versions centrally -->
        <PackageVersion Include="Newtonsoft.Json" Version="13.0.1" />
      </ItemGroup>
    </Project>
    
  2. In your project files, reference packages without versions:

    <ItemGroup>
      <PackageReference Include="Newtonsoft.Json" />
    </ItemGroup>
    

Supported Files for .NET

File examples:

  • .deps.json
  • packages.lock.json
  • Directory.Packages.props
  • .csproj

If your lockfile is missing, SCA scanning might only detect partial or incorrect versions of NuGet packages. Lockfiles ensure precise dependency resolution.

Use Directory.Packages.props (NuGet central package management) for an even cleaner approach to pinned versions across multiple projects.