packages.lock.json file, you create a stable snapshot of all dependencies—critical for accurate CybeDefend SCA scanning.
Recommended Steps
- Enable Lockfiles in .csproj
  You can enable lockfiles in any of these ways:
  Option A: Add to your .csproj file:
  Option B: For all projects, create a Directory.Build.props file in your solution root:
- Run dotnet restore
  This generates a packages.lock.json file for each project.
- Commit packages.lock.json
  Never edit this file manually. Let dotnet restore handle updates.
Why You Should Use Lockfiles
Using a lockfile is critical for secure and predictable builds. A lockfile contains a fixed version and a hash for each dependency and sub-dependency in your project.
- Supply Chain Protection
  Lockfiles prevent malicious package injections. This is crucial as supply chain attacks are rising.
- Predictable Builds
  Everyone uses the exact same package versions, avoiding “it works on my machine” inconsistencies.
- Performance Gains
  With dependency versions locked, build tools skip the usual resolution step, making builds faster.
Lockfiles are never edited manually. They’re generated and updated by your package manager and committed to your repository, ensuring consistent environments for all teammates.
Lockfile Commands
- Generate: dotnet restore --use-lock-file
- Locked Restore: dotnet restore --locked-mode
- Update: Change versions in .csproj or Directory.Packages.props, then run dotnet restore --force to update the lockfile.
Using Central Package Management
For larger solutions with many projects, use NuGet’s Central Package Management:
- Create a Directory.Packages.props file in your solution root:
- In your project files, reference packages without versions:
Supported Files for .NET
| File Examples |
|---|
| .deps.json, packages.lock.json, Directory.Packages.props, .csproj |
If your lockfile is missing, SCA scanning might only detect partial or incorrect versions of NuGet packages. Lockfiles ensure precise dependency resolution.
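To show what an SCA scanner actually reads from packages.lock.json (the pinned version and content hash of every direct and transitive package) and how a lockfile that does not resolve every sub-dependency leaves coverage partial, here is an added example; it is not CybeDefend's code, and the sample lockfile, its package names and its hashes are constructed for illustration.

```python
import json

# Constructed sample packages.lock.json (not from the page); the transitive
# "Example.Core" declares a sub-dependency that is never pinned in the file,
# the kind of gap a hand-edited lockfile can introduce.
SAMPLE_LOCKFILE = """{
  "version": 1,
  "dependencies": {
    "net8.0": {
      "Example.Client": {"type": "Direct", "requested": "[2.1.0, )",
                         "resolved": "2.1.0",
                         "contentHash": "Y29uc3RydWN0ZWQtaGFzaC1ub3QtcmVhbA==",
                         "dependencies": {"Example.Core": "2.1.0"}},
      "Example.Core": {"type": "Transitive", "resolved": "2.1.0",
                       "contentHash": "YW5vdGhlci1jb25zdHJ1Y3RlZC1oYXNo",
                       "dependencies": {"Example.Missing": "1.0.0"}}
    }
  }
}"""


def inventory(lockfile_text: str) -> dict[str, list[tuple[str, str, str, str]]]:
    """Per target framework, (name, type, resolved version, contentHash) for
    every pinned package: the data an SCA scanner matches against advisories.
    Project references have no resolved version or hash, hence the .get()."""
    data = json.loads(lockfile_text)
    if data.get("version") != 1:
        raise ValueError(f"unsupported lockfile version: {data.get('version')}")
    return {
        tfm: sorted((name, e["type"], e.get("resolved", ""), e.get("contentHash", ""))
                    for name, e in packages.items())
        for tfm, packages in data["dependencies"].items()
    }


def unresolved(lockfile_text: str) -> dict[str, list[str]]:
    """Per target framework, declared sub-dependencies that are not pinned in
    the lockfile. `dotnet restore` writes a closed graph, so a non-empty list
    means the file was hand-edited or truncated and SCA coverage is partial."""
    data = json.loads(lockfile_text)
    return {
        tfm: sorted(f"{name} -> {dep}" for name, e in packages.items()
                    for dep in e.get("dependencies", {}) if dep not in packages)
        for tfm, packages in data["dependencies"].items()
    }


if __name__ == "__main__":
    print(json.dumps(inventory(SAMPLE_LOCKFILE), indent=2))
    print("unresolved:", unresolved(SAMPLE_LOCKFILE))
```

Run it against a real packages.lock.json generated by dotnet restore and the unresolved list should be empty for every target framework.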