Package dependency resolution in NuGet and naming conflicts

Tags:

nuget

On my team at work we rely on two NuGet feeds: the official one from NuGet.org for public packages and a folder on our file server for internal packages.

This has worked well for us, but I think we have a potential problem. It looks like NuGet resolves dependencies based on package name and version number. With only one feed in play, this doesn't seem like a problem. With more than one feed, there's a risk of a name conflict. Based on NuGet's resolution rules, it looks like it will pick the highest version number, regardless of feed.

This leaves us in a bit of a spot. It's not likely to happen, but if someone were to publish a package on the NuGet.org feed that had the same package name as one on our internal feed, we could end up including an unexpected package.

I can think of two ways to work around this:

1) Pull the packages we rely on into our private feed. While this is doable, it's not terribly appealing because of the management burden of constantly downloading package updates into our private feed.

2) Publish a placeholder package via the NuGet.org feed to reserve the package name. This seems like it would work, but feels like a hack to me.

Is there a better way?

Thanks for your help!

Jacob asked Jan 16 '14 04:01


1 Answer

This could be accomplished quite easily with our product ProGet (essentially it's a private NuGet repository with additional features), though the feature to do so is only available in the paid edition. Essentially what you would do is point only to the ProGet-hosted feed from within Visual Studio. By default, ProGet feeds are connected to the official NuGet.org feed and are able to download all packages in the official feed as well.

However, if you were to set up a "connector filter" of:

*
!YourPackageNameOrPrefix

then it would block packages with the same name as yours from being downloaded from the official feed.

If you aren't interested in a 3rd party solution, you could always name your packages with something that would be highly unlikely to be copied (e.g. YourCompany.XXXXX), but that of course would not prevent anyone from copying it on purpose.

John Rasch answered Oct 11 '22 08:10
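As an added example (not part of the question or the answer above), the same separation can be enforced in NuGet itself with a nuget.config package source mapping, a feature of newer NuGet clients (NuGet 6.0 / Visual Studio 2022 and later) that pins each package-ID pattern to exactly one feed. The feed names, the file-share path and the YourCompany prefix are assumed placeholders, not values from the page.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- nuget.config (repository root): pin each package-ID pattern to one feed.
     Feed keys, the file-share path and the "YourCompany" prefix are
     hypothetical placeholders; substitute your own. -->
<configuration>
  <packageSources>
    <!-- Ignore any feeds inherited from machine-level or user-level configs,
         so the set of sources is exactly the two listed here. -->
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <!-- Internal file-share feed as described in the question (placeholder path). -->
    <add key="internal" value="\\fileserver\nuget\packages" />
  </packageSources>

  <!-- Without this section every feed may satisfy every package ID and the
       highest version wins, which is the cross-feed name collision the
       question describes. With it, restore fails rather than falling back
       to another feed when a mapped source does not have the package. -->
  <packageSourceMapping>
    <!-- Public packages come only from nuget.org ... -->
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
    <!-- ... but anything under the company prefix may come only from the
         internal feed. The most specific matching pattern wins, so a
         YourCompany.* package published to nuget.org is never considered. -->
    <packageSource key="internal">
      <package pattern="YourCompany.*" />
    </packageSource>
  </packageSourceMapping>
</configuration>
```

NuGet.org separately offers package ID prefix reservation for verified owners, which formalizes the "reserve the name" idea raised as option 2 in the question.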