Proj0043: Use lock files

By default, the package versions specified in PackageReference or PackageVersion items act as constraints on which dependency versions may be used when the project is built, not as exact pins. This means the resolved package versions can change over time, leading to non-reproducible builds or security issues.

To prevent these issues, it is advisable to enable .NET's lock files (similar to npm's package-lock.json) when building your production code. This requires setting the RestorePackagesWithLockFile property to true and ensuring that locked mode is enabled when building for production.

See also:

Non-compliant

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>

</Project>

Compliant

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
  </PropertyGroup>

</Project>
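As an added example (not one of this rule's own compliant/non-compliant samples), the project file below extends the compliant configuration so that locked mode is also switched on for production builds. In locked mode NuGet restore fails when packages.lock.json is missing or no longer matches the project's references, instead of silently rewriting it. RestoreLockedMode and the dotnet restore --locked-mode flag are NuGet's real settings; the assumption here is that the build pipeline sets ContinuousIntegrationBuild=true, which is what the condition keys on.

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <!-- Generate and maintain packages.lock.json next to the project; commit it to source control. -->
    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
  </PropertyGroup>

  <!-- Assumption: the pipeline runs e.g. "dotnet build -p:ContinuousIntegrationBuild=true".
       With locked mode on, restore fails if the lock file is absent or out of date
       rather than updating it, so a drifted transitive version cannot slip into a release build. -->
  <PropertyGroup Condition="'$(ContinuousIntegrationBuild)' == 'true'">
    <RestoreLockedMode>true</RestoreLockedMode>
  </PropertyGroup>

</Project>
```

Equivalently, a pipeline can run dotnet restore --locked-mode without touching the project file. After an intentional change to a PackageReference, regenerate the lock file locally with a normal dotnet restore (or dotnet restore --force-evaluate to re-resolve everything) and commit the updated packages.lock.json together with the change, so the review diff shows exactly which direct and transitive versions moved.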