Proj0044: Enable <RestoreLockedMode> when <ContinuousIntegrationBuild> is enabled
To ensure dotnet restore cannot implicitly upgrade package versions that are
specified in the lock file, it is necessary to enable “locked mode”.
The recommended way of enabling locked mode is to conditionally set the
RestoreLockedMode property to true if the ContinuousIntegrationBuild property is set to true.
This assumes there is a mechanism in place that dynamically sets
ContinuousIntegrationBuild to true in CI pipelines.
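One way to satisfy that assumption, as an added example that is not part of the original rule documentation: a Directory.Build.props file at the repository root (an assumed location) that sets ContinuousIntegrationBuild from the marker environment variables that GitHub Actions, Azure Pipelines and GitLab CI define.

```xml
<!-- Directory.Build.props (added example; placing it at the repository root is an assumption) -->
<Project>
  <!--
    MSBuild exposes environment variables as properties, and each CI system
    sets its own marker variable. The outer condition leaves an explicitly
    provided ContinuousIntegrationBuild value untouched.
  -->
  <PropertyGroup Condition="'$(ContinuousIntegrationBuild)' == ''">
    <!-- GitHub Actions sets GITHUB_ACTIONS=true -->
    <ContinuousIntegrationBuild Condition="'$(GITHUB_ACTIONS)' == 'true'">true</ContinuousIntegrationBuild>
    <!-- Azure Pipelines sets TF_BUILD=True; MSBuild string comparison ignores case -->
    <ContinuousIntegrationBuild Condition="'$(TF_BUILD)' == 'true'">true</ContinuousIntegrationBuild>
    <!-- GitLab CI sets GITLAB_CI=true -->
    <ContinuousIntegrationBuild Condition="'$(GITLAB_CI)' == 'true'">true</ContinuousIntegrationBuild>
  </PropertyGroup>
  <!--
    Directory.Build.props is imported before the body of each project file,
    so the property is already set when a project evaluates
    Condition="'$(ContinuousIntegrationBuild)' == 'true'" on RestoreLockedMode.
  -->
</Project>
```

On a developer machine none of these variables is set, so restore stays unlocked there and the lock file can still be updated after an intentional dependency change.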
See also:
- https://devblogs.microsoft.com/dotnet/enable-repeatable-package-restores-using-a-lock-file/
- https://www.meziantou.net/faster-and-safer-nuget-restore-using-source-mapping-and-lock-files.htm
When to disable this rule
This rule can be safely disabled if build pipeline scripts already ensure locked
mode when restoring dependencies (for example by passing --locked-mode or
/p:RestoreLockedMode=true).
Non-compliant
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
  </PropertyGroup>
</Project>
Compliant
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
    <RestoreLockedMode Condition="'$(ContinuousIntegrationBuild)' == 'true'">true</RestoreLockedMode>
  </PropertyGroup>
</Project>
Or:
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
  </PropertyGroup>
  <PropertyGroup Condition="'$(ContinuousIntegrationBuild)' == 'true'">
    <RestoreLockedMode>true</RestoreLockedMode>
  </PropertyGroup>
</Project>
Or:
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <RestorePackagesWithLockFile>false</RestorePackagesWithLockFile>
  </PropertyGroup>
</Project>